Varnish SSL / TLS
Varnish Summit 2016
SSL/TLS with Varnish Plus

Agenda
● SSL/TLS
● Client-side TLS with Hitch TLS
● TLS to the backend with Varnish Cache Plus
TLS basics
● TLS - standardised encryption protocol
○ Confidentiality
○ Authentication
○ Integrity
● Lives on top of TCP, below HTTP
● TLS is originally based on SSL
● All SSL versions are broken
● TLS 1.2 is the one you should use (TLS 1.3, standardised in 2018, post-dates this talk)
Hitch TLS
● A small and fast TLS terminator
● Developed by Varnish Software
● Hitch TLS is bundled with Varnish Plus
○ Official packages and support
● Based on the “stud” project by Bump Technologies
● Freely available. BSD license
● https://hitch-tls.org/

Architecture
● Event-driven using libev
● Non-blocking IO
● One main management process
● N child processes, doing the actual heavy lifting

Setup and configuration
● Official packages available with Varnish Plus
● Community packages for Debian, RHEL/Fedora and FreeBSD
● Latest release 1.2.0-beta1
● Configuration in /etc/hitch/hitch.conf

PROXY protocol
● Transmit client endpoints in a tiny preamble
● Specified by Willy Tarreau of HAProxy
● Example PROXYv1 header:
  PROXY TCP4 192.168.0.1 192.168.0.11 56324 443\r\n
● Supported in Varnish Cache Plus 4.0 and in Varnish 4.1
○ VCL: client.ip, server.ip, remote.ip, local.ip
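A worked example for the PROXY protocol slide above, added here by the editor and not code from Hitch or Varnish. It builds the v1 preamble a TLS terminator such as Hitch prepends to the plaintext it forwards, parses it the way a receiver such as Varnish's PROXY listener must (strict about the 107-byte limit, CRLF termination, address family and port range, and treating anything malformed as a reason to drop the connection), and models the one check the protocol cannot do for you: the preamble is not authenticated, so a PROXY listener must only be reachable by the trusted terminator, otherwise any peer can set client.ip to whatever it likes. All addresses and request bytes below are constructed for the example.

```python
"""PROXY protocol v1 preamble: build, parse, and decide whether to trust it.

Added example, not Hitch or Varnish code. All inputs are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple

MAX_V1_HEADER = 107  # spec: a v1 line is at most 107 bytes including CRLF
CRLF = b"\r\n"


@dataclass
class ProxyHeader:
    family: str    # "TCP4" or "TCP6"
    src_ip: str    # original client address (what Varnish exposes as client.ip)
    dst_ip: str    # address the client connected to (server.ip)
    src_port: int
    dst_port: int


def build_proxy_v1(src_ip: str, dst_ip: str, src_port: int, dst_port: int) -> bytes:
    """Produce the line a terminator writes before forwarding the decrypted stream."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    if src.version != dst.version:
        raise ValueError("address families differ")
    for port in (src_port, dst_port):
        if not 0 <= port <= 65535:
            raise ValueError(f"port out of range: {port}")
    fam = "TCP4" if src.version == 4 else "TCP6"
    return f"PROXY {fam} {src} {dst} {src_port} {dst_port}".encode("ascii") + CRLF


def _port(field: str) -> int:
    # Decimal digits only, no sign, no leading zeros (per spec), within TCP range.
    if not field.isdigit() or (len(field) > 1 and field[0] == "0"):
        raise ValueError(f"bad port field {field!r}")
    port = int(field)
    if port > 65535:
        raise ValueError(f"port out of range: {port}")
    return port


def parse_proxy_v1(data: bytes) -> Tuple[Optional[ProxyHeader], bytes]:
    """Split a v1 preamble off the front of `data`.

    Returns (header, remaining bytes); header is None for the UNKNOWN family.
    A malformed header raises ValueError, and a receiver must then close the
    connection rather than fall back to reading the bytes as application data.
    """
    if not data.startswith(b"PROXY "):
        raise ValueError("missing PROXY v1 signature")
    end = data.find(CRLF, 0, MAX_V1_HEADER)  # CRLF must fall within the 107-byte cap
    if end < 0:
        raise ValueError("no CRLF within 107 bytes")
    rest = data[end + len(CRLF):]
    try:
        fields = data[:end].decode("ascii").split(" ")
    except UnicodeDecodeError as exc:
        raise ValueError("non-ASCII byte in header") from exc
    if fields[1] == "UNKNOWN":
        return None, rest  # sender could not determine the endpoints; ignore the rest of the line
    if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
        raise ValueError(f"malformed header fields: {fields!r}")
    fam = fields[1]
    want = 4 if fam == "TCP4" else 6
    src, dst = ipaddress.ip_address(fields[2]), ipaddress.ip_address(fields[3])
    if src.version != want or dst.version != want:
        raise ValueError("address does not match the declared family")
    return ProxyHeader(fam, str(src), str(dst), _port(fields[4]), _port(fields[5])), rest


def is_valid_proxy_v1(data: bytes) -> bool:
    """True if `data` starts with a well-formed v1 preamble."""
    try:
        parse_proxy_v1(data)
        return True
    except ValueError:
        return False


def effective_client_ip(peer_ip: str, data: bytes, trusted_terminators: Iterable[str]) -> str:
    """Honour the preamble only when the TCP peer is a known terminator.

    The header carries no authentication: anyone who can reach a PROXY listener
    can claim any client address. If the peer is not trusted, its own address is
    the client address and the bytes are left alone.
    """
    trusted = {ipaddress.ip_address(t) for t in trusted_terminators}
    if ipaddress.ip_address(peer_ip) not in trusted:
        return peer_ip
    header, _ = parse_proxy_v1(data)
    return header.src_ip if header else peer_ip


if __name__ == "__main__":
    # Constructed stream: the slide's header followed by the first request line.
    stream = build_proxy_v1("192.168.0.1", "192.168.0.11", 56324, 443) + b"GET / HTTP/1.1\r\n"
    hdr, body = parse_proxy_v1(stream)
    print(hdr, body)
    print(effective_client_ip("127.0.0.1", stream, ["127.0.0.1"]))   # hitch on loopback: trusted
    print(effective_client_ip("203.0.113.7", stream, ["127.0.0.1"]))  # random peer: not trusted
```

In a real deployment the trust decision is made by where the Varnish PROXY listener is bound (a loopback or private address that only Hitch can reach) and by the firewall in front of it; effective_client_ip models that decision so the failure mode is visible, it does not replace it.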
Run-time reloads
● New in Hitch
● Seamlessly load new certificates and listen endpoints without interrupting service
● Hitch will re-read its config on SIGHUP
  # service hitch reload

Performance
● In short: very good
● Scales with any (reasonable) number of CPU cores
● Up to 3000 new connections per second per core (“SSL accelerator” cards not needed)
● Fills 10Gbit ethernet without much effort
● Tested with 500K certificates

Future improvements
● Improved configuration flexibility (in beta now)
● OCSP stapling
● Shared session cache improvements
● ALPN/NPN for HTTP/2
TLS to the backend
● Built into Varnish Cache Plus from 4.0.3r3 (June 2015)
● Add .ssl = 1 to the backend definition to use TLS
● SNI on by default
● Other options: disable SNI and certificate checking
○ Disabling certificate checking gives up the authentication property from the TLS basics slide: the backend connection stays encrypted but is open to an active man-in-the-middle
Backend performance test
● nginx backend with TLS on 10Gb LAN
● wrk toward local Varnish
● Focus on latency, not throughput

Backend TLS performance
● On a LAN: costly, but still very fast
● On a WAN: smaller differences, but the extra roundtrips will slow down the first request
● Once established, the TLS connections are fast

Backend TLS future
● Feature complete
● Ongoing support in Varnish Cache Plus

Summary
● You can do TLS/SSL both to the client and to the backend with Varnish Plus
● All components are supported in Plus
● High performance is ensured

Questions?