Varnish TLS
•Download as PPTX, PDF•
0 likes•262 views
Hitch TLS is a small and fast TLS terminator that is bundled with Varnish Plus. It allows client-side TLS termination with Varnish Cache Plus handling encryption and decryption. TLS can also be used to encrypt connections to backends by adding ".ssl = 1" to backend definitions in Varnish. Hitch TLS supports features like OCSP stapling, PROXY protocol, and run-time reloads for updating certificates without interrupting service. Performance testing shows it can handle high throughput workloads with good scalability on commodity hardware.
Recommended
More Related Content
What's hot
What's hot (20)
Viewers also liked
Viewers also liked (20)
Similar to Varnish TLS
Similar to Varnish TLS (20)
More from Varnish Software
More from Varnish Software (20)
Recently uploaded
Recently uploaded (20)
Varnish TLS
- 2. SSL/TLS with Varnish Plus ● SSL/TLS ● Client-side TLS with Hitch TLS ● TLS to the backend with Varnish Cache Plus
- 3. TLS basics TLS - standardised encryption protocol Confidentiality Authentication Integrity Lives on top of TCP, below HTTP TLS is originally based on SSL All SSL versions are broken TLS 1.2 is the one you should use
- 4. Hitch TLS ● A small and fast TLS terminator ● Developed by Varnish Software ● Hitch TLS is bundled with Varnish Plus ○ Official packages and support ● Based on the “stud” project by Bump Technologies ● Freely available. BSD license ● https://hitch-tls.org/
- 5. Event-driven using libev Non-blocking IO One main management process N child processes, doing the actual heavy lifting Architecture
- 6. Setup and configuration ● Official packages available with Varnish Plus ● Community packages for Debian and RHEL/Fedora (big thanks to Stig and Ingvar!) ● Latest release 1.4.1 (released last month) ● Configuration in /etc/hitch/hitch.conf
- 8. PROXY protocol ● Transmit client endpoints in a tiny preamble ● Specified by Willy Tarreau of HAProxy ● Example PROXYv1 header: PROXY TCP4 192.168.0.1 192.168.0.11 56324 443rn ● Supported in Varnish Cache Plus and in Varnish (4.1.0+) ○ VCL: client.ip, server.ip, remote.ip, local.ip
- 9. Run-time reloads Newly developed Hitch feature Seamlessly load new certificates and listen endpoints without interrupting service Hitch will re-read its config on SIGHUP # service hitch reload
- 10. OCSP stapling Revocation status as part of the TLS handshake Big win for browser page load time New in 1.3.0 Fully automated staple refreshes
- 11. Performance In short: very good Scales with any (reasonable) number of CPU cores Up to 3000 new connections per second per core (“SSL accelerator” cards not needed) Fills 10Gbit ethernet without much effort Tested with 500K certificates
- 12. Recent improvements Improved configuration flexibility (1.2.0) OCSP stapling (1.3.0) ALPN/NPN for HTTP/2 (1.4.0)
- 13. TLS to the backend Built into Varnish Cache Plus from 4.0.3r3 (June 2015) Add “.ssl = 1” to backend definition to use TLS
- 15. Backend TLS performance Some overhead to be expected in initiating new connections Once established the TLS connections are fast HTTP keep-alive helps
- 16. Summary You can do TLS/SSL both to the client and to the backend with Varnish Plus. All components are covered in Plus package. High performance is ensured. For most setups, no new hardware required.
- 17. Thank you