Varnish to be used for https


Question

Here's the situation. I have clients over a secured network (https) that talk to multiple backends. Now, I want to establish a reverse proxy, mainly for load balancing (based on header data or cookies) and a little caching. So, I thought Varnish could be of use.

But Varnish does not support SSL connections. As I've read in many places, quoting, "Varnish does not support SSL termination natively". But I want every connection, i.e. client-Varnish and Varnish-backend, to be over https. I cannot have plaintext data anywhere on the network (there are restrictions), so nothing else can be used as an SSL terminator (or can it?).

So, here are the questions:


  • First, what does it mean (if someone can explain in simple terms) that "Varnish does not support SSL termination natively"?

  • Second, is this scenario good to implement using Varnish?

  • Finally, if Varnish is not a good contender, should I switch to some other reverse proxy? If so, which one suits this scenario? (HAProxy, Nginx, etc.)

Answer


what does this mean (if someone can explain in simple terms) that "Varnish does not support SSL termination natively"

It means Varnish has no built-in support for SSL. It can't operate in a path with SSL unless the SSL is handled by separate software.

This is an architectural decision by the author of Varnish, who discussed his contemplation of integrating SSL into Varnish back in 2011.

He based this on a number of factors, not the least of which was wanting to do it right if at all, while observing that the de facto standard library for SSL is openssl, which is a labyrinthine collection of over 300,000 lines of code, and he was neither confident in that code base, nor in the likelihood of a favorable cost/benefit ratio.

At the time, his conclusion was no:


"That is not one of the things I dreamt about doing as a kid and if I dream about it now I call it a nightmare."

https://www.varnish-cache.org/docs/trunk/phk/ssl.html

He revisited the concept in 2015.

Again, his conclusion was no:


"Code is hard, crypto code is double-plus-hard, if not double-squared-hard, and the world really don't need another piece of code that does an half-assed job at cryptography.

...

When I look at something like Willy Tarreau's HAProxy I have a hard time to see any significant opportunity for improvement.

No, Varnish still won't add SSL/TLS support.

Instead in Varnish 4.1 we have added support for Willys PROXY protocol which makes it possible to communicate the extra details from a SSL-terminating proxy, such as HAProxy, to Varnish."

https://www.varnish-cache.org/docs/trunk/phk/ssl_again.html

This enhancement could simplify integrating Varnish into an environment with encryption requirements, because it provides another mechanism for preserving the original browser's identity in an offloaded SSL setup.


is this scenario good to implement using varnish?

If you need Varnish, use it, being aware that SSL must be handled separately. Note, though, that this does not necessarily mean that unencrypted traffic has to traverse your network... though that does make for a more complicated and CPU-hungry setup.


nothing else can be used as SSL-Terminator (or can be?)

The SSL can be offloaded on the front side of Varnish and re-established on the back side of Varnish, all on the same machine running Varnish, but by separate processes, using HAProxy or stunnel or nginx or other solutions in front of and behind Varnish. Any traffic in the clear is operating within the confines of one host, so it is arguably not a point of vulnerability if the host itself is secure, since it never leaves the machine.


if varnish is not a good contender, should I switch to some other reverse proxy

This is entirely dependent on what you want and need in your stack, its cost/benefit to you, your level of expertise, the availability of resources, and other factors. Each option has its own set of capabilities and limitations, and it's certainly not unheard-of to use more than one in the same stack.
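As an added example that is not part of the original answer (and not code from the Varnish or HAProxy projects), the POSIX shell script below writes out the arrangement the answer describes: TLS terminated by HAProxy in front of Varnish, the original client address carried into Varnish with the PROXY protocol that Varnish 4.1 added, and a second HAProxy listener on loopback that re-encrypts Varnish's backend traffic to the origins, so plaintext never leaves 127.0.0.1 on that host. The hostnames (origin1.example.internal and origin2.example.internal), ports, certificate paths and the origin CA file are assumptions for illustration. The check function only inspects the generated file for a plaintext listener bound to a non-loopback address; it does not replace `haproxy -c` or `varnishd -C`.

```shell
#!/bin/sh
# Added example, not from the original answer or the Varnish/HAProxy projects.
# TLS "sandwich": HAProxy terminates TLS -> Varnish (PROXY protocol, loopback)
# -> HAProxy on loopback -> origins over TLS again. Hostnames, ports, cert
# paths and the origin CA file below are assumptions for illustration.
set -eu

write_haproxy_cfg() {
    # $1 = path of the haproxy.cfg to write
    cat > "$1" <<'EOF'
global
    daemon
    # Refuse legacy protocol versions on both the client- and origin-facing side.
    ssl-default-bind-options   ssl-min-ver TLSv1.2
    ssl-default-server-options ssl-min-ver TLSv1.2

defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# Front side: clients -> HAProxy (TLS terminated here) -> Varnish on loopback.
frontend https_in
    bind :443 ssl crt /etc/haproxy/certs/site.pem
    default_backend varnish

backend varnish
    # send-proxy-v2 prepends a PROXY v2 header with the real client IP/port,
    # which Varnish reads when its listen socket is started with ",PROXY".
    server varnish1 127.0.0.1:6081 send-proxy-v2

# Back side: Varnish -> HAProxy on loopback -> origins over TLS.
frontend varnish_out
    bind 127.0.0.1:8443
    default_backend origins

backend origins
    balance roundrobin
    # "verify required" + ca-file: origin certificates are validated, never skipped.
    server origin1 origin1.example.internal:443 ssl verify required ca-file /etc/haproxy/certs/origin-ca.pem sni str(origin1.example.internal) check
    server origin2 origin2.example.internal:443 ssl verify required ca-file /etc/haproxy/certs/origin-ca.pem sni str(origin2.example.internal) check
EOF
}

write_vcl() {
    # $1 = path of the Varnish default.vcl to write
    cat > "$1" <<'EOF'
vcl 4.0;

# Varnish's only backend is the loopback HAProxy listener that re-encrypts to the origins.
backend default {
    .host = "127.0.0.1";
    .port = "8443";
}

sub vcl_recv {
    # With a ",PROXY" listen socket, client.ip is the real client address taken
    # from the PROXY header (not 127.0.0.1), and X-Forwarded-For is built from it.
    set req.http.X-Forwarded-Proto = "https";
    # Cookie-bearing (session) requests are not cache candidates; pass them through.
    if (req.http.Cookie) {
        return (pass);
    }
}
EOF
}

varnishd_cmd() {
    # $1 = VCL path. ",PROXY" makes Varnish expect a PROXY header on 127.0.0.1:6081.
    printf '%s\n' "varnishd -a 127.0.0.1:6081,PROXY -f $1 -s malloc,256m"
}

check_plaintext_is_loopback_only() {
    # $1 = haproxy.cfg. Succeeds only if every "bind" without "ssl" is on
    # 127.0.0.1, i.e. no plaintext listener is reachable from the network.
    ! grep -E '^[[:space:]]*bind ' "$1" | grep -v ' ssl ' | grep -vq '127\.0\.0\.1'
}

main() {
    dir="${1:-${TMPDIR:-/tmp}/varnish-tls-sandwich}"
    mkdir -p "$dir"
    write_haproxy_cfg "$dir/haproxy.cfg"
    write_vcl "$dir/default.vcl"
    check_plaintext_is_loopback_only "$dir/haproxy.cfg"
    echo "configs written to $dir; start Varnish with:"
    varnishd_cmd "$dir/default.vcl"
}

main "${1:-}"
```

Run it with an output directory as the first argument, then validate the results with `haproxy -c -f <dir>/haproxy.cfg` and `varnishd -C -f <dir>/default.vcl` before deploying. Header- or cookie-based distribution across origins, as the question asks for, belongs in the HAProxy `origins` backend (for example `balance hdr(<name>)` instead of `roundrobin`), since that is the process that actually opens the TLS connections to each origin; Varnish only ever sees the single loopback backend.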
