May 13, 2015

Flying pigs and SSL in Varnish Cache Plus

After quite a bit of time and discussion, I’m very happy to announce that we’ve finished implementing SSL in Varnish Cache Plus. We’re currently testing and documenting the software and a release will happen at our Varnish summit in Silicon Valley in early June.

Varnish Cache Plus is both an HTTP server and an HTTP client, and both implementations will have SSL enabled. The HTTP server side, i.e. the client-facing SSL, is perhaps the most significant one, enabling Varnish Cache Plus to encrypt traffic between the client and Varnish.

Until now the only way of encrypting the communication has been to rely on a third-party product to do this. There are quite a few SSL proxies out there and most of them play quite nicely with Varnish. However, it seems there is a cost in having another vendor, even if the product is completely free and open. So, instead of recommending various SSL proxies we’ve made our own SSL proxy that tightly integrates with Varnish. 

On the “back side” of Varnish there is the HTTP client. The client is responsible for fetching content that is missing from the cache. We’ve added encryption here as well, enabling Varnish to fetch content over SSL. This might be interesting to you if you run a fully encrypted data center or if your origin server is in a different location than your Varnish servers are.

What about Varnish Cache?

The implementation is only available for Varnish Cache Plus subscribers. Poul-Henning Kamp, the chief architect of Varnish Cache, is currently not interested in taking patches that include OpenSSL, so unless he changes his mind our implementation will stay proprietary. Hopefully we’ll be able to sway him as OpenSSL's track record gradually improves or another viable SSL library comes forward.

Edit: In all honesty, I find PHK's arguments for keeping OpenSSL out of the codebase valid and strong. However, I do believe the world very much needs/wants Varnish to have built-in SSL support, and even if it might be slightly painful I believe the gain will be worth the pain. We agree to disagree on the priorities here.

The technical details will be presented at the next round of Varnish Summits, in Silicon Valley and NYC. 

There are still a few seats left, so go ahead and register here to learn more about SSL in Varnish Cache Plus.