SSL/TLS with Varnish Plus

Varnish SSL / TLS


Agenda

● SSL/TLS
● Client-side TLS with Hitch TLS
● TLS to the backend with Varnish Cache Plus

TLS basics

● TLS - standardised encryption protocol providing
  ○ Confidentiality
  ○ Authentication
  ○ Integrity
● Lives on top of TCP, below HTTP
● TLS is originally based on SSL
● All SSL versions (SSLv2, SSLv3) are broken and should be disabled
● TLS 1.2 is the version you should use (TLS 1.3, standardised in 2018 as RFC 8446, postdates this deck)

Hitch TLS

● A small and fast TLS terminator
● Developed by Varnish Software
● Hitch TLS is bundled with Varnish Plus
  ○ Official packages and support
● Based on the “stud” project by Bump Technologies
● Freely available, BSD license
● https://hitch-tls.org/

Architecture

● Event-driven using libev
● Non-blocking IO
● One main management process
● N child processes, doing the actual heavy lifting

Setup and configuration

● Official packages available with Varnish Plus
● Community packages for Debian, RHEL/Fedora and FreeBSD
● Latest release 1.2.0-beta1 (at the time of this deck)
● Configuration in /etc/hitch/hitch.conf

PROXY protocol

● Transmits the original client endpoints in a tiny preamble, sent once at the start of the TCP connection before any payload
● Specified by Willy Tarreau of HAProxy
● Example PROXYv1 header (protocol family, source address, destination address, source port, destination port, terminated by CRLF):

PROXY TCP4 192.168.0.1 192.168.0.11 56324 443\r\n

● Supported in Varnish Cache Plus 4.0 and in Varnish 4.1
  ○ VCL: client.ip, server.ip, remote.ip, local.ip
● The header is not authenticated: a listener that accepts PROXY must be reachable only from the TLS terminator, otherwise any client can spoof client.ip
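The header format above, worked through as an added example that is not part of the deck or of the Hitch/Varnish code: a builder for the PROXY v1 line a terminator such as Hitch writes, and a parser of the kind a listener opened for PROXY has to apply, including the length limit, the UNKNOWN family and the rule that a malformed header closes the connection. The sample connection bytes are constructed, and `connection_addresses` is a hypothetical helper that maps the parsed header onto the four VCL variables named on the slide.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# The PROXY protocol spec caps a v1 line at 107 bytes including the CRLF.
PROXY_V1_MAX_LEN = 107


@dataclass(frozen=True)
class ProxyV1:
    family: str                 # "TCP4", "TCP6" or "UNKNOWN"
    src_addr: Optional[str]     # original client address (None for UNKNOWN)
    dst_addr: Optional[str]     # address the proxy accepted the connection on
    src_port: Optional[int]
    dst_port: Optional[int]


def build_proxy_v1(src_addr: str, dst_addr: str, src_port: int, dst_port: int) -> bytes:
    """Produce the preamble a terminator writes before the first payload byte."""
    src, dst = ipaddress.ip_address(src_addr), ipaddress.ip_address(dst_addr)
    if src.version != dst.version:
        raise ValueError("source and destination must share an address family")
    for port in (src_port, dst_port):
        if not 0 <= port <= 65535:
            raise ValueError(f"port out of range: {port}")
    family = "TCP4" if src.version == 4 else "TCP6"
    line = f"PROXY {family} {src} {dst} {src_port} {dst_port}\r\n".encode("ascii")
    if len(line) > PROXY_V1_MAX_LEN:
        raise ValueError("header exceeds the 107-byte limit")
    return line


def _parse_port(field: str) -> int:
    # Decimal digits only: rejects "+443", " 443" or "4_43", which int() would accept.
    if not field.isascii() or not field.isdigit() or len(field) > 5:
        raise ValueError(f"bad port field: {field!r}")
    port = int(field)
    if port > 65535:
        raise ValueError(f"port out of range: {port}")
    return port


def parse_proxy_v1(data: bytes) -> Tuple[ProxyV1, bytes]:
    """Split a PROXY v1 preamble off the start of a connection.

    Returns the parsed header and the remaining bytes (the real payload, here an
    HTTP request). Any violation raises ValueError; a receiver must then close the
    connection rather than fall back to treating the bytes as a normal request.
    """
    end = data.find(b"\r\n", 0, PROXY_V1_MAX_LEN)
    if end < 0:
        raise ValueError("no CRLF within 107 bytes: not a PROXY v1 header")
    line, rest = data[:end], data[end + 2:]
    if not line.startswith(b"PROXY "):
        raise ValueError("missing PROXY signature")
    fields = line.decode("ascii").split(" ")   # non-ASCII raises a ValueError subclass
    family = fields[1]
    if family == "UNKNOWN":
        # The proxy could not describe the endpoints; the rest of the line is ignored.
        return ProxyV1("UNKNOWN", None, None, None, None), rest
    if family not in ("TCP4", "TCP6") or len(fields) != 6:
        raise ValueError(f"malformed header line: {line!r}")
    src, dst = ipaddress.ip_address(fields[2]), ipaddress.ip_address(fields[3])
    expected = 4 if family == "TCP4" else 6
    if src.version != expected or dst.version != expected:
        raise ValueError("address family does not match the declared protocol")
    header = ProxyV1(family, str(src), str(dst), _parse_port(fields[4]), _parse_port(fields[5]))
    return header, rest


def is_valid_proxy_v1(data: bytes) -> bool:
    """True if the connection starts with a well-formed PROXY v1 header."""
    try:
        parse_proxy_v1(data)
    except ValueError:
        return False
    return True


def connection_addresses(header: ProxyV1, peer_ip: str, local_ip: str) -> Dict[str, str]:
    """Hypothetical mapping onto the VCL variables named on the slide (not Varnish code).

    remote.ip / local.ip are always the real TCP endpoints (the terminator and Varnish);
    client.ip / server.ip come from the header when it carries addresses, otherwise
    they fall back to the real endpoints.
    """
    if header.family == "UNKNOWN":
        return {"client.ip": peer_ip, "server.ip": local_ip, "remote.ip": peer_ip, "local.ip": local_ip}
    return {"client.ip": header.src_addr, "server.ip": header.dst_addr,
            "remote.ip": peer_ip, "local.ip": local_ip}


# Constructed sample: the deck's example header followed by a plaintext request, as a
# terminator would hand it over after terminating TLS on port 443.
SAMPLE_CONNECTION = (
    b"PROXY TCP4 192.168.0.1 192.168.0.11 56324 443\r\n"
    b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
)

if __name__ == "__main__":
    hdr, payload = parse_proxy_v1(SAMPLE_CONNECTION)
    print(hdr)
    print(connection_addresses(hdr, peer_ip="127.0.0.1", local_ip="127.0.0.1"))
    print(payload.split(b"\r\n")[0])
```

The parser looks for the CRLF only within the first 107 bytes and refuses anything that does not start with the `PROXY ` signature, so a plain HTTP request arriving on a PROXY listener is rejected instead of being silently served with the terminator's address as `client.ip`.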

Run-time reloads

● New in Hitch
● Seamlessly load new certificates and listen endpoints without interrupting service
● Hitch will re-read its config on SIGHUP:

# service hitch reload

Performance

● In short: very good
● Scales with any (reasonable) number of CPU cores
● Up to 3000 new connections per second per core (“SSL accelerator” cards not needed)
● Fills 10Gbit ethernet without much effort
● Tested with 500K certificates

Future improvements

● Improved configuration flexibility (in beta now)
● OCSP stapling
● Shared session cache improvements
● ALPN/NPN for HTTP/2

TLS to the backend

● Built into Varnish Cache Plus from 4.0.3r3 (June 2015)
● Add “.ssl = 1” to the backend definition to use TLS
● SNI on by default
● Other options: disable SNI and certificate checking
  ○ Disabling certificate checking removes the authentication property: the connection is still encrypted, but Varnish will accept any certificate, so an attacker on the path to the backend can impersonate it. Keep verification on unless the backend certificate genuinely cannot be validated.

Backend performance test

● nginx backend with TLS on a 10Gb LAN
● wrk toward local Varnish
● Focus on latency, not throughput

Backend TLS performance

● On a LAN: costly, but still very fast
● On a WAN: smaller differences, but the extra round trips will slow down the first request
● Once established, the TLS connections are fast

Backend TLS future

● Feature complete
● Ongoing support in Varnish Cache Plus

Summary

● You can do TLS/SSL both to the client and to the backend with Varnish Plus
● All components are supported in Plus
● High performance is ensured


Questions?