A: Yes, most definitively. It is a bit cumbersome because v1.1.1 still requires the key, cert and dhparams in a single file, but at least the ACME client has native support for Hitch now.
Q: Is it possible to identify in VCL if a request to Varnish came in through the proxy protocol port or the regular http interface? (this is to detect if a request came in through hitch or not)
A: It is possible. std.port(local.ip) will give you the port number of the endpoint the request came in through. Compare that to the port number where you have PROXY listening.
Many backend applications require an HTTPS hint in X-Forwarded-Proto when building links to themselves. Since Hitch does not speak HTTP, this header needs to be set in Varnish based on the connection parameters. Note that `local.ip` is the Varnish listener the connection actually arrived on, while `server.ip` is the address the client originally connected to, which on a PROXY-protocol listener comes from the PROXY header Hitch sends:

```vcl
import std;

sub vcl_recv {
    # local.ip: the Varnish endpoint that accepted the connection (the PROXY listener on 6086).
    # server.ip: the original destination taken from the PROXY header (Hitch's :443 listener).
    if ((std.port(local.ip) == 6086) && (std.port(server.ip) == 443)) {
        set req.http.X-Forwarded-Proto = "https";
    }
}
```
Assuming you have Varnish set up with a command line looking something like the following, with separate listen endpoints for HTTP (:80) and PROXY (:6081): -a :80 -a 127.0.0.1:6081,proxy.
```vcl
import std;

sub vcl_recv {
    # Plain HTTP arrives on :80; redirect it to the TLS endpoint in front of Varnish.
    # Only the canonical host is redirected (dot escaped so it matches literally).
    if (std.port(local.ip) == 80 && req.http.host ~ "^(?i)example\.com$") {
        set req.http.x-redir = "https://" + req.http.host + req.url;
        return (synth(301));
    }
}

sub vcl_synth {
    # Deliver the redirect generated above.
    if (resp.status == 301) {
        set resp.http.Location = req.http.x-redir;
        return (deliver);
    }
}
```
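The two snippets above rely on the same idea: the decision to mark a request as HTTPS, or to redirect it, is derived from which listener the connection arrived on and from the destination carried in the PROXY header, never from a header the client can send. The following Python model, which is an added example and not Hitch or Varnish code, shows that logic end to end: it parses a PROXY protocol v1 line as Hitch emits it, derives the equivalents of `local.ip`/`server.ip`, and applies the FAQ's `vcl_recv` rules. The ports (80 for HTTP, 6081 for PROXY as on the command line above, 443 for Hitch), the host `example.com` and the sample PROXY line are assumptions made for the example.

```python
"""Added example (not Hitch or Varnish code): models how Varnish can tell a
connection that arrived via Hitch's PROXY-protocol listener from one on the
plain HTTP listener, and derives X-Forwarded-Proto / redirect decisions from
connection facts rather than from client-supplied headers.

Assumed layout (hypothetical, mirroring the FAQ): Varnish listens on :80 for
HTTP and on 127.0.0.1:6081 with the PROXY protocol; Hitch listens on :443 and
forwards to 6081. The PROXY v1 line format follows the PROXY protocol spec.
"""
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

HTTP_PORT = 80          # plain HTTP listener (-a :80)
PROXY_PORT = 6081       # PROXY-protocol listener (-a 127.0.0.1:6081,proxy)
TLS_PORT = 443          # Hitch's public listener
CANONICAL_HOST = "example.com"

# v1 line: "PROXY TCP4|TCP6 <src> <dst> <sport> <dport>\r\n" (UNKNOWN family not handled here)
_PROXY_V1 = re.compile(rb"^PROXY (TCP4|TCP6) (\S+) (\S+) (\d{1,5}) (\d{1,5})\r\n")


@dataclass
class Conn:
    local_port: int           # equivalent of std.port(local.ip)
    server_port: int          # equivalent of std.port(server.ip)
    via_proxy_protocol: bool  # True when accepted on the PROXY listener


def parse_proxy_v1(data: bytes) -> Tuple[Optional[Dict], bytes]:
    """Parse a PROXY v1 line at the start of a byte stream.

    Returns (header, remaining_bytes); header is None when no valid line is
    present. Only the first 108 bytes are inspected, since a v1 line is at
    most 107 bytes long per the spec."""
    m = _PROXY_V1.match(data[:108])
    if not m:
        return None, data
    fam, src, dst, sport, dport = m.groups()
    sport, dport = int(sport), int(dport)
    if not (0 < sport <= 65535 and 0 < dport <= 65535):
        return None, data
    hdr = {"family": fam.decode(), "src": src.decode(), "dst": dst.decode(),
           "src_port": sport, "dst_port": dport}
    return hdr, data[m.end():]


def accept(listener_port: int, raw: bytes) -> Tuple[Conn, bytes]:
    """Model what Varnish knows after accept(): on the PROXY listener the
    original destination comes from the header (and a missing or malformed
    header is fatal for the connection); elsewhere server == local."""
    if listener_port == PROXY_PORT:
        hdr, rest = parse_proxy_v1(raw)
        if hdr is None:
            raise ValueError("PROXY listener requires a valid PROXY header")
        return Conn(listener_port, hdr["dst_port"], True), rest
    return Conn(listener_port, listener_port, False), raw


def vcl_recv(conn: Conn, req_headers: Dict[str, str], url: str):
    """Mirror the FAQ's vcl_recv rules.

    Returns ("synth", 301, location) for an HTTP->HTTPS redirect, otherwise
    ("pass", headers) with X-Forwarded-Proto derived from the connection."""
    headers = dict(req_headers)
    # A client-supplied X-Forwarded-Proto is never trusted; drop it first.
    headers.pop("X-Forwarded-Proto", None)
    if (conn.via_proxy_protocol and conn.local_port == PROXY_PORT
            and conn.server_port == TLS_PORT):
        headers["X-Forwarded-Proto"] = "https"
    host = headers.get("Host", "")
    if conn.local_port == HTTP_PORT and host.lower() == CANONICAL_HOST:
        return ("synth", 301, "https://" + host + url)
    return ("pass", headers)


if __name__ == "__main__":
    # Constructed sample: a TLS client reached Hitch on :443, which forwarded via PROXY.
    sample = b"PROXY TCP4 203.0.113.5 192.0.2.10 51234 443\r\nGET / HTTP/1.1\r\n"
    conn, _rest = accept(PROXY_PORT, sample)
    print(vcl_recv(conn, {"Host": "example.com"}, "/"))
    conn, _rest = accept(HTTP_PORT, b"GET / HTTP/1.1\r\n")
    print(vcl_recv(conn, {"Host": "example.com"}, "/"))
```

Running the module prints a `pass` result carrying `X-Forwarded-Proto: https` for the PROXY-listener case and a 301 to `https://example.com/` for the plain-HTTP case; a request on :80 that arrives with its own `X-Forwarded-Proto: https` header gets that header stripped rather than honoured.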
Q: How can I set up HSTS with Hitch?
A: Hitch is a so-called "dumb proxy", so any protocol-specific feature such as this has to be handled elsewhere. With Hitch terminating HTTPS traffic in front of a Varnish Cache server, you can set the HSTS response header in your VCL:

```vcl
sub vcl_deliver {
    # One year, applied to all subdomains as well.
    set resp.http.Strict-Transport-Security = "max-age=31536000; includeSubDomains";
}
```
Q: Sometimes I'm unable to connect to Hitch, what's happening?
A: It can be hard to tell without a better understanding of your overall system; you may be running into configurable limits.
See #274 for example.