I installed varnish as a cache frontend for my apache web server a few weeks ago. In the process, I changed apache's listening address from my public IP to localhost. But I was still using apache for my https sites (webmail and a few other virtual hosts). Today, I set up pound as an SSL reverse proxy for apache and completely removed mod_ssl from my apache configuration.

Even though pound is easy to set up, there is one pain point in this type of migration: apache can run an external command to obtain the passphrase that unlocks the SSL private key (the SSLPassPhraseDialog exec: directive), and pound has no equivalent.

Pound won't start if the SSL key is protected by a passphrase. So, as part of the migration, one needs to remove the passphrase from the private key before starting pound. Needless to say, the unencrypted private key must then be properly protected: readable only by the user pound runs as, and never left lying around in backups, mail or an export directory.

If you're using TinyCA to manage your certificates, here is how to get rid of the passphrase:

  • Do not forget to back up your TinyCA data before making any changes!

  • Find the private key file. It should be located in the ~/.tinyCA/SITE/keys directory. Filenames are base64-encoded; ls | perl -MMIME::Base64 -ne 'print decode_base64($_), "\n"' will display them in human-readable form.

  • Remove the passphrase with openssl rsa -in INPUT_FILE -out OUTPUT (the option is -out; openssl prompts for the current passphrase).

  • Check the new file with openssl rsa -check -in OUTPUT

  • Replace the old file with the new key, and make sure the new file is mode 0600.

  • Start tinyca2 and re-export the certificate and the private key.
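As an added example (not from the original post, and not something TinyCA or pound ship), here are the steps above as a small POSIX shell script: it strips the passphrase, creates the new file with restrictive permissions before any key material is written, runs the same openssl rsa -check, and additionally verifies that the unencrypted key really belongs to the certificate you are about to serve with pound. File names, the KEY_PASSPHRASE environment variable and the key_matches_cert helper are assumptions for the demonstration.

```sh
#!/bin/sh
# Added example, not part of the original post: strip the passphrase from an
# RSA private key so pound can load it, then verify the result before
# replacing the key TinyCA exported. File names and the passphrase handling
# below are assumptions for the demonstration.
set -eu

# strip_passphrase ENCRYPTED_KEY PLAIN_KEY
# Writes an unencrypted copy of ENCRYPTED_KEY to PLAIN_KEY (mode 0600) and
# checks that the resulting key is well-formed. If KEY_PASSPHRASE is set in
# the environment it is fed to openssl on stdin (never on the command line,
# where it would show up in "ps"); otherwise openssl prompts for it.
strip_passphrase() {
    enc=$1
    plain=$2
    # Restrictive umask so the output file is never world-readable, not even
    # between its creation and the chmod below.
    old_umask=$(umask)
    umask 077
    if [ -n "${KEY_PASSPHRASE:-}" ]; then
        printf '%s\n' "$KEY_PASSPHRASE" |
            openssl rsa -in "$enc" -out "$plain" -passin stdin
    else
        openssl rsa -in "$enc" -out "$plain"
    fi
    umask "$old_umask"
    chmod 600 "$plain"
    # The same check the post suggests: parses the key and verifies that its
    # RSA components are consistent with each other.
    openssl rsa -check -noout -in "$plain"
}

# key_matches_cert KEY CERT
# Returns 0 when KEY is the private key for CERT, by comparing the public key
# derived from each side. Run this before pointing pound at the new file so a
# mix-up in the base64-named TinyCA key directory is caught up front.
key_matches_cert() {
    from_key=$(openssl rsa -in "$1" -pubout 2>/dev/null)
    from_cert=$(openssl x509 -in "$2" -pubkey -noout)
    [ -n "$from_key" ] && [ "$from_key" = "$from_cert" ]
}

# Typical use (paths are assumptions):
#   strip_passphrase ~/.tinyCA/SITE/keys/<base64name>.pem /etc/pound/webmail.key
#   key_matches_cert /etc/pound/webmail.key /etc/pound/webmail.pem
```

Feeding the passphrase on stdin (or letting openssl prompt) matters because a passphrase given as -passin pass:... is visible to every local user in the process list for as long as openssl runs.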

A few years ago, I switched my web site from a custom CMS (written by Erwan Pinvidic) to the MoinMoin wiki engine. Some months (or years?) later, I implemented an authentication plugin which uses my mail server as the credentials provider. At that time, I wanted to use https for authentication and tried a few things to force apache to redirect to https on a specific URL pattern, and I failed. So I modified my plugin to reject authentication if the login and password were sent over http, and forgot all about it...

A few days ago, I set up varnish in front of my apache server and moved a few http-to-https redirections from apache to varnish. While updating varnish's configuration, I recalled my attempts at redirecting MoinMoin's login page and wanted to implement that with varnish. This time, I did it using the setup below:

# VCL 4.0 syntax: synth() and vcl_synth need Varnish 4 or later.
sub vcl_recv {
    # Only the login page is forced to https. The host check is anchored so
    # that a Host header such as "www.glennie.fr.example" cannot turn this
    # rule into a redirect to a foreign site.
    if (req.http.host ~ "^www\.glennie\.fr$" && req.url ~ "\?action=login") {
        set req.http.x-host = req.http.host;
        set req.http.x-url = req.url;
        # 750 is a private status code used only to reach vcl_synth below
        return (synth(750, "https://" + req.http.x-host + req.http.x-url));
    }
}

sub vcl_synth {
    if (resp.status == 750) {
        set resp.http.Location = "https://" + req.http.x-host + req.http.x-url;
        set resp.status = 301;
        return (deliver);
    }
}

So, don't worry if you don't succeed the first time. Try again later using the right tool™!


I installed varnish as an HTTP accelerator in front of my apache server. Some of my sites can be accessed only via https. When accessed via http, clients get redirected to https (the redirection used to be done in the virtual host definition).
After installing varnish, I wanted to move the redirection into varnish. To redirect browsers with varnish, edit /etc/varnish/default.vcl and add the following. One caveat: this only works if the decrypted https traffic does not itself pass back through varnish; if it does, varnish sees plain http again and the rule would redirect forever, so it must then also check a header such as X-Forwarded-Proto set by the SSL proxy.

# VCL 4.0 syntax: synth() and vcl_synth need Varnish 4 or later.
sub vcl_recv {
    # Hosts that are https-only. The regex is anchored so that only these
    # exact hostnames match (a Host header like "webmail.glennie.fr.example"
    # would otherwise be redirected to a foreign site).
    if (req.http.host ~ "^(webmail|nagios|stats)\.glennie\.fr$") {
        set req.http.x-host = req.http.host;
        set req.http.x-url = req.url;
        # 750 is a private status code used only to reach vcl_synth below
        return (synth(750, "https://" + req.http.x-host + req.http.x-url));
    }
}

sub vcl_synth {
    if (resp.status == 750) {
        set resp.http.Location = "https://" + req.http.x-host + req.http.x-url;
        set resp.status = 301;
        return (deliver);
    }
}


YMMV