From many articles I found Varnish can’t work with SSL. Varnish does not support SSL, so we need to use another service as an SSL Termination Proxy, in our case that will be\u00a0Nginx.<\/p>\n
When a visitor opens your website over\u00a0HTTPS\u00a0on port\u00a0443\u00a0the request will be handled by Nginx which works as a proxy and passes the request to Varnish (on port 6081). Varnish checks if the request is cached or not. If it is cached, Varnish will return the cached data to Nginx without a request to the Magento application. If the request is not cached Varnish will pass the request to Nginx on port\u00a08080\u00a0which will pull data from Magento and Varnish will cache the response. Then also modify \/etc\/systemd\/system\/varnish.service file to change the varnish port back to 6081<\/p>\n Then modify \/etc\/varnish\/default.vcl<\/p>\n I use host “fontaineind.test” here because I have many local websites. Usually it’s enough to use “localhost”. Port 8080 is the nginx port as the backend server. After saving the changes, I need to restart varnish server:<\/p>\n Don’t forget to verify the varnish port is 6081 now. Just see it by typing<\/p>\n Then I need to modify also the nginx setting for fontaineind.test.<\/p>\n Modify it like this:<\/p>\n So if the user use non-https (port 80) url like http:\/\/fontaineind.test\/, It’d be redirected permanently (301) to https url like https:\/\/fontaineind.test\/. Please see<\/p>\n Then if the user entering the https site (port 443), it’d use varnish proxy (port 6081)<\/p>\n If the page request is already exist in the varnish cache, it’d be returned immediately. But if not, it’d look it in the backend server (nginx port 8080).<\/p>\n This is very tricky. Because I use many local website, I have to use ‘listen fontaineind.test:8080;’ instead of just ‘listen 8080;’. It must same with the backend host in \/etc\/varnish\/default.vcl. Don’t forget to modify env.php file in magento root (app\/etc\/env.php) like this:<\/p>\n So now varnish is working with SSL. Here is the response header on https:\/\/fontaineind.test\/ (after first refresh)<\/p>\n You can see ‘Age’ and ‘x-varnish’ values.<\/p>\n","protected":false},"excerpt":{"rendered":" Ref: https:\/\/blog.hauri.me\/magento-2-with-varnish-and-nginx-as-ssl-termination.html https:\/\/www.absolute-design.co.uk\/services\/magento-ecommerce\/using-nginx-for-ssl-termination-with-varnish-and-magento-2\/ https:\/\/linuxize.com\/post\/configure-magento-2-to-use-varnish-on-centos-7\/ https:\/\/www.digitalocean.com\/community\/tutorials\/how-to-configure-nginx-with-ssl-as-a-reverse-proxy-for-jenkins On a few last articles, I wrote about the Varnish and Nginx configuration also Self-signed certificate. Now I want to combine them all on my local magento 2 website https:\/\/fontaineind.test\/. When I run the site, the varnish is not working. I need to configure it (and Nginx) to make it … Continue reading “Configure Varnish, SSL, Nginx and Magento 2 On Ubuntu 16.04”<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[71,98,13,17,78],"tags":[],"class_list":["post-3578","post","type-post","status-publish","format-standard","hentry","category-magento","category-magento-tutorial","category-tutorial","category-ubuntu","category-ubuntu-16-04"],"_links":{"self":[{"href":"https:\/\/myprojects.advchaweb.com\/index.php\/wp-json\/wp\/v2\/posts\/3578","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/myprojects.advchaweb.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/myprojects.advchaweb.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/myprojects.advchaweb.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/myprojects.advchaweb.com\/index.php\/wp-json\/wp\/v2\/comments?post=3578"}],"version-history":[{"count":6,"href":"https:\/\/myprojects.advchaweb.com\/index.php\/wp-json\/wp\/v2\/posts\/3578\/revisions"}],"predecessor-version":[{"id":3587,"href":"https:\/\/myprojects.advchaweb.com\/index.php\/wp-json\/wp\/v2\/posts\/3578\/revisions\/3587"}],"wp:attachment":[{"href":"https:\/\/myprojects.advchaweb.com\/index.php\/wp-json\/wp\/v2\/media?parent=3578"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/myprojects.advchaweb.com\/index.php\/wp-json\/wp\/v2\/categories?post=3578"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/myprojects.advchaweb.com\/index.php\/wp-json\/wp\/v2\/tags?post=3578"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
\nIf a visitor opens your website without\u00a0SSL\u00a0on port\u00a080\u00a0then he will be redirected to the\u00a0HTTPS\u00a0on port\u00a0443\u00a0URL by Varnish. So here is the topology
\n![\"\"](\"http:\/\/myprojects.advchaweb.com\/wp-content\/uploads\/2019\/02\/Varnish_SSL_3.jpg\")
<\/a>I need to change the Varnish port back to 6081 because I need to redirect HTTP port 80 to HTTPS port 443. (This article said I can still use port 80 for varnish: https:\/\/medium.com\/magebit\/magento-2-full-ssl-with-varnish-d2cfed3d7df<\/a> also https:\/\/www.getpagespeed.com\/web-apps\/magento\/magento-2-nginx-config-ssl-termination-varnish<\/a>) But I keep the nginx port to 8080. So modify \/etc\/default\/varnish file like this:<\/p>\n...\r\n# Should we start varnishd at boot? Set to \"no\" to disable.\r\n#START=yes\r\nSTART=no\r\n...\r\nDAEMON_OPTS=\"-a :6081 \\\r\n -T localhost:6082 \\\r\n -f \/etc\/varnish\/default.vcl \\\r\n -S \/etc\/varnish\/secret \\\r\n -s malloc,256m\"\r\n...<\/pre>\n
ExecStart=\/usr\/sbin\/varnishd -j unix,user=vcache -F -a :6081 -T localhost:6082 -f \/etc\/varnish\/default.vcl -S \/etc\/varnish\/secret -s malloc,256m<\/pre>\n
...\r\nbackend default {\r\n .host = \"fontaineind.test\";\r\n .port = \"8080\";\r\n}\r\n...<\/pre>\nsudo service varnish restart<\/pre>\n
sudo service varnish status<\/pre>\n
teddy@teddy:~\/Documents\/works\/fontaineind$ sudo service varnish status\r\n\u25cf varnish.service - Varnish HTTP accelerator\r\n Loaded: loaded (\/etc\/systemd\/system\/varnish.service; enabled; vendor preset: \r\n Active: active (running) since Sen 2019-02-11 16:53:14 WIB; 13min ago\r\n Docs: https:\/\/www.varnish-cache.org\/docs\/4.1\/\r\n man:varnishd\r\n Main PID: 2379 (varnishd)\r\n CGroup: \/system.slice\/varnish.service\r\n \u251c\u25002379 \/usr\/sbin\/varnishd -j unix,user=vcache -F -a :6081 -T localhos\r\n \u2514\u25002389 \/usr\/sbin\/varnishd -j unix,user=vcache -F -a :6081 -T localhos\r\n\r\nPeb 11 16:53:14 teddy systemd[1]: Started Varnish HTTP accelerator.\r\nPeb 11 16:53:14 teddy varnishd[2379]: Debug: Platform: Linux,4.15.0-38-generic,x\r\nPeb 11 16:53:14 teddy varnishd[2379]: Platform: Linux,4.15.0-38-generic,x86_64,-\r\nPeb 11 16:53:14 teddy varnishd[2379]: Debug: Child (2389) Started\r\nPeb 11 16:53:14 teddy varnishd[2379]: Child (2389) Started\r\nPeb 11 16:53:14 teddy varnishd[2379]: Info: Child (2389) said Child starts\r\nPeb 11 16:53:14 teddy varnishd[2379]: Child (2389) said Child starts<\/pre>\n
teddy@teddy:~$ sudo gedit \/etc\/nginx\/sites-available\/fontaineind.test<\/pre>\n
# nginx = 443\r\n# varnish = 6081\r\n# nginx -> php-fpm = 8080\r\n\r\nserver {\r\n listen 443 ssl http2;\r\n server_name fontaineind.test;\r\n \r\n location \/ {\r\n # Pass the request on to Varnish.\r\n proxy_pass http:\/\/127.0.0.1:6081;\r\n\r\n # Pass a bunch of headers to the downstream server, so they'll know what's going on.\r\n proxy_set_header Host $host;\r\n proxy_set_header X-Real-IP $remote_addr;\r\n proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;\r\n\r\n # Most web apps can be configured to read this header and understand that the current session is actually HTTPS.\r\n proxy_set_header X-Forwarded-Port 443;\r\n proxy_set_header X-Forwarded-Proto https;\r\n\r\n # We expect the downsteam servers to redirect to the right hostname, so don't do any rewrites here.\r\n #proxy_redirect off;\r\n }\r\n ssl_certificate \/etc\/ssl\/certs\/fontaineind.test.crt;\r\n ssl_certificate_key \/etc\/ssl\/private\/fontaineind.test.key;\r\n \r\n ssl_protocols TLSv1.2 TLSv1.1 TLSv1;\r\n}\r\n\r\n\r\nserver {\r\n listen fontaineind.test:8080;\r\n #listen [::]:8080;\r\n #server_name fontaineind.test;\r\n\r\n set $MAGE_ROOT \/home\/teddy\/Documents\/works\/fontaineind;\r\n\r\n root $MAGE_ROOT;\r\n\r\n index index.php;\r\n autoindex off;\r\n charset UTF-8;\r\n error_page 404 403 = \/errors\/404.php;\r\n #add_header \"X-UA-Compatible\" \"IE=Edge\";\r\n client_max_body_size 100M;\r\n\r\n # PHP entry point for setup application\r\n location ~* ^\/setup($|\/) {\r\n root $MAGE_ROOT;\r\n location ~ ^\/setup\/index.php {\r\n fastcgi_split_path_info ^(.+?\\.php)(\/.*)$;\r\n fastcgi_buffers 1024 4k; \r\n fastcgi_read_timeout 600s; \r\n fastcgi_connect_timeout 600s;\r\n fastcgi_pass unix:\/run\/php\/php7.0-fpm.sock; #FOR AWS SERVER\r\n #fastcgi_pass 127.0.0.1:9000;\r\n #fastcgi_index index.php;\r\n fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;\r\n include fastcgi_params;\r\n }\r\n\r\n location ~ ^\/setup\/(?!pub\/). {\r\n deny all;\r\n }\r\n\r\n location ~ ^\/setup\/pub\/ {\r\n add_header X-Frame-Options \"SAMEORIGIN\";\r\n }\r\n }\r\n\r\n # PHP entry point for update application\r\n location ~* ^\/update($|\/) {\r\n root $MAGE_ROOT;\r\n\r\n location ~ ^\/update\/index.php {\r\n fastcgi_split_path_info ^(\/update\/index.php)(\/.+)$;\r\n fastcgi_pass unix:\/run\/php\/php7.0-fpm.sock; #FOR AWS SERVER\r\n #fastcgi_pass 127.0.0.1:9000;\r\n fastcgi_index index.php;\r\n fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;\r\n fastcgi_param PATH_INFO $fastcgi_path_info;\r\n include fastcgi_params;\r\n }\r\n\r\n # Deny everything but index.php\r\n location ~ ^\/update\/(?!pub\/). {\r\n deny all;\r\n }\r\n\r\n location ~ ^\/update\/pub\/ {\r\n add_header X-Frame-Options \"SAMEORIGIN\";\r\n }\r\n }\r\n\r\n location \/ {\r\n try_files $uri $uri\/ \/index.php?$args;\r\n }\r\n\r\n location \/pub\/ {\r\n location ~ ^\/pub\/media\/(downloadable|customer|import|theme_customization\/.*\\.xml) {\r\n deny all;\r\n }\r\n alias $MAGE_ROOT\/pub\/;\r\n add_header X-Frame-Options \"SAMEORIGIN\";\r\n }\r\n\r\n\r\n location ~ ^\/pub\/static\/version {\r\n rewrite ^\/pub\/static\/(version\\d*\/)?(.*)$ \/pub\/static\/$2 last;\r\n }\r\n\r\n location \/static\/ {\r\n # Uncomment the following line in production mode\r\n # expires max;\r\n\r\n # Remove signature of the static files that is used to overcome the browser cache\r\n location ~ ^\/static\/version {\r\n rewrite ^\/static\/(version\\d*\/)?(.*)$ \/static\/$2 last;\r\n }\r\n\r\n location ~* \\.(ico|jpg|jpeg|png|gif|svg|js|css|swf|eot|ttf|otf|woff|woff2)$ {\r\n add_header Cache-Control \"public\";\r\n add_header X-Frame-Options \"SAMEORIGIN\";\r\n expires +1y;\r\n\r\n if (!-f $request_filename) {\r\n rewrite ^\/static\/(version\\d*\/)?(.*)$ \/static.php?resource=$2 last;\r\n }\r\n }\r\n\r\n location ~* \\.(zip|gz|gzip|bz2|csv|xml)$ {\r\n add_header Cache-Control \"no-store\";\r\n add_header X-Frame-Options \"SAMEORIGIN\";\r\n expires off;\r\n\r\n if (!-f $request_filename) {\r\n rewrite ^\/static\/(version\\d*\/)?(.*)$ \/static.php?resource=$2 last;\r\n }\r\n }\r\n\r\n if (!-f $request_filename) {\r\n rewrite ^\/static\/(version\\d*\/)?(.*)$ \/static.php?resource=$2 last;\r\n }\r\n\r\n add_header X-Frame-Options \"SAMEORIGIN\";\r\n }\r\n\r\n location \/media\/ {\r\n try_files $uri $uri\/ \/get.php?$args;\r\n\r\n location ~ ^\/media\/theme_customization\/.*\\.xml {\r\n deny all;\r\n }\r\n\r\n location ~* \\.(ico|jpg|jpeg|png|gif|svg|js|css|swf|eot|ttf|otf|woff|woff2)$ {\r\n add_header Cache-Control \"public\";\r\n add_header X-Frame-Options \"SAMEORIGIN\";\r\n expires +1y;\r\n try_files $uri $uri\/ \/get.php?$args;\r\n }\r\n\r\n location ~* \\.(zip|gz|gzip|bz2|csv|xml)$ {\r\n add_header Cache-Control \"no-store\";\r\n add_header X-Frame-Options \"SAMEORIGIN\";\r\n expires off;\r\n try_files $uri $uri\/ \/get.php?$args;\r\n }\r\n\r\n add_header X-Frame-Options \"SAMEORIGIN\";\r\n }\r\n\r\n location \/media\/customer\/ {\r\n deny all;\r\n }\r\n\r\n location \/media\/downloadable\/ {\r\n deny all;\r\n }\r\n\r\n location \/media\/import\/ {\r\n deny all;\r\n }\r\n\r\n # PHP entry point for main application\r\n location ~ (index|get|static|report|404|503)\\.php$ {\r\n try_files $uri =404;\r\n fastcgi_pass unix:\/run\/php\/php7.0-fpm.sock; #FOR AWS SERVER\r\n #fastcgi_pass 127.0.0.1:9000;\r\n fastcgi_buffers 1024 4k;\r\n\r\n fastcgi_read_timeout 600s;\r\n fastcgi_connect_timeout 600s;\r\n # to configure profiler in Magento 2\r\n #fastcgi_param MAGE_PROFILER html;\r\n\r\n fastcgi_index index.php;\r\n fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;\r\n #include fastcgi_params;\r\n #FOR DEVELOPMENT MODE ONLY - BEGIN\r\n fastcgi_param MAGE_IS_DEVELOPER_MODE true;\r\n fastcgi_param PHP_VALUE display_startup_errors=on;\r\n fastcgi_param PHP_VALUE display_errors=on;\r\n fastcgi_param PHP_VALUE html_errors=on;\r\n fastcgi_param PHP_VALUE log_errors=on;\r\n fastcgi_param PHP_VALUE error_log=\/home\/teddy\/Documents\/works\/fontaineind\/var\/log\/system.log;\r\n\r\n #FOR DEVELOPMENT MODE ONLY - END\r\n include fastcgi_params;\r\n #FOR DEBUGGING WITH XDEBUG - BEGIN\r\n #fastcgi_read_timeout 600;\r\n #FOR DEBUGGING WITH XDEBUG - END\r\n }\r\n\r\n #gzip on;\r\n #gzip_disable \"msie6\";\r\n\r\n #gzip_comp_level 6;\r\n #gzip_min_length 1100;\r\n #gzip_buffers 16 8k;\r\n #gzip_proxied any;\r\n #gzip_types\r\n #text\/plain\r\n #text\/css\r\n #text\/js\r\n #text\/xml\r\n #text\/javascript\r\n #application\/javascript\r\n #application\/x-javascript\r\n #application\/json\r\n #application\/xml\r\n #application\/xml+rss\r\n #image\/svg+xml;\r\n #gzip_vary on;\r\n\r\n # Banned locations (only reached if the earlier PHP entry point regexes don't match)\r\n location ~* (\\.php$|\\.htaccess$|\\.git) {\r\n deny all;\r\n } \r\n}\r\n\r\nserver {\r\n listen 80;\r\n server_name fontaineind.test www.fontaineind.test;\r\n #location ^~ \/.well-known\/acme-challenge {\r\n # root \/var\/www;\r\n #}\r\n location \/ {\r\n return 301 https:\/\/$server_name$request_uri;\r\n }\r\n}<\/pre>\n...\r\nserver {\r\n listen 80;\r\n server_name fontaineind.test www.fontaineind.test;\r\n ...\r\n location \/ {\r\n return 301 https:\/\/$server_name$request_uri;\r\n }\r\n}<\/pre>\n...\r\nserver {\r\n listen 443 ssl http2;\r\n server_name fontaineind.test;\r\n \r\n location \/ {\r\n # Pass the request on to Varnish.\r\n proxy_pass http:\/\/127.0.0.1:6081;\r\n\r\n # Pass a bunch of headers to the downstream server, so they'll know what's going on.\r\n proxy_set_header Host $host;\r\n proxy_set_header X-Real-IP $remote_addr;\r\n proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;\r\n\r\n # Most web apps can be configured to read this header and understand that the current session is actually HTTPS.\r\n proxy_set_header X-Forwarded-Port 443;\r\n proxy_set_header X-Forwarded-Proto https;\r\n\r\n # We expect the downsteam servers to redirect to the right hostname, so don't do any rewrites here.\r\n #proxy_redirect off;\r\n }\r\n ssl_certificate \/etc\/ssl\/certs\/fontaineind.test.crt;\r\n ssl_certificate_key \/etc\/ssl\/private\/fontaineind.test.key;\r\n \r\n ssl_protocols TLSv1.2 TLSv1.1 TLSv1;\r\n}\r\n...<\/pre>\n...\r\nserver {\r\n listen fontaineind.test:8080;\r\n ...\r\n}\r\n...<\/pre>\n
\nNOTE: Somehow the other local websites would be redirected to fontaineind.test. So if I open for example phpmyadmin.test:8080. It’d be redirected to fontaineind.test. This is not expected. So If I want to open phpmyadmin, I need to stop varnish then change ‘listen fontaineind.test:8080;’ to ‘listen 8080;’. I still dont know how to solve this problem.<\/p>\n...\r\n'http_cache_hosts' => \r\n array (\r\n 0 => \r\n array (\r\n 'host' => 'localhost',\r\n 'port' => '6081',\r\n ),\r\n ),\r\n...<\/pre>\n
accept-ranges: bytes\r\nage: 100\r\ncache-control: no-store, no-cache, must-revalidate, max-age=0\r\ncontent-encoding: gzip\r\ncontent-length: 118047\r\ncontent-type: text\/html; charset=UTF-8\r\ndate: Mon, 11 Feb 2019 10:12:09 GMT\r\nexpires: -1\r\npragma: no-cache\r\nserver: nginx\/1.10.3 (Ubuntu)\r\nstatus: 200\r\nvary: Accept-Encoding\r\nx-content-type-options: nosniff\r\nx-frame-options: SAMEORIGIN\r\nx-varnish: 131226 3\r\nx-xss-protection: 1; mode=block<\/pre>\n