3. TLS basics
● TLS - standardised encryption protocol providing
○ Confidentiality
○ Authentication (of the server, and optionally the client)
○ Integrity
● Lives on top of TCP, below HTTP (which is what HTTPS is)
● TLS descends from Netscape's SSL
● All SSL versions (2.0 and 3.0) are broken and must be disabled
● TLS 1.2 is the version you should use (the current one when this deck was written; TLS 1.3 has since been standardised and is preferable where supported)
4. Hitch TLS
● A small and fast TLS terminator
● Developed by Varnish Software
● Hitch TLS is bundled with Varnish Plus
○ Official packages and support
● Based on the “stud” project by Bump Technologies
● Freely available. BSD license
● https://hitch-tls.org/
5. Architecture
● Event-driven using libev
● Non-blocking IO
● One main management process
● N child processes, doing the actual heavy lifting
6. Setup and configuration
● Official packages available with Varnish Plus
● Community packages for Debian, RHEL/Fedora and FreeBSD
● Latest release (at the time of this deck): 1.2.0-beta1
● Configuration in /etc/hitch/hitch.conf
8. PROXY protocol
● Transmits the original client and server endpoints in a tiny plain-text preamble at the start of the TCP stream, so the backend behind the terminator still sees the real client address
● Specified by Willy Tarreau of HAProxy
● Example PROXYv1 header (one line, terminated by CRLF):
PROXY TCP4 192.168.0.1 192.168.0.11 56324 443\r\n
● Supported in Varnish Cache Plus 4.0 and in Varnish 4.1.
○ VCL: client.ip and server.ip come from the PROXY header; remote.ip and local.ip are the actual TCP peer (i.e. Hitch)
○ The header is unauthenticated: only accept it on a listener that nothing but the terminator can reach, otherwise any client can forge client.ip
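Receiver-side handling of the PROXYv1 line above, as an added example (not Hitch or Varnish code): a strict parser following the v1 text format from the PROXY protocol specification, plus the trust check a backend should apply before believing the advertised client address. The sample headers and the trusted-terminator address 127.0.0.1 are constructed for illustration.

```python
"""Strict receiver-side parser for the PROXY protocol v1 preamble.

Added example, not code from Hitch or Varnish.  Follows the v1 text format
from the PROXY protocol specification (HAProxy project); the sample headers
in __main__ are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

MAX_V1_LEN = 107  # upper bound on a valid v1 line, including the CRLF


@dataclass(frozen=True)
class ProxyInfo:
    family: str                    # "TCP4", "TCP6" or "UNKNOWN"
    src_ip: Optional[str] = None
    dst_ip: Optional[str] = None
    src_port: Optional[int] = None
    dst_port: Optional[int] = None


class ProxyHeaderError(ValueError):
    """Raised for anything that is not a well-formed v1 header."""


def _port(field: str) -> int:
    if not field.isdigit():
        raise ProxyHeaderError(f"bad port {field!r}")
    value = int(field)
    if value > 65535:
        raise ProxyHeaderError(f"port out of range: {value}")
    return value


def _addr(field: str, family: str) -> str:
    # The address family announced in the header must match the literal.
    cls = ipaddress.IPv4Address if family == "TCP4" else ipaddress.IPv6Address
    try:
        return str(cls(field))
    except ValueError:
        raise ProxyHeaderError(f"{family} address expected, got {field!r}") from None


def parse_proxy_v1(data: bytes) -> Tuple[ProxyInfo, bytes]:
    """Split `data` into the parsed PROXY line and the payload after it.

    On any deviation from the format the receiver must drop the connection
    rather than guess: a truncated or oversized preamble is exactly what a
    client trying to smuggle a forged address would send.
    """
    if not data.startswith(b"PROXY "):
        raise ProxyHeaderError("missing PROXY signature")
    end = data.find(b"\r\n", 0, MAX_V1_LEN)   # CRLF must lie within 107 bytes
    if end < 0:
        raise ProxyHeaderError("no CRLF within the first 107 bytes")
    try:
        fields = data[:end].decode("ascii").split(" ")
    except UnicodeDecodeError:
        raise ProxyHeaderError("non-ASCII byte in header") from None
    rest = data[end + 2:]
    if fields[1] == "UNKNOWN":
        # Unsupported transport on the sender side: the spec says to ignore
        # the rest of the line and fall back to the TCP peer address.
        return ProxyInfo("UNKNOWN"), rest
    if fields[1] not in ("TCP4", "TCP6") or len(fields) != 6:
        raise ProxyHeaderError(f"malformed header: {fields!r}")
    _, family, src, dst, sport, dport = fields
    info = ProxyInfo(family, _addr(src, family), _addr(dst, family),
                     _port(sport), _port(dport))
    return info, rest


def client_endpoint(peer_ip: str, data: bytes,
                    trusted_terminators: FrozenSet[str]
                    ) -> Tuple[str, Optional[int], bytes]:
    """Decide which address to report as the client (what VCL calls client.ip).

    Only a connection from a known TLS terminator may carry a PROXY line.
    Any other peer is treated as a direct client: its bytes are passed through
    untouched, so typing "PROXY TCP4 ..." at the listener gains it nothing.
    """
    if peer_ip not in trusted_terminators:
        return peer_ip, None, data
    info, rest = parse_proxy_v1(data)
    if info.family == "UNKNOWN":
        return peer_ip, None, rest
    return info.src_ip, info.src_port, rest


if __name__ == "__main__":
    trusted = frozenset({"127.0.0.1"})          # assumption: Hitch on localhost
    hitch_bytes = b"PROXY TCP4 192.168.0.1 192.168.0.11 56324 443\r\nGET / HTTP/1.1\r\n"
    print(client_endpoint("127.0.0.1", hitch_bytes, trusted))
    # Same bytes from an untrusted peer are not interpreted as a PROXY line.
    print(client_endpoint("10.0.0.9", hitch_bytes, trusted))
    try:
        parse_proxy_v1(b"PROXY TCP4 192.168.0.1 192.168.0.11 56324 70000\r\n")
    except ProxyHeaderError as exc:
        print("rejected:", exc)
```

The parser is deliberately intolerant: the spec allows the receiver to use a single read for the preamble and requires it to abort on anything malformed, and the family check (an IPv6 literal in a TCP4 header is an error) closes the gap that lenient `split()`-based parsers leave open. In a Varnish deployment the equivalent of the trust check is binding the `PROXY` listener to an address only Hitch can reach.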
9. Run-time reloads
● New in Hitch
● Seamlessly load new certificates and listen endpoints without interrupting service
● Hitch re-reads its config on SIGHUP, which is what the init script's reload target sends:
# service hitch reload
10. Performance
● In short: very good
● Scales with any (reasonable) number of CPU cores
● Up to 3000 new connections per second per core (“SSL accelerator” cards not needed)
● Fills 10Gbit ethernet without much effort
● Tested with 500K certificates
12. TLS to the backend
● Built into Varnish Cache Plus from 4.0.3r3 (June 2015)
● Add “.ssl = 1” to the backend definition to use TLS
● SNI on by default.
● Other options: disable SNI and certificate checking.
○ Disabling certificate checking keeps the encryption but drops authentication of the backend, so anyone on the path can impersonate it; leave it on unless you understand why it fails
14. Backend performance test
● nginx backend with TLS on a 10Gb LAN
● wrk run against a local Varnish
● Focus on latency, not throughput
18. Backend TLS performance
● On a LAN: costly, but still very fast
● On a WAN: smaller differences, but the extra round trips of the TLS handshake slow down the first request
● Once established, the TLS connections are fast
20. Summary
● You can do TLS both to the client and to the backend with Varnish Plus
● All components are supported in Plus.
● Performance is high.