How To Enable HTTPS for Varnish Cache using Hitch on CentOS/RHEL 8?

Serving a site over HTTPS is the baseline for protecting your users' traffic, but Varnish Cache does not terminate TLS itself. The usual way to add HTTPS is to put Hitch, a lightweight TLS proxy maintained by the Varnish project, in front of it: Hitch terminates TLS on port 443 and forwards plain HTTP to Varnish on the loopback interface, so Varnish keeps doing what it is good at (caching) and never handles private keys.

In this article, we will guide you through the process of enabling HTTPS for Varnish Cache using Hitch on CentOS/RHEL 8.

Prerequisites

Before we begin, ensure that you have the following

  • A CentOS/RHEL 8 server

  • Root access to the server

  • Varnish Cache and Hitch installed

  • A valid SSL/TLS certificate, its intermediate chain and the matching private key

If you don't have Varnish Cache and Hitch installed, install them now. Varnish comes from the AppStream repository, while Hitch is packaged in EPEL, so enable that first

sudo dnf install epel-release
sudo dnf install varnish hitch

Step 1: Configuring Hitch

First, configure Hitch to terminate TLS on port 443 and forward the decrypted traffic to Varnish. The package already installs /etc/hitch/hitch.conf; replace its contents with the directives below (or edit the matching ones in place).

Open the file in your favorite text editor

sudo nano /etc/hitch/hitch.conf

Add the following content to the file

# Listen on port 443 on every address (IPv4 and IPv6)
frontend = "[*]:443"

# Forward decrypted requests to Varnish on the loopback interface
backend = "[::1]:6081"

# One file holding the private key, the certificate and the chain
pem-file = "/path/to/your/certificate.pem"

# Drop root privileges once port 443 is bound and the key is loaded
user = "hitch"
group = "hitch"

Because the backend connection is plain HTTP, Varnish will see every request as coming from ::1. If your VCL relies on client.ip for ACLs or logging, use the PROXY protocol instead (write-proxy-v2 = on in Hitch and a listener with the ,PROXY suffix in Varnish), which passes the real client address along.

Replace /path/to/your/certificate.pem with the path to a single PEM file that contains the private key, the server certificate and any intermediate certificates concatenated (for example the Let's Encrypt privkey.pem followed by fullchain.pem); Hitch does not take the key and certificate as separate files. Because the file holds the private key, keep it owned by root and not readable by other users (mode 0600, or 0640 with group hitch if you rely on SIGHUP reloads).

Save and close the file.

Step 2: Configuring Varnish Cache

Next, make sure Varnish listens on the address Hitch forwards to. Where that is configured depends on the package. The Varnish 6.x module in the CentOS/RHEL 8 AppStream repository does not ship /etc/varnish/varnish.params; its listen address is the -a argument on the ExecStart line of the systemd unit, which you override with a drop-in (run sudo systemctl edit varnish, add an empty ExecStart= to clear the packaged line, then a full ExecStart line with the -a value you want). The packaged default, -a :6081, already matches the Hitch backend above. Only the older Varnish 4 packages read /etc/varnish/varnish.params; if that file exists on your system, open it instead

sudo nano /etc/varnish/varnish.params

and set the port to match the backend configured in Hitch

# Listen on port 6081 (should match Hitch backend)
VARNISH_LISTEN_PORT=6081

Either way, remember that port 6081 is plain HTTP. Bind it to the loopback address (-a 127.0.0.1:6081 in the unit, or VARNISH_LISTEN_ADDRESS=127.0.0.1 in varnish.params) or block it in the firewall; otherwise clients can talk to Varnish directly and bypass TLS entirely.

Save and close the file.

Step 3: Restart Services

Finally, restart the Hitch and Varnish Cache services to apply the new configurations

sudo systemctl restart hitch
sudo systemctl restart varnish

Enable the services to start automatically on boot

sudo systemctl enable hitch
sudo systemctl enable varnish
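The three steps above, collected into one script as an added example; it is not from the original article and not Hitch's or Varnish's own tooling. It goes a little beyond the minimal configuration: it renders a hitch.conf that uses the PROXY protocol so Varnish sees real client addresses and the negotiated ALPN protocol, writes the systemd drop-in that the Varnish 6 package on RHEL 8 uses instead of varnish.params (binding plain HTTP to loopback only), refuses to continue if the PEM bundle does not contain both a key and a certificate, and validates both configurations before enabling the services. The bundle path, the [::1]:8443 PROXY listener, the 256m malloc storage and the firewalld service are assumptions; run it as root with the argument apply.

```shell
#!/usr/bin/env bash
# Added example (not from the original article): render and apply the Hitch and
# Varnish configuration for a PROXY-protocol setup on CentOS/RHEL 8.
set -eu

PEM_FILE="${PEM_FILE:-/etc/hitch/example.com.pem}"   # assumed bundle path
VARNISH_PROXY_ADDR="[::1]:8443"                       # assumed PROXY listener

# Hitch terminates TLS and forwards to Varnish's PROXY listener, so Varnish
# sees the real client address and the ALPN protocol Hitch negotiated.
render_hitch_conf() {
    local pem="$1" backend="$2"
    cat <<EOF
frontend = "[*]:443"
backend = "$backend"
pem-file = "$pem"
# Hand Varnish the client IP and ALPN result via PROXY protocol v2
write-proxy-v2 = on
# Drop privileges after binding port 443 and reading the key
user = "hitch"
group = "hitch"
tls-protos = TLSv1.2 TLSv1.3
alpn-protos = "h2, http/1.1"
EOF
}

# Varnish 6.x on RHEL 8 has no varnish.params; override ExecStart instead.
# Plain HTTP stays on loopback so nothing can bypass Hitch from outside.
render_varnish_dropin() {
    local proxy_addr="$1"
    cat <<EOF
[Service]
ExecStart=
ExecStart=/usr/sbin/varnishd -a 127.0.0.1:6081 -a ${proxy_addr},PROXY -p feature=+http2 -f /etc/varnish/default.vcl -s malloc,256m
EOF
}

# Hitch needs key + certificate (+ chain) in one file; refuse anything else.
# Returns 0 when both PEM markers are present, 1 otherwise.
pem_bundle_ok() {
    local f="$1"
    grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$f" || return 1
    grep -q -- '-----BEGIN CERTIFICATE-----' "$f" || return 1
    return 0
}

apply() {
    pem_bundle_ok "$PEM_FILE" || { echo "$PEM_FILE lacks key or cert" >&2; exit 1; }
    chmod 600 "$PEM_FILE"
    render_hitch_conf "$PEM_FILE" "$VARNISH_PROXY_ADDR" > /etc/hitch/hitch.conf
    mkdir -p /etc/systemd/system/varnish.service.d
    render_varnish_dropin "$VARNISH_PROXY_ADDR" \
        > /etc/systemd/system/varnish.service.d/override.conf
    # Fail here, before touching running services, if either config is broken
    hitch --test --config=/etc/hitch/hitch.conf
    varnishd -C -f /etc/varnish/default.vcl >/dev/null
    systemctl daemon-reload
    systemctl enable --now varnish hitch
    firewall-cmd --permanent --add-service=https && firewall-cmd --reload
}

if [ "${1:-}" = "apply" ]; then apply; fi
```

The render functions print to stdout, so you can review the generated files (render_hitch_conf /etc/hitch/example.com.pem "[::1]:8443") before running apply.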

Security Enhancements

Use a Certificate Authority (CA)

Instead of using a self-signed SSL/TLS certificate, use one issued by a trusted Certificate Authority (CA). Browsers will otherwise show a full-page warning, and users who click through it get no protection against an attacker presenting their own self-signed certificate.

You can buy a certificate from a commercial CA or get one for free from Let's Encrypt. Whichever you use, remember that Hitch reads a single combined PEM file: after each renewal, regenerate that file from the new key and chain and reload Hitch, or the old certificate will keep being served until it expires.

Implement HSTS

HTTP Strict Transport Security (HSTS) is a response header that tells browsers to reach your site only over HTTPS for the stated period. Hitch cannot set it: Hitch terminates TLS and forwards the bytes, it does not parse or modify HTTP, and it has no hsts options. What does belong in /etc/hitch/hitch.conf is the TLS hardening, which limits the protocol versions and the TLS 1.2 cipher suites Hitch will negotiate

# Accept only TLS 1.2 and 1.3 (no TLS 1.0/1.1)
tls-protos = TLSv1.2 TLSv1.3
# TLS 1.2 cipher list in OpenSSL syntax (TLS 1.3 suites use ciphersuites)
ciphers = "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"
prefer-server-ciphers = on

The HSTS header itself is added by Varnish, in vcl_deliver of /etc/varnish/default.vcl

# Tell browsers to use HTTPS for one year, including subdomains
sub vcl_deliver {
   set resp.http.Strict-Transport-Security = "max-age=31536000; includeSubDomains";
}

Start with a short max-age while testing. Once browsers have seen the header they will refuse plain-HTTP access to the domain and, with includeSubDomains, to every subdomain until it expires, and do not add preload until the whole site is ready for the HSTS preload list.

Implement OCSP Stapling

With OCSP stapling, Hitch attaches a recent, CA-signed statement of its certificate's revocation status to the TLS handshake, so clients do not have to query the CA's OCSP responder themselves; that saves a round trip and stops the CA from learning which sites each client visits. Hitch 1.4 and later fetches the response from the OCSP URL embedded in the certificate on its own and caches it in ocsp-dir, which must be writable by the hitch user (create the directory and give it to that user before restarting). Add the following to your Hitch configuration

# Enable OCSP stapling (directory must be writable by the hitch user)
ocsp-dir = "/var/lib/hitch/ocsp"
# Verify the fetched response's signature before stapling it
ocsp-verify = on

Performance Optimizations

Enable HTTP/2

HTTP/2 improves page load performance through multiplexing and header compression (Varnish does not implement server push). Hitch negotiates the protocol with the client through ALPN; add the following line to /etc/hitch/hitch.conf, quoting the list

# Offer HTTP/2 first, fall back to HTTP/1.1
alpn-protos = "h2, http/1.1"

Two things must also hold on the Varnish side, or clients that negotiate h2 will get connection errors: Varnish must be started with -p feature=+http2 (HTTP/2 is off by default), and Hitch must be able to tell Varnish that h2 was negotiated, which is what the PROXY protocol v2 carries (write-proxy-v2 = on in Hitch and a ,PROXY listener in Varnish).
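The three settings above (TLS version limits with HSTS, OCSP stapling, ALPN for HTTP/2) are easy to get silently wrong, so here is a post-deployment check as an added example; it is not part of the original article. It runs openssl s_client and curl against the front end (the host name example.com is an assumption) and parses their output: the negotiated TLS version, the ALPN protocol Hitch chose, whether an OCSP response was stapled, whether TLS 1.1 is refused, and whether the Strict-Transport-Security header Varnish adds has a max-age of at least a year with includeSubDomains. The parsers read stdin, so they can also be pointed at captured transcripts.

```shell
#!/usr/bin/env bash
# Added example (not from the original article): verify TLS versions, ALPN,
# OCSP stapling and HSTS on a Hitch/Varnish front end.
set -eu

HOST="${HOST:-example.com}"   # assumed public name of the Hitch front end

# Raw handshake transcript from openssl s_client (needs network access).
tls_probe() {
    local host="$1" port="${2:-443}"
    openssl s_client -connect "$host:$port" -servername "$host" \
        -alpn h2,http/1.1 -status </dev/null 2>/dev/null
}

# Negotiated TLS version from an s_client transcript ("Protocol  : TLSv1.3").
tls_version() { awk -F': *' '/^ *Protocol *:/ {print $2; exit}'; }

# ALPN protocol the server picked ("ALPN protocol: h2"), or "none".
alpn_selected() {
    awk '/^ALPN protocol:/ {print $3; found=1; exit}
         END {if (!found) print "none"}'
}

# Exit 0 if the transcript shows a successfully stapled OCSP response.
ocsp_stapled() { grep -q 'OCSP Response Status: successful'; }

# Validate a Strict-Transport-Security header in `curl -sI` output:
# present, max-age >= 1 year, includeSubDomains set.
hsts_ok() {
    local hdr max
    hdr=$(grep -i '^strict-transport-security:' | head -n1 \
          | tr -d '\r' | tr 'A-Z' 'a-z') || true
    [ -n "$hdr" ] || return 1
    max=$(printf '%s' "$hdr" | sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p')
    [ -n "$max" ] && [ "$max" -ge 31536000 ] || return 1
    printf '%s' "$hdr" | grep -q 'includesubdomains'
}

run_checks() {
    local t
    t=$(tls_probe "$HOST")
    printf 'TLS version: %s\n' "$(printf '%s\n' "$t" | tls_version)"
    printf 'ALPN: %s\n' "$(printf '%s\n' "$t" | alpn_selected)"
    if printf '%s\n' "$t" | ocsp_stapled; then echo "OCSP: stapled"
    else echo "OCSP: NOT stapled"; fi
    if curl -sI "https://$HOST/" | hsts_ok; then echo "HSTS: ok"
    else echo "HSTS: missing, too short or without includeSubDomains"; fi
    # tls-protos = TLSv1.2 TLSv1.3 must make this handshake fail
    if openssl s_client -connect "$HOST:443" -tls1_1 </dev/null >/dev/null 2>&1
    then echo "WARNING: TLS 1.1 accepted"; else echo "TLS 1.1: refused"; fi
}

if [ "${1:-}" = "run" ]; then run_checks; fi
```

Run it with the argument run after every certificate renewal and Hitch upgrade; an OCSP line reading "NOT stapled" right after a restart usually just means Hitch has not fetched its first response yet, so repeat the check a minute later before investigating.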

Cache Static Content

Caching static content such as images, CSS and JavaScript can significantly improve performance, because these files rarely vary per user. Add the following to /etc/varnish/default.vcl (keep the vcl 4.1; declaration and the backend definition that are already at the top of that file)

# Cache static content for 1 day
sub vcl_recv {
   if (req.url ~ "\.(jpg|jpeg|gif|png|bmp|ico|pdf|flv|swf|css|js)(\?.*|)$") {
      # Cookies would make every request unique; static files do not need them
      unset req.http.Cookie;
      # Drop the query string so /app.css?x and /app.css share one object
      set req.url = regsub(req.url, "\?.*$", "");
      # Flag the request so vcl_backend_response can recognize it
      set req.http.static = "YES";
      if (req.method == "GET") {
         return (hash);
      }
      return (pass);
   }
}

sub vcl_backend_response {
   if (bereq.http.static == "YES") {
      # Override the origin's Cache-Control for flagged static objects
      set beresp.ttl = 1d;
   }
}

Two caveats. Dropping the query string means assets that use it for cache busting (/app.js?v=2) keep serving the previous version for a day, so remove the regsub line if your site does that. And because the rule returns (hash) before the built-in vcl_recv runs, it skips the built-in check that passes requests carrying an Authorization header; make sure nothing private can be reached under a path with one of these extensions, or a response to one user's authenticated request could be cached and served to everyone.

Monitoring Performance

Monitor the setup with the tools each component provides. Varnish ships varnishstat for counters (MAIN.cache_hit and MAIN.cache_miss give the hit ratio, MAIN.sess_conn and MAIN.client_req the load) and varnishlog for per-request detail

varnishstat
varnishlog

Hitch has no statistics tool of its own. It reports startup errors, certificate problems and handshake failures through syslog or stderr, both of which end up in the journal under systemd, so read its log with

journalctl -u hitch -f

Together these show whether traffic is actually flowing through Hitch, how well the cache is performing and where to look when something fails.
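As an added example, not from the original article, here is a small check that turns the varnishstat counters above into the number you actually watch: the cache hit ratio. It reads the output of varnishstat -1 (constructed sample lines in the same format are used to exercise it), computes hits/(hits+misses) and exits non-zero when the ratio falls below a threshold, so it can run from cron or a monitoring agent. The 80 percent threshold is an assumption.

```shell
#!/usr/bin/env bash
# Added example (not from the original article): cache hit ratio from
# `varnishstat -1` output, with an alert threshold.
set -eu

THRESHOLD="${THRESHOLD:-80}"   # assumed minimum acceptable hit ratio, percent

# Print the hit ratio (integer percent) for the counter lines on stdin.
# varnishstat -1 prints "NAME VALUE RATE DESCRIPTION"; match names exactly
# so MAIN.cache_hitpass and MAIN.cache_hitmiss are not counted.
hit_ratio() {
    awk '$1 == "MAIN.cache_hit"  { h = $2 }
         $1 == "MAIN.cache_miss" { m = $2 }
         END { if (h + m == 0) print 0; else printf "%d\n", (100 * h) / (h + m) }'
}

# Exit 0 if the ratio on stdin is at least the given percentage.
hit_ratio_ok() {
    local r
    r=$(hit_ratio)
    [ "$r" -ge "$1" ]
}

if [ "${1:-}" = "run" ]; then
    if varnishstat -1 | hit_ratio_ok "$THRESHOLD"; then
        echo "cache hit ratio ok"
    else
        echo "cache hit ratio below ${THRESHOLD}%" >&2
        exit 2
    fi
fi
```

A low ratio right after a restart is expected (the cache starts empty); a persistently low one on a mostly static site usually means cookies or query strings are defeating the static-content rule above.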

Conclusion

By following this guide, you have successfully enabled HTTPS for Varnish Cache using Hitch on CentOS/RHEL 8. This setup offloads SSL/TLS processing to Hitch while maintaining Varnish's caching benefits. Remember to keep your SSL/TLS certificates up-to-date and monitor performance regularly to ensure optimal security and performance.

Updated on: 2026-03-17T09:01:38+05:30
