我按照以下方式设置了我的Varnish服务器:
backend web1 {.host = "XXX.XXX.XXX.XXX"; .port = "80";}
backend web2 {.host = "XXX.XXX.XXX.XXX"; .port = "80";}
backend web3 {.host = "XXX.XXX.XXX.XXX"; .port = "80";}
backend web1_ssl {.host = "XXX.XXX.XXX.XXX"; .port = "443";}
backend web2_ssl {.host = "XXX.XXX.XXX.XXX"; .port = "443";}
backend web3_ssl {.host = "XXX.XXX.XXX.XXX"; .port = "443";}
director default_director round-robin {
{ .backend = web1; }
{ .backend = web2; }
{ .backend = web3; }
}
director ssl_director round-robin {
{ .backend = web1_ssl; }
{ .backend = web2_ssl; }
{ .backend = web3_ssl; }
}
# Respond to incoming requests.
sub vcl_recv {
# Set the director to cycle between web servers.
set req.grace = 120s;
if (req.http.X-Forwarded-Proto == "https" ) {
set req.http.X-Forwarded-Port = "443";
set req.backend = ssl_director;
} else {
set req.http.X-Forwarded-Port = "80";
set req.http.X-Forwarded-Proto = "http";
set req.backend = default_director;
}
...
}
如果我在浏览器中点击我的IP地址(没有SSL),但是如果我启用Pound(下面的配置),这是完美的:
ListenHTTPS
Address XXX.XXX.XXX.XXX #Local IP of the VarnishWebServer
Port 443
Cert "/etc/apache2/ssl/apache.pem"
AddHeader "X-Forwarded-Proto: https"
HeadRemove "X-Forwarded-Proto"
Service
BackEnd
Address 127.0.0.1
Port 80
End
End
结束
我得到503每次尝试点击本地IP地址(来自varnishlog -0):
11 RxURL c /favicon.ico
11 RxProtocol c HTTP/1.1
11 RxHeader c Host: XXX.XXX.XXX (Varnish Server IP Address)
11 RxHeader c Connection: keep-alive
11 RxHeader c Accept: */*
11 RxHeader c User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1700.107 Safari/537.36
11 RxHeader c Accept-Encoding: gzip,deflate,sdch
11 RxHeader c Accept-Language: en-US,en;q=0.8
11 RxHeader c X-Forwarded-Proto: https
11 RxHeader c X-SSL-cipher: DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(128) Mac=AEAD
11 RxHeader c X-Forwarded-For: XXX.XXX.XXX.XXX (My Local machine IP)
11 VCL_call c recv lookup
11 VCL_call c hash
11 Hash c /favicon.ico
11 Hash c 198.61.252.81
11 VCL_return c hash
11 VCL_call c miss fetch
11 Backend c 14 ssl_director web2_ssl
11 FetchError c http read error: -1 0 (Success)
11 VCL_call c error deliver
11 VCL_call c deliver deliver
11 TxProtocol c HTTP/1.1
11 TxStatus c 503
11 TxResponse c Service Unavailable
11 TxHeader c Server: Varnish
...
11 ReqEnd c 1175742305 1391779282.930887222 1391779282.934647560 0.000097752 0.003678322 0.000082016
11 SessionClose c error
我看了我的http听众,我看到了:
root@machine:/etc/apache2/ssl# lsof -i -n|grep http
pound 7947 www-data 5u IPv4 63264 0t0 TCP XXX.XXX.XXX.XXXX:https (LISTEN)
pound 7948 www-data 5u IPv4 63264 0t0 TCP XXX.XXX.XXX.XXXX:https (LISTEN)
varnishd 8333 nobody 7u IPv4 64977 0t0 TCP *:http (LISTEN)
varnishd 8333 nobody 8u IPv6 64978 0t0 TCP *:http (LISTEN)
varnishd 8333 nobody 13u IPv4 65029 0t0 TCP XXX.XXX.XXX.XXXX:37493- >YYYY.YYYY.YYYY.YYYY3:http (CLOSE_WAIT)
apache2 19433 root 3u IPv4 31020 0t0 TCP *:http-alt (LISTEN)
apache2 19438 www-data 3u IPv4 31020 0t0 TCP *:http-alt (LISTEN)
apache2 19439 www-data 3u IPv4 31020 0t0 TCP *:http-alt (LISTEN)
pound 19669 www-data 5u IPv4 31265 0t0 TCP 127.0.0.1:https (LISTEN)
pound 19670 www-data 5u IPv4 31265 0t0 TCP 127.0.0.1:https (LISTEN)
XXX.XXX.XXX.XXX是清漆的WebServer的内部IP地址,YYYY.YYYY.YYYY.YYY是VCL中定义的后端系统之一的IP地址。
知道为什么我会继续获得503s吗?
更新
如上所述,Varnish不支持SSL,因此使用Pound可以将流量从443传输到80,但是当它完成时 - 它不能使用端口443(ssl_diretector)来为流量提供服务。删除ssl_director并使default_director成为主要的,完美地工作。
答案 0 :(得分:4)
Varnish的后端请求不支持HTTPS - Varnish和Apache之间的任何通信都必须是普通的HTTP。
我发现最有效的方法是将Apache配置为在端口443上说普通HTTP。这允许Apache生成正确的URL,例如何时需要重定向浏览器。
以下是配置它的方法:
# Listen on port 443, but speak plain HTTP
Listen X.X.X.X:443 http
# Setting HTTPS=on is helpful for ensuring correct behavior of scripting
# languages such as PHP
SetEnvIf X-Forwarded-Proto "^https$" HTTPS=on
<VirtualHost X.X.X.X:443>
# Specifying "https://" in the ServerName ensures that whenever
# Apache generates a URL, it uses "https://your.site.com/" instead
# of "http://your.site.com:443/"
ServerName https://your.site.com
</VirtualHost>
您当然需要从Apache配置中删除任何mod_ssl指令。