1

There are many questions and answers here about how to best order the flow of traffic between Varnish and HAProxy to a backend web server. Many of these posts are very old and recommend that Varnish be placed between HAProxy and the web server. Primarily because Varnish does not support TLS.

Now that we have Hitch, I wonder if that's still the best approach. One of the goals is simplicity with as little moving parts as possible. I'd be okay sacrificing some performance in the name of simplicity.

My proposed solution is to put HAProxy between Varnish and the web server and offloading TLS to Hitch. [Diagram below].

varnish-hitch-haproxy-flow

Unencrypted HTTP traffic is handled by Varnish. HTTPS is handled by Hitch, which passes it over to Varnish using a dedicated port. Varnish sends any misses off to HAProxy to load balance between the web servers.

In the simplest form I have all the services on a single machine. If I wanted to scale up, I would create additional machines with the same setup and either share an IP between them, or use DNS round-robin. Or do both.

I'd like some feedback on this approach. Would it still better to use HAProxy in front? If so why and how.

Tuaris
  • 71
  • 2
  • 13

1 Answers1

2

Hitch

Hitch is still very much the way to go, because Hitch is so lightweight: its only job is to terminate TLS. Hitch doesn't even speak HTTP, it doesn't need to.

At Varnish Software, we can easily process more than 100 Gbps on a single Varnish node.

You can host Hitch on the same server as your Varnish and if you use Varnish 6, you can connect Hitch to Varnish using Unix Domain Sockets.

Please also make sure you enable the PROXY protocol on both Hitch and Varnish. This will ensure the original client IP is automatically added to the X-Forwarded-For header.

Enabling PROXY protocol support in Varnish combined with UDS is done by adding the following listening port to Varnish: -a /var/run/varnish.sock,PROXY,user=varnish,group=varnish,mode=666.

Enabling PROXY protocol support in Hitch is done through the following Hitch configuration: write-proxy-v2=on. A UDS connection to Varnish is made as follows in the Hitch configuration: backend=/var/run/varnish.sock.

HAProxy

However, I wouldn't add HAProxy because it adds extra complexity, and maybe just a little bit of overhead: Varnish is capable of intelligently loadbalancing traffic to the origin web servers.

Have a look at https://varnish-cache.org/docs/6.0/reference/vmod_generated.html#vmod-directors to learn about directors, which is Varnish's loadbalancing component.

If you define health probes on your different Varnish backends (in the VCL file), Varnish will know which ones are healthy and which ones aren't. You can dan use directors to do the following kinds of loadbalancing:

  • Round robin
  • Random
  • Fallback
  • Hashing
  • Sharding

Varnish will only consider directing traffic to a webserver which is healthy, given the chosen loadbalancing algorith.

Unless you have specific reasons to work with an extra loadbalancer in front of your webservers, just use Varnish's director feature.

Community
  • 1
Thijs Feryn
  • 1,166
  • 4
  • 5