1

I'm having trouble getting a cache system to work with Joomla 3.x. This is especially a problem since the server should enforce HTTPS/TLS-connections.

The Joomla system runs on Apache2 on Debian Wheezy.

I've tried to setup Varnish but noticed Varnish can't terminate the TLS traffic, so I would need to route it back to Apache or HAProxy. But if I do that, Joomla will get confused with the request headers that are rewritten while the request is handed through all those layers and Joomla either ends stuck in a redirect loop or replies with server errors.

Is there a clean way to put a cache are even a load balancer in front of Joomla without those redirect problems that stem from the SSL termination happening on another server?

Izzy
  • 795
  • 2
  • 8
  • 31

1 Answers1

2

As you mentioned. while Varnish does not handle SSL it is possible to use a SSL termination proxy which passes to Varnish. The SSL termination proxy can add or remove headers and change ports so you should be able to create a flow that avoids redirect loops.

Popular SSL termination proxies are Pound, Stunel, Nginx and HAProxy. The range of features you require should determine which you use. Recent versions of Nginx and HAProxy enable you to use SPDY and after a quick search I would say that there are currently more up to date guides for using Nginx and Varnish than the other balancers.

For Nginx as a SSL termination proxy the following is commonly suggested:

server {
        listen 443 ssl;

        server_name example.com;
        ssl_certificate /etc/nginx/ssl/nginx.crt;
        ssl_certificate_key /etc/nginx/ssl/nginx.key;

        location / {
            proxy_pass http://127.0.0.1:80;
            proxy_set_header X-Real-IP  $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto https;
            proxy_set_header X-Forwarded-Port 443;
            proxy_set_header Host $host;
        }
}

This is taking SSL from port 443, decrypting and passing it on to localhost port 80 . It is adding the X-Forwarded-Proto https header which indicate that this is(was?) SSL traffic. The config also adds other other headers that help in reading logs etc.

With Varnish listening on localhost:80 it will process the request just like normal traffic, passing it to Apache & Joomla.

In Apache you will need SetEnvIfNoCase X-Forwarded-Proto https HTTPS=on.

All of this together should mean that Joomla figures out what is going on and behaves appropriately.

Taylor Taff
  • 463
  • 4
  • 9
  • Wonderful stuff, thank you, "SetEnvIfNoCase X-Forwarded-Proto https HTTPS=on" just saved me a lot of headache! I was looking at proxying the back-end back to HTTPS after going through Varnish, which I really didn't want to do! This is much better! Thanks. –  Mar 30 '17 at 01:31