Apache reverse proxy with varnish cache configuration

Tags: gateway, reverse-proxy, varnish

I have an Apache reverse proxy that is serving content from another site over the Internet. There is an SSL cert between the user and the proxy and between the proxy and the origin server.

Apache benchmark consistently takes twice as long to retrieve the site from the proxy as directly from the origin server. I'm wondering what cache I could set up to speed this up.

I was trying Varnish, but couldn't figure that out. I have this in as the proxy settings:

SSLProxyEngine On
<Proxy *>
    Order deny,allow
    Allow from all
</Proxy>
ProxyPass /.well-known !

ProxyPreserveHost On
SSLProxyVerify none
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
SSLProxyCheckPeerExpire off

ProxyPass / https://freakingips.wpengine.com/
ProxyPassReverse / https://freakingips.wpengine.com/

You can see the problem here is that ProxyPass is already used to direct to the origin server, but that configuration would need to be used for the Varnish cache, like so:

ProxyPass / http://127.0.0.1:80

So I'm wondering either how I can set Varnish up on this configuration, or what other caching service might be better in this instance.

Best Answer

I like to think of how a request will flow through each part of the setup from the client to the final destination.

Varnish doesn't talk HTTPS to backends (the proxied website) or to clients, so I think you should set things up in the following way for each request:

Client requests https://yours.example.com -> Apache SSL (this is required for SSL support with Varnish) -> Varnish (caching layer) -> Apache HTTP proxy (this will take care of fetching data from the remote server and "strip" SSL for Varnish to understand the data)

So you end up with one Apache instance which has two virtual hosts, composing the "sandwich" setup above.

1. Apache SSL termination

This is the Apache virtual host which will essentially proxy requests to Varnish. Provided that Varnish is kept on the default port (and this is totally fine), the essential bit here would be:

ProxyPass / http://127.0.0.1:6081

This virtual host listens on SSL port 443, so this is where you'll have things like SSLProxyEngine On, certificates, etc.

2. Varnish

In your VCL, you'd set up the backend with port 80.

3. Apache remote proxy

The final bit is interesting. This is where you will keep your existing directives:

ProxyPass / https://freakingips.wpengine.com/
ProxyPassReverse / https://freakingips.wpengine.com/

But you need to not only have Apache proxy the request to the remote server via HTTPS but also deliver it via HTTP. This virtual host must be HTTP-only (no SSL directives there).

I'm not an Apache expert, so Google might be your better friend : ) This thread seems to indicate that the ProxyRequests off directive is essential for HTTPS to HTTP proxying.
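
The "sandwich" described in the answer, written out as one Apache configuration with the origin certificate checks from the question's config switched back on. This is an added example, not part of the original question or answer; the certificate paths, the CA bundle path and the loopback bindings are assumptions, and yours.example.com is the answer's placeholder name.

```apache
# Added example; all file paths below are assumed and must match your system.

# 1. TLS termination: client -> Apache :443 -> Varnish on its default port 6081.
#    SSLEngine terminates client TLS here; SSLProxyEngine is only needed in the
#    vhost that speaks HTTPS to the origin (step 3).
<VirtualHost *:443>
    ServerName yours.example.com
    SSLEngine On
    SSLCertificateFile    /etc/ssl/certs/yours.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/yours.example.com.key

    ProxyRequests Off
    ProxyPreserveHost On
    # Kept from the question: do not proxy /.well-known
    ProxyPass /.well-known !
    ProxyPass        / http://127.0.0.1:6081/
    ProxyPassReverse / http://127.0.0.1:6081/
</VirtualHost>

# 2. Varnish: listen address set with varnishd -a (assumed here to be
#    127.0.0.1:6081 so the cache is not reachable directly), VCL backend
#    pointing at 127.0.0.1 port 80, which is the vhost below.

# 3. HTTP-only vhost on loopback: Varnish -> Apache :80 -> origin over HTTPS.
#    No SSLEngine here; only the outgoing (proxy) side uses TLS.
<VirtualHost 127.0.0.1:80>
    ServerName yours.example.com
    ProxyRequests Off
    ProxyPreserveHost On

    SSLProxyEngine On
    # Verify the origin instead of "SSLProxyVerify none" and
    # "SSLProxyCheckPeer* off": the traffic between proxy and origin crosses
    # the Internet, so an unverified peer can be impersonated on the path.
    SSLProxyVerify require
    SSLProxyVerifyDepth 3
    SSLProxyCACertificateFile /etc/ssl/certs/ca-certificates.crt
    SSLProxyCheckPeerName on
    SSLProxyCheckPeerExpire on

    ProxyPass        / https://freakingips.wpengine.com/
    ProxyPassReverse / https://freakingips.wpengine.com/
</VirtualHost>
```

If the origin handshake fails once verification is on, check which hostname the origin certificate covers and whether ProxyPreserveHost changes the name being requested, rather than turning the checks back off.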