Debian – Joomla behind caching server with SSL

Tags: cache, debian, joomla, proxy

I'm having trouble getting a cache system to work with Joomla 3.x. This is especially a problem since the server should enforce HTTPS/TLS-connections.

The Joomla system runs on Apache2 on Debian Wheezy.

I've tried to set up Varnish but noticed Varnish can't terminate the TLS traffic, so I would need to route it back to Apache or HAProxy. But if I do that, Joomla will get confused with the request headers that are rewritten while the request is handed through all those layers and Joomla either ends up stuck in a redirect loop or replies with server errors.

Is there a clean way to put a cache or even a load balancer in front of Joomla without those redirect problems that stem from the SSL termination happening on another server?

Best Answer

As you mentioned, while Varnish does not handle SSL it is possible to use an SSL termination proxy which passes to Varnish. The SSL termination proxy can add or remove headers and change ports so you should be able to create a flow that avoids redirect loops.

Popular SSL termination proxies are Pound, Stunnel, Nginx and HAProxy. The range of features you require should determine which you use. Recent versions of Nginx and HAProxy enable you to use SPDY and after a quick search I would say that there are currently more up-to-date guides for using Nginx and Varnish than the other balancers.

For Nginx as an SSL termination proxy the following is commonly suggested:

server {
        listen 443 ssl;

        server_name example.com;
        ssl_certificate /etc/nginx/ssl/nginx.crt;
        ssl_certificate_key /etc/nginx/ssl/nginx.key;

        location / {
            proxy_pass http://127.0.0.1:80;
            proxy_set_header X-Real-IP  $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto https;
            proxy_set_header X-Forwarded-Port 443;
            proxy_set_header Host $host;
        }
}

This is taking SSL from port 443, decrypting and passing it on to localhost port 80. It is adding the X-Forwarded-Proto https header which indicates that this is (was?) SSL traffic. The config also adds other headers that help in reading logs etc.

With Varnish listening on localhost:80 it will process the request just like normal traffic, passing it to Apache & Joomla.

In Apache you will need SetEnvIfNoCase X-Forwarded-Proto https HTTPS=on.

All of this together should mean that Joomla figures out what is going on and behaves appropriately.
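The redirect loop from the question and the effect of the X-Forwarded-Proto mapping from the answer, as an added Python model that is not part of the original answer. Function names and addresses are hypothetical, and the trusted-peer check is an extra assumption that goes beyond the answer's Apache directive.

```python
# Added illustration: models the nginx -> Varnish -> Apache/Joomla chain.
# All names and sample addresses here are hypothetical.

TRUSTED_PROXIES = {"127.0.0.1"}  # assumption: proxy and backend share one host


def backend_sees_https(peer_ip, headers, honor_forwarded_proto):
    """Decide whether the backend treats the request as HTTPS (HTTPS=on)."""
    if not honor_forwarded_proto:
        return False  # backend socket is always plain HTTP: TLS ended at nginx
    # Extra check, not in the answer: believe the header only from the proxy.
    if peer_ip not in TRUSTED_PROXIES:
        return False
    proto = {k.lower(): v for k, v in headers.items()}.get("x-forwarded-proto", "")
    return proto.lower() == "https"  # case-insensitive, like SetEnvIfNoCase


def app_response(peer_ip, headers, honor_forwarded_proto):
    """An application that enforces HTTPS: redirect unless HTTPS is on."""
    if backend_sees_https(peer_ip, headers, honor_forwarded_proto):
        return 200, None
    return 301, "https://example.com/"


def follow(client_scheme, honor_forwarded_proto, max_hops=5):
    """Follow redirects like a browser; return (status codes, looped?)."""
    statuses, scheme = [], client_scheme
    for _ in range(max_hops):
        # nginx adds X-Forwarded-Proto only on its 443 listener.
        headers = {"X-Forwarded-Proto": "https"} if scheme == "https" else {}
        status, location = app_response("127.0.0.1", headers, honor_forwarded_proto)
        statuses.append(status)
        if status == 200:
            return statuses, False
        scheme = location.split(":", 1)[0]
    return statuses, True


if __name__ == "__main__":
    print("header ignored:", follow("https", False))  # loops on 301
    print("header honored:", follow("https", True))   # 200 on first hop
    print("plain http    :", follow("http", True))    # one 301, then 200
```

The trusted-peer check matters when the backend port is reachable by anything other than the proxy, since the header is otherwise client-controlled.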
