Comment by time4tea

7 days ago

Just use the tool that does the job.

TLS in -> hitch or caddy
Cache -> varnish/vinyl
TLS out -> haproxy

Connect them up with Unix sockets, if you like.

Because the topic keeps coming up, I have now written the tutorial we should have had years ago: https://vinyl-cache.org/tutorials/tls_haproxy.html

  • Thanks for this. You don't mention hitch though. Is that now deprecated/discouraged?

    It hasn't seen much action in a while, but maybe that's cos it works?

    • FWIW, Varnish Software still maintains and supports hitch, but we can't say we see a bright future for it. Both the ergonomics and the performance of not being integrated into Varnish are pretty bad. It was the crutch we leaned on, as it was the best thing we could make available.

      I would recommend migrating off within a year or two.

    • haproxy supports both the offload (client) and onload (backend) use case. This is the main reason why I personally prefer it. I cannot comment on how well hitch works in comparison, because I have not used it for years.
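The layout time4tea sketches (TLS in, Varnish in the middle, TLS out, glued together with Unix sockets), written out as an added haproxy.cfg in which haproxy takes both the offload and the onload leg the last reply mentions. This is an example added here, not code from the thread, from Varnish Software, or from the linked tutorial; the socket paths, the origin hostname, the certificate and CA file names, and the user/group names are placeholders I chose.

```haproxy
# haproxy.cfg: TLS in (offload) and TLS out (onload) around a Varnish cache.
# Added example; paths, hostnames, users and certificate files are placeholders.

global
    log stdout format raw local0
    # Refuse anything below TLS 1.2 on every bind and server line below.
    ssl-default-bind-options ssl-min-ver TLSv1.2
    ssl-default-server-options ssl-min-ver TLSv1.2

defaults
    mode http
    log global
    option httplog
    timeout connect 5s
    timeout client 30s
    timeout server 30s

# --- TLS in: clients terminate here, Varnish gets plain HTTP over a socket.
frontend tls_in
    bind :443 ssl crt /etc/haproxy/certs/site.pem alpn h2,http/1.1
    # Overwrite, never trust, the client-supplied value.
    http-request set-header X-Forwarded-Proto https
    default_backend varnish_cache

backend varnish_cache
    # Varnish side (placeholder): -a /run/varnish/http.sock,PROXY,user=varnish,group=haproxy,mode=660
    # send-proxy-v2 hands Varnish the real client address over the socket.
    server varnish unix@/run/varnish/http.sock send-proxy-v2

# --- TLS out: Varnish talks plain HTTP to this socket, haproxy re-encrypts to the origin.
frontend from_varnish
    # Only the varnish user can open this socket, so accept-proxy is safe here;
    # the matching VCL backend is declared with .proxy_header = 2.
    bind unix@/run/haproxy/origin.sock user varnish group varnish mode 660 accept-proxy
    default_backend origin

backend origin
    # verify required + ca-file: do not silently accept any certificate the
    # origin presents. sni makes the origin serve the right certificate.
    server origin origin.example.com:443 ssl verify required ca-file /etc/ssl/certs/ca-certificates.crt sni str(origin.example.com) check
```

On the Varnish side the onload leg is reached with a backend declared by path rather than host/port, along the lines of `.path = "/run/haproxy/origin.sock"; .proxy_header = 2;`, so that haproxy's `accept-proxy` sees the original client address. The two security details worth keeping when adapting this: never weaken `verify required` on the origin server line to `verify none` just because the origin uses a private CA (point `ca-file` at that CA instead), and keep the socket modes at 660 with explicit owners so only the neighbouring daemon can connect to a socket that trusts PROXY headers.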