Inbound TLS for tier-1 varnish backend caches
Closed, Invalid | Public


We should have a TLS layer available for inbound connections to the tier-1 varnish backend caches. The clients are other varnish instances (cross-tier between backends). We could possibly expand this to cover local frontend->backend within a single datacenter later as well, but that case isn't as critical and can be looked at afterwards. Since we already have an nginx tlsproxy running on these hosts for inbound frontend traffic, the easiest path here is probably to configure it to support an additional, separate listening port which proxies into the varnish backend instead of the frontend.

It would be best in terms of conflict with future/unknown other plans if we adopt per-cluster port numbers for this, and avoid conflicting with port-numbering plans in T107236.

Event Timeline

BBlack created this task. Aug 17 2015, 3:55 PM
BBlack raised the priority of this task from to Medium.
BBlack updated the task description.
BBlack added projects: Traffic, HTTPS, acl*sre-team.
BBlack added subscribers: faidon, Matanya, gerritbot and 2 others.
BBlack moved this task from Triage to TLS on the Traffic board. Sep 30 2016, 1:44 PM
BBlack closed this task as Invalid. Sep 23 2020, 4:38 PM

There is no more varnish-be