Outbound HTTPS for varnish backend instances
Closed, InvalidPublic
Actions

Assigned To

None

Authored By

	BBlack
	Aug 17 2015, 4:10 PM

Description

We need the ability for varnish backends to make outbound HTTPS connections in at least two scenarios:

For tier-1 cross-DC applayer traffic (e.g. cp2001.codfw.wmnet -> appservers.svc.eqiad.wmnet) - we don't have any known other solution to secure this traffic on inter-DC links at this time.
For inter-tier varnish-be->varnish-be traffic: IPSec is currently protecting this, but HTTPS has the potential to be operationally-better and make the current IPSec deployment less-critical, or open us to ditching the current host-based IPSec and waiting on tunnels of some kind.

Known options for making this happen:

Deploy an stunnel configuration locally on the varnish machines.
- The idea here would be to deploy stunnel with a separately-configured tunnel instance for each defined varnish backend.
- Instead of simply backending to appservers.svc.eqiad.wmnet:80 today, it would backend to localhost:12345 (unique port assignment), which is an stunnel configured to connect to appservers.svc.eqiad.wmnet:443.
- There could be other alternatives similar to stunnel, but stunnel looks like a legit/default option here.
- Significant Con: Yet another piece of software in the request flow for reliability/debugging woes.
Patch varnish3 ourselves for outbound HTTPS
- Possibly using Amazon's s2n library, as it could be much simpler than using OpenSSL directly.
- Would deepen the amount of source-level customization we're doing with Varnish3 today, which is already a long-term problem for maintainability and tech debt.
- Patch would probably be significantly difficult. This is not lightweight patchwork. There are risks we could make varnish less stable, make a security-affecting mistake in the code, and/or make it much more difficult to continue merging in upstream 3.0.x fixes.
Upgrade to Varnish4, and then create our own custom director module for outbound HTTPS
- Varnish4 does this already in the commercial Plus variant, but not open source. We could do the same, as open source.
- It's sad to redundantly re-do the upstream closed-source work here, but as a module in varnish4 it would be significantly cleaner than hacking it into varnish3.
- Depends on Varnish4 upgrade, which is significantly difficult and off in the Future for now, and may not ever happen if we find an alternative first.
Upgrade to something non-Varnish that supports outbound TLS out of the box:
- e.g. ATS: T96853
- As with the above, this is neither near-term nor easy

Related Objects
Search...

Status	Assigned	Task
Resolved	• ema	T108580 HTTPS for internal service traffic
Invalid	None	T109325 Outbound HTTPS for varnish backend instances
Resolved	• ema	T131499 Upgrade all cache clusters to Varnish 4
Resolved	• ema	T126206 Upgrade to Varnish 4: things to remember
Resolved	• ema	T128788 Port varnishlog.py to new VSL API
Resolved	• ema	T131353 Port remaining scripts depending on varnishlog.py to new VSL API
Resolved	• ema	T131501 Convert misc cluster to Varnish 4
Resolved	• ema	T134989 WDQS empty response - transfer clsoed with 15042 bytes remaining to read
Resolved	• ema	T131502 Convert upload cluster to Varnish 4
Resolved	BBlack	T131761 Solve large-object/stream/pass/chunked in upload cluster better
Resolved	• ema	T142076 Analyze Range requests on cache_upload frontend
Resolved	• ema	T142233 Varnish 4 stalls with two consecutive Range requests using HTTP persistent connections
Resolved	• ema	T131503 Convert text cluster to Varnish 4
Resolved	BBlack	T135696 Sort out vcl_deliver vs vcl_synth mess with v4 VCL
Resolved	• ema	T150660 Post Varnish 4 migration cleanup

Event Timeline

BBlack created this task.Aug 17 2015, 4:10 PM

BBlack raised the priority of this task from to Medium.

BBlack updated the task description. (Show Details)

BBlack added projects: Traffic, HTTPS, acl*sre-team.

BBlack added subscribers: faidon, Matanya, gerritbot and 2 others.

BBlack updated the task description. (Show Details)Aug 17 2015, 4:13 PM

BBlack set Security to None.

Updates on some exploration of option (2) above (actually looking at the varnish code and the APIs we'd be using in detail):

s2n - nice API, would be the simplest/cleanest option - not ready for us to use yet (client-side, client cert, cert-checking in general, configurability...)
GnuTLS - better than OpenSSL as an API choice, but like OpenSSL would be a significant chunk of work and code to review
OpenSSL - nice in that we have to maintain/care about fewer crypto libs, since we already use this for nginx. Slightly worse than the above for clean implementation...

At this point, I'm leaning towards doing a trial (perhaps incomplete, but proof-of-concept) patch for GnuTLS and seeing how that goes. I don't think we can wait on Varnish4/ATS to fix these problems, so options 3/4 aren't realistic in the near term. Option 1 (stunnel) is still on the table, depending on how well the patching work goes.

Raj_hunt added a subscriber: Raj_hunt.Sep 26 2015, 5:31 PM

Dzahn moved this task from Backlog to Big Picture on the HTTPS board.Dec 4 2015, 8:44 PM

Updates from the passage of time:

Varnish4 is happening and is a realistic blocker (for lots of things) these days, so we're almost certainly looking at something like option 3 (vmod for varnish4) at this point, whenever we can get back around to this.

• ema added a subscriber: • ema.Feb 26 2016, 12:05 PM

• ema added a project: Varnish.Apr 1 2016, 1:37 PM

Southparkfan awarded a token.Apr 12 2016, 9:45 PM

Southparkfan added a subscriber: Southparkfan.

BBlack added a subtask: T131499: Upgrade all cache clusters to Varnish 4.May 4 2016, 4:36 PM

BBlack added a project: codfw-rollout.May 4 2016, 4:50 PM

BBlack moved this task from Triage to TLS on the Traffic board.Sep 30 2016, 1:44 PM

• ema closed subtask T131499: Upgrade all cache clusters to Varnish 4 as Resolved.Nov 24 2016, 3:07 PM

• Phabricator_maintenance moved this task from Backlog to Acknowledged on the SRE board.Jan 26 2019, 8:15 PM

There is no more varnish-be