Outbound HTTPS for varnish backend instances
Open, NormalPublic
Actions

Description

We need the ability for varnish backends to make outbound HTTPS connections in at least two scenarios:

For tier-1 cross-DC applayer traffic (e.g. cp2001.codfw.wmnet -> appservers.svc.eqiad.wmnet) - we don't have any known other solution to secure this traffic on inter-DC links at this time.
For inter-tier varnish-be->varnish-be traffic: IPSec is currently protecting this, but HTTPS has the potential to be operationally-better and make the current IPSec deployment less-critical, or open us to ditching the current host-based IPSec and waiting on tunnels of some kind.

Known options for making this happen:

Deploy an stunnel configuration locally on the varnish machines.
- The idea here would be to deploy stunnel with a separately-configured tunnel instance for each defined varnish backend.
- Instead of simply backending to appservers.svc.eqiad.wmnet:80 today, it would backend to localhost:12345 (unique port assignment), which is an stunnel configured to connect to appservers.svc.eqiad.wmnet:443.
- There could be other alternatives similar to stunnel, but stunnel looks like a legit/default option here.
- Significant Con: Yet another piece of software in the request flow for reliability/debugging woes.
Patch varnish3 ourselves for outbound HTTPS
- Possibly using Amazon's s2n library, as it could be much simpler than using OpenSSL directly.
- Would deepen the amount of source-level customization we're doing with Varnish3 today, which is already a long-term problem for maintainability and tech debt.
- Patch would probably be significantly difficult. This is not lightweight patchwork. There are risks we could make varnish less stable, make a security-affecting mistake in the code, and/or make it much more difficult to continue merging in upstream 3.0.x fixes.
Upgrade to Varnish4, and then create our own custom director module for outbound HTTPS
- Varnish4 does this already in the commercial Plus variant, but not open source. We could do the same, as open source.
- It's sad to redundantly re-do the upstream closed-source work here, but as a module in varnish4 it would be significantly cleaner than hacking it into varnish3.
- Depends on Varnish4 upgrade, which is significantly difficult and off in the Future for now, and may not ever happen if we find an alternative first.
Upgrade to something non-Varnish that supports outbound TLS out of the box:
- e.g. ATS: T96853
- As with the above, this is neither near-term nor easy

Related Objects
Search...

Status	Assigned	Task
Open	None	T108580 HTTPS for internal service traffic
Open	None	T109325 Outbound HTTPS for varnish backend instances
Resolved	ema	T131499 Upgrade all cache clusters to Varnish 4
Resolved	ema	T126206 Upgrade to Varnish 4: things to remember
Resolved	ema	T128788 Port varnishlog.py to new VSL API
Resolved	ema	T131353 Port remaining scripts depending on varnishlog.py to new VSL API
Resolved	ema	T131501 Convert misc cluster to Varnish 4
Resolved	ema	T134989 WDQS empty response - transfer clsoed with 15042 bytes remaining to read
Resolved	ema	T131502 Convert upload cluster to Varnish 4
Resolved	BBlack	T131761 Solve large-object/stream/pass/chunked in upload cluster better
Resolved	ema	T142076 Analyze Range requests on cache_upload frontend
Resolved	ema	T142233 Varnish 4 stalls with two consecutive Range requests using HTTP persistent connections
Resolved	ema	T131503 Convert text cluster to Varnish 4
Resolved	BBlack	T135696 Sort out vcl_deliver vs vcl_synth mess with v4 VCL
Resolved	ema	T150660 Post Varnish 4 migration cleanup

Event Timeline

BBlack created this task.Aug 17 2015, 4:10 PM

BBlack raised the priority of this task from to Normal.

BBlack updated the task description. (Show Details)

BBlack added projects: Traffic, HTTPS, acl*sre-team.

BBlack added subscribers: faidon, Matanya, gerritbot and 2 others.

BBlack updated the task description. (Show Details)Aug 17 2015, 4:13 PM

BBlack set Security to None.

Updates on some exploration of option (2) above (actually looking at the varnish code and the APIs we'd be using in detail):

s2n - nice API, would be the simplest/cleanest option - not ready for us to use yet (client-side, client cert, cert-checking in general, configurability...)
GnuTLS - better than OpenSSL as an API choice, but like OpenSSL would be a significant chunk of work and code to review
OpenSSL - nice in that we have to maintain/care about fewer crypto libs, since we already use this for nginx. Slightly worse than the above for clean implementation...

At this point, I'm leaning towards doing a trial (perhaps incomplete, but proof-of-concept) patch for GnuTLS and seeing how that goes. I don't think we can wait on Varnish4/ATS to fix these problems, so options 3/4 aren't realistic in the near term. Option 1 (stunnel) is still on the table, depending on how well the patching work goes.

Raj_hunt added a subscriber: Raj_hunt.Sep 26 2015, 5:31 PM

Dzahn moved this task from Backlog to Big Picture on the HTTPS board.Dec 4 2015, 8:44 PM

Updates from the passage of time:

Varnish4 is happening and is a realistic blocker (for lots of things) these days, so we're almost certainly looking at something like option 3 (vmod for varnish4) at this point, whenever we can get back around to this.

ema added a subscriber: ema.Feb 26 2016, 12:05 PM

ema added a project: Varnish.Apr 1 2016, 1:37 PM

Southparkfan awarded a token.Apr 12 2016, 9:45 PM

Southparkfan added a subscriber: Southparkfan.

BBlack added a subtask: T131499: Upgrade all cache clusters to Varnish 4.May 4 2016, 4:36 PM

BBlack added a project: codfw-rollout.May 4 2016, 4:50 PM

BBlack moved this task from Triage to TLS on the Traffic board.Sep 30 2016, 1:44 PM

ema closed subtask T131499: Upgrade all cache clusters to Varnish 4 as Resolved.Nov 24 2016, 3:07 PM

Phabricator_maintenance moved this task from Backlog to Acknowledged on the Operations board.Jan 26 2019, 8:15 PM