by wmf 69 days ago
What's the deal with Antirez and PHK refusing to add TLS support?
2 comments

I'm not "refusing to add TLS support"; I insist that the certificate is safely isolated in a separate process for security reasons. There are many ways to skin that cat.
Aside: Loved your bit talking about money and varnish in Gift Community[1]. And thanks for the Beerware License, I've started using it!

[1]: https://www.youtube.com/watch?v=tOn-L3tGKw0

Varnish Enterprise has https support.
The whole point of Varnish Software keeping a public version of "vinyl cache" as "varnish cache" with TLS is to give people a way to access a FOSS version with native TLS.

I think TLS is table-stakes now, and has been for the last 10 years, at least.

Just use the tool that does the job.

TLS in -> hitch or caddy
Cache -> varnish/vinyl
TLS out -> haproxy

Connect them up with Unix sockets, if you like.

Because the topic keeps coming up, I now wrote the tutorial which we should have had years ago: https://vinyl-cache.org/tutorials/tls_haproxy.html
Thanks for this. You don't mention hitch though. Is that now deprecated/discouraged?

It hasn't seen much action in a while, but maybe that's cos it works?

FWIW: Varnish Software still maintains and supports hitch, but we can't say we see a bright future for it. Both the ergonomics and the performance of not being integrated into Varnish are pretty bad. It was the crutch we leaned on, as it was the best thing we could make available.

I would recommend migrating off within a year or two.

haproxy supports both the offload (client) and onload (backend) use case. This is the main reason why I personally prefer it. I cannot comment on how well hitch works in comparison, because I have not used it for years.
In my experience this has a lot more moving parts than it should.
Terminate TLS and you have your cache.