Apache Varnish SSL

You want to use Apache with Varnish and SSL. Let's start.

First install Varnish 6

Please look here for how to install Varnish on Ubuntu/Debian.


Replace trusty with bionic:

root@remote:~# cat /etc/apt/sources.list.d/varnishcache_varnish60.list
deb https://packagecloud.io/varnishcache/varnish60/ubuntu/ bionic main
deb-src https://packagecloud.io/varnishcache/varnish60/ubuntu/ bionic main


Install Varnish 6

apt-get install varnish

Start and enable Varnish as a service

sudo systemctl start varnish.service

sudo systemctl enable varnish.service

Attention: look here for more information about Varnish and systemd.


As the next step, we configure Varnish


systemctl edit varnish.service


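Insert the following; feel free to adjust the memory settings. In a drop-in file the line belongs under [Service], after an empty ExecStart= line that clears the packaged command; otherwise systemd refuses the unit for having more than one ExecStart.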

ExecStart=/usr/sbin/varnishd -a :6081 -f /etc/varnish/default.vcl -s malloc,256m -p first_byte_timeout=600

We create a full replacement of varnish.service

systemctl edit --full varnish.service

Make your changes and save the file. After saving, we reload the systemd configuration

systemctl daemon-reload


You can also adjust /etc/varnish/default.vcl for browser caching or anything else.


That's it for installing and adjusting Varnish.

Install Apache with SSL

apt-get install apache2


We create a redirect from http to https

vim /etc/apache2/sites-available/redirect.conf


# Port 80 only, so this vhost does not also answer on 443 and 8080
<VirtualHost *:80>
ServerName vhost.example.com
DocumentRoot /var/www/html
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</IfModule>
</VirtualHost>


We create a new vhost file, roundtrip.conf; the static site runs on port 8080

vim /etc/apache2/sites-available/roundtrip.conf


<VirtualHost *:8080>
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>


We create a new vhost file for SSL

vim /etc/apache2/sites-available/ssl.conf


<VirtualHost *:443>
DocumentRoot /var/www/
SSLEngine on
SSLCertificateKeyFile /etc/ssl/private/sslcert.key
SSLCertificateFile /etc/ssl/private/sslcert.crt
# SSLCertificateChainFile /eDigiCertCA.crt
</VirtualHost>


We delete the default site; we don't need it

rm /etc/apache2/sites-enabled/000-default.conf


We enable the Apache site configs

a2ensite redirect.conf
a2ensite ssl.conf
a2ensite roundtrip.conf

We enable port 8080

vim /etc/apache2/ports.conf


Listen 8080

Enable the modules that we need (ssl for SSLEngine, rewrite for the redirect)

a2enmod ssl
a2enmod rewrite
a2enmod proxy
a2enmod proxy_http
a2enmod headers

Check your Apache Config

apachectl configtest

Restart your Apache

systemctl restart apache2


That's it!
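The ssl.conf above carries only the TLS settings, while proxy, proxy_http and headers are enabled for handing requests on to Varnish. The following is an added example (not from the original post) of one way to chain the three listeners, Apache :443 to Varnish :6081 to Apache :8080, with both plaintext hops bound to loopback so they cannot be reached around the TLS vhost. Assumptions: ServerName vhost.example.com on the TLS vhost, the backend in /etc/varnish/default.vcl pointing at 127.0.0.1:8080, and varnishd started with -a 127.0.0.1:6081 instead of -a :6081.

```apache
# --- addition to /etc/apache2/ports.conf --------------------------------
# The existing Listen 80 / Listen 443 lines stay as they are.
# Backend for Varnish only: bind to loopback so clients cannot fetch the
# uncached, unencrypted site directly on port 8080.
Listen 127.0.0.1:8080

# --- /etc/apache2/sites-available/roundtrip.conf ------------------------
<VirtualHost 127.0.0.1:8080>
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

# --- /etc/apache2/sites-available/ssl.conf ------------------------------
<VirtualHost *:443>
    ServerName vhost.example.com
    SSLEngine on
    SSLCertificateKeyFile /etc/ssl/private/sslcert.key
    SSLCertificateFile    /etc/ssl/private/sslcert.crt

    # Reverse proxy only: never act as an open forward proxy.
    ProxyRequests Off
    # Pass the client's Host header through, so Varnish and the backend
    # see the requested site name instead of 127.0.0.1.
    ProxyPreserveHost On

    # "set" overwrites whatever the client sent, so the backend can rely
    # on this header meaning "the request arrived over TLS" (mod_headers).
    RequestHeader set X-Forwarded-Proto "https"

    # Hand every request to Varnish on loopback (assumption: varnishd
    # listens on 127.0.0.1:6081; the unit on this page uses -a :6081,
    # which listens on all interfaces).
    ProxyPass        / http://127.0.0.1:6081/
    ProxyPassReverse / http://127.0.0.1:6081/
</VirtualHost>
```

After apachectl configtest and a restart, ss -ltn should list 6081 and 8080 on 127.0.0.1 only.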

Forcing oft MIME type files to download

Apache is sometimes nice and sometimes ugly. Show me the ugly Apache 🙂

I have a webserver with Apache and some files: doc, pdf and “oft” Outlook template files.
Internet Explorer opens “oft” directly without prompting and shows the source code of the file.

Add the following to your apache2.conf file

AddType application/octet-stream .oft oft

Check in your Apache conf file that the use of .htaccess files is allowed

<Directory /var/www/>
Options Indexes FollowSymLinks MultiViews
AllowOverride All
Order allow,deny
allow from all
</Directory>

We need two mods, rewrite and headers. Very often rewrite is already enabled, headers not so often. If headers is not enabled, you will get a 500 server error from Apache.

Enable headers with

a2enmod headers

apachectl restart


Place your .htaccess file in your www data folder, /var/www/

You need the following content; this also works for any other extension that you want to force to download

<FilesMatch "\.(oft|OFT)$">
ForceType application/octet-stream
Header set Content-Disposition attachment
</FilesMatch>


That's it