I have recently needed to run Varnish (a very fast web cache for busy sites) in a situation that also required HTTPS on the same box. Unfortunately, Varnish does not handle crypto at all, so something else has to terminate the TLS in front of it. That is probably a good thing given how easy it is for programmers to make mistakes in crypto code, rendering the security useless!

Whilst recipes for Stunnel and Varnish together exist, information on running them on the same box whilst still presenting the original client source IP to Varnish for logging/load balancing purposes was scarce – the configuration below “worked for me”, at least on Debian 7.0 (Wheezy). You will need the xt_mark netfilter module, which should be part of most distributions, but I found it was missing from some hosted boxes and VMs with custom kernels; without it the MARK rule below silently does nothing.

iptables – mark replies from Varnish (source port 8088) so they can be policy-routed:
iptables -t mangle -A OUTPUT -p tcp -m multiport --sports 8088 -j MARK --set-xmark 0x1/0xffffffff

Routing configuration – anything marked by iptables is sent back to the local box. This is needed because Stunnel’s transparent mode connects to Varnish using the real client’s address as its source, so Varnish’s replies would otherwise be routed out towards that client instead of back to Stunnel for encryption. These two commands can be added under iface lo as “post-up” lines in /etc/network/interfaces if you’re on a Debian box.
ip rule add fwmark 1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100

Stunnel configuration. The connect IP MUST be an address on the box other than loopback, i.e. it will not work if you specify 127.0.0.1.

[https]
accept = 443
connect = 10.1.1.1:8088
transparent = source

From default.vcl (Varnish 3 syntax; the std vmod must be available):
import std;

sub vcl_recv {
    // Set header variables in a sensible way. Whatever X-Forwarded-Proto
    // the client sent is discarded; only the port we received on decides it.
    remove req.http.X-Forwarded-Proto;

    if (server.port == 8088) {
        // Port 8088 is only reachable via Stunnel, so this was HTTPS.
        set req.http.X-Forwarded-Proto = "https";
    } else {
        set req.http.X-Forwarded-Proto = "http";
    }

    // With transparent = source, client.ip is the real client address
    // rather than Stunnel's, so it is the right value to log and forward.
    set req.http.X-Forwarded-For = client.ip;
    std.collect(req.http.X-Forwarded-For);
}

sub vcl_hash {
    // SSL data returned may be different from non-SSL.
    // (E.g. including https:// in URLs), so cache them separately.
    // The default vcl_hash still adds req.url and the host after this.
    hash_data(server.port);
}
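
The iptables, routing and Stunnel steps above gathered into one re-runnable script with a dry-run mode, as an added example that is not part of the original post. It keeps the post’s port 8088, mark 1, table 100 and the 10.1.1.1 placeholder; the DRY_RUN switch, the function names and the loopback check are my own additions, and applying anything requires root.

```shell
#!/bin/sh
# Added example (not from the original post). Values from the post: port 8088,
# fwmark 1, table 100. DRY_RUN and the function names are assumptions.
set -eu

VARNISH_PORT="${VARNISH_PORT:-8088}"   # Varnish listener that stunnel connects to
FWMARK="${FWMARK:-0x1}"                 # mark carried by Varnish's replies
RT_TABLE="${RT_TABLE:-100}"             # table that routes marked replies back to lo
DRY_RUN="${DRY_RUN:-1}"                 # 1 = print commands, 0 = execute (needs root)

run() {
    if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Preflight: the post notes xt_mark is absent from some custom kernels, and the
# MARK target is useless without it. Succeeds for a loaded module or a built-in.
check_xt_mark() {
    grep -q '^xt_mark ' /proc/modules 2>/dev/null && return 0
    modprobe -n -q xt_mark 2>/dev/null
}

# transparent = source only works when stunnel connects to a non-loopback address.
validate_connect_ip() {
    case "$1" in
        127.*|::1|localhost) return 1 ;;
        *) return 0 ;;
    esac
}

# Mark replies leaving Varnish (source port 8088) and send them back into the box,
# so stunnel, not Varnish, answers the client. -C, `ip rule show` and `route
# replace` keep this safe to re-run without stacking duplicate rules.
apply_return_route() {
    rule="-p tcp -m multiport --sports $VARNISH_PORT -j MARK --set-xmark $FWMARK/0xffffffff"
    if [ "$DRY_RUN" = "1" ] || ! iptables -t mangle -C OUTPUT $rule 2>/dev/null; then
        run iptables -t mangle -A OUTPUT $rule
    fi
    if [ "$DRY_RUN" = "1" ] || ! ip rule show | grep -q "fwmark $FWMARK lookup $RT_TABLE"; then
        run ip rule add fwmark "$FWMARK" lookup "$RT_TABLE"
    fi
    run ip route replace local 0.0.0.0/0 dev lo table "$RT_TABLE"
}

# Print the stunnel service stanza for the given local (non-loopback) address.
stunnel_stanza() {
    validate_connect_ip "$1" || { echo "connect address must not be loopback" >&2; return 1; }
    printf '[https]\naccept = 443\nconnect = %s:%s\ntransparent = source\n' "$1" "$VARNISH_PORT"
}
```

Source the file, run check_xt_mark, then apply_return_route with DRY_RUN=0, and paste the output of stunnel_stanza 10.1.1.1 into stunnel.conf.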

I have recently switched from using dircproxy as an IRC bouncer to ZNC, and it is turning out to be a better piece of software (not least because of its decent SSL support and a handy web interface that allows easy reconfiguration). However, it suffers from the same problem as many other bouncers – it doesn’t log private messages when you’re online. This is annoying because I may have left some machine somewhere connected that I might not return to for a day or two, or I might be on a mobile device that’s prone to losing its connection due to train tunnels etc. (which results in ZNC thinking the device is still connected until it times out, so the messages are lost completely).

So, for anyone who uses ZNC and finds this similarly problematic, you can download a copy of the logging module I’ve worked on here. It compiles cleanly against the Debian version of ZNC 0.202 using just “znc-buildmod pmlog.cpp”, and you can install it simply by copying the resulting pmlog.so file to ~/.znc/modules and enabling it from the web interface.

There are no configuration options yet, so it’s rather rough and basic and should be regarded as beta-quality code at best, but time permitting I should add more soon. When you connect, it will simply play back the inbound and outbound private messages exchanged since you loaded the module.