Cache TLS termination
TLS in the caching cluster is terminated by nginx. It performs the following roles:
- TLS terminator
- HTTP/2 terminator
- Forward TLS & HTTP/2 metrics to varnish
TLS requirements for canonical domains and hence for the caching cluster are described here. Puppetization happens in profile::cache::ssl::unified and more specifically in tlsproxy::localssl. The usual TLS configuration parameters (ciphersuites enabled and their preference order, DH parameters and optionally HSTS) happens in the puppet function ssl_ciphersuite.
HSTS header injection is performed by our varnish frontend layer here and it looks like this:
strict-transport-security: max-age=106384710; includeSubDomains; preload
OCSP stapling is performed externally to nginx. So nginx just sends a prefetched OCSP stapling response that's obtained every 12 hours using the nginx configuration directive ssl_stapling_file and a custom patch to support dual-cert setups with prefetched OCSP stapling responses. A good post about why this is being done like this can be found in APNIC's blog.