Scenario: you have a Drupal site behind a proxy such as HAproxy, sending traffic to a Varnish backend (which in turn sends to the Nginx or Apache backend).

You want to serve cached pages from Varnish for both HTTP and HTTPS. Perhaps you've tried this and you found that behind HTTPS, your site had no CSS or JS. This is because it's serving a page object that was cached as HTTP, or it's not caching at all, but Drupal is serving the markup with http:// links and your browser won't allow that to be displayed under https:// .

In any case, it is a bonus to be able to serve cached objects with https:// markup, from Varnish, even though Varnish itself doesn't understand HTTPS.

You need to make three changes: one in HAproxy config, one in the Varnish VCL, and finally one in Drupal (settings.php). Here they are:

HAproxy config change

Set the X-Forwarded-Proto header in the 'frontend' definition of your HTTPS service:

You can define the same for your HTTP frontend service, but obviously the value of X-Forwarded-Proto will be 'http' instead of 'https'.

In this model, your frontend can send traffic to the same backend (Varnish) for both HTTP and HTTPS.

Varnish VCL change

Ensure we maintain two separate 'caches' - one for HTTP data and one for HTTPS data. That way, we can cache the HTTPS objects that contain https:// URL markup, and not for the plaintext HTTP. This is based on the X-Forwarded-Proto header being set in the HAproxy config, above.

Drupal settings.php change

We need to force-declare $_SERVER['https'] to be 'on', at the Drupal layer, if the X-Forwarded-Proto header was set to 'https'.

This is the change that makes Drupal apply https:// style URLs to the mark-up in the page response. Without this setting, you get a CSS/JS-less page in your browser when viewing the site under HTTPS.