This blog explains how to configure Varnish on Magento 2 with Nginx as an SSL termination layer.
The setup uses a clean separation between SSL handling, caching, and Magento execution.
When you run a Magento 2 store with Varnish Cache for full-page caching, and serve via Nginx as your web server, you need to chain them appropriately. The typical architecture is:
Client → (HTTP/HTTPS) → Nginx (SSL termination or plain HTTP) → Varnish (port 80) → Nginx + PHP-FPM (backend, e.g. port 8080) → Magento 2
Below are the steps to set this up:
1. Install and start Varnish
Install Varnish on your server, e.g. on Ubuntu:
sudo apt update
sudo apt install varnish -y
Enable and start the Varnish service:
sudo systemctl enable varnish
sudo systemctl start varnish
Confirm installation, e.g.:
varnishd -V
Once installed, Varnish is ready.
2. Configure Nginx to work with Varnish + Magento
Since Varnish will listen on port 80 (handling public incoming HTTP), you must move Nginx to listen on a different port (e.g. 8080).
Nginx Configuration Strategy
This setup uses two Nginx configuration files.
Each file handles a clearly defined responsibility.
Why two configs work better
- Clean separation of concerns
- Safer backend isolation
- Easier troubleshooting
Frontend Nginx Configuration (SSL Termination)
The magento_site.conf file manages public traffic. It terminates SSL and forwards all requests to Varnish. It also protects Magento from direct access. Only Varnish receives proxied traffic.
/etc/nginx/conf.d/magento_site.conf
# HTTP to HTTPS redirect
server {
listen 8090;
server_name mywebiste.webkul.in;
return 301 https://$host:8443$request_uri;
}
# Main HTTPS server block
server {
listen 8443 ssl; # Listen on port 8443 with SSL
http2 on; # Enable HTTP/2
server_name mywebiste.webkul.in; # Replace with your domain name
# SSL certificate paths
ssl_certificate /etc/letsencrypt/live/webkul.in/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/webkul.in/privkey.pem;
# Recommended SSL settings (adjust as needed)
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers 'TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256';
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 1h;
# OCSP stapling is disabled (the nginx default), so ssl_stapling_verify below has no effect
#ssl_stapling off;
ssl_stapling_verify on;
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
add_header X-Frame-Options "SAMEORIGIN";
add_header X-Content-Type-Options "nosniff";
# >>> Add these lines here to fix the 502 Bad Gateway error: <<<
proxy_buffer_size 128k;
proxy_buffers 4 256k;
proxy_busy_buffers_size 256k;
proxy_max_temp_file_size 0;
# This single location block handles everything and sends it to Varnish:
location / {
# Pass ALL requests to Varnish (listening on port 80)
proxy_pass http://127.0.0.1:80;
# Pass necessary headers so Varnish/Magento know about the original HTTPS request
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https; # Indicates the original protocol was HTTPS
proxy_set_header X-Forwarded-Port 8443;
}
# Additional headers (X-Frame-Options and X-Content-Type-Options are already set above;
# repeating them here would send each header twice)
add_header X-XSS-Protection "1; mode=block";
add_header X-PHP-FPM "Handled by FastCGI";
}
Backend Nginx Configuration (Magento Internal Server)
The magento_backend.conf file serves Magento internally, and only Varnish can access this server. It keeps PHP-FPM isolated.
/etc/nginx/conf.d/magento_backend.conf
upstream fastcgi_backend {
server unix:/run/php/php8.3-fpm.sock;
}
server {
listen 127.0.0.1:8080; # INTERNAL PORT: bound to loopback so only Varnish/localhost can connect
server_name mywebiste.webkul.in;
# Set Magento's root directory for includes
set $MAGE_ROOT /home/users/webkul.user/www/html/nginx-magento;
# Include Magento's default Nginx configuration file
include /home/users/webkul.user/www/html/nginx-magento/nginx.conf.sample;
location ~ \.php$ {
include fastcgi_params;
fastcgi_pass unix:/run/php/php8.3-fpm.sock;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
# !! IMPORTANT FOR VARNISH SETUP !!
# Tell Magento the original request was secure, even though Varnish sends it over HTTP
fastcgi_param HTTPS on;
fastcgi_read_timeout 300;
fastcgi_connect_timeout 300;
fastcgi_send_timeout 300;
}
}
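The backend is only isolated if its listen directive binds to loopback; a bare port such as `listen 8080;` binds every interface. The following added example (not part of the original post) lints Nginx configuration text for listeners on the backend port that other hosts can reach. The sample configuration, port 8081 and the function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample: listen directives as they might appear in `nginx -T` output.
SAMPLE_CONF = """
server {
    listen 8080;
}
server {
    listen 127.0.0.1:8081;
    listen [::1]:8081;
    listen unix:/run/nginx-backend.sock;
}
"""

LISTEN_RE = re.compile(r"^\s*listen\s+([^;]+);", re.MULTILINE)

def is_loopback_only(listen_value):
    """True if a `listen` argument binds only to loopback or a Unix socket."""
    addr = listen_value.split()[0]       # drop flags such as ssl, default_server
    if addr.startswith("unix:"):
        return True
    if addr.isdigit():                   # bare port: nginx binds every interface
        return False
    if addr.startswith("["):             # [ipv6] or [ipv6]:port
        host = addr[1:addr.index("]")]
    else:                                # host or host:port
        host = addr.rsplit(":", 1)[0]
    if host == "localhost":              # assumes localhost resolves to loopback
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:                   # "*" or another hostname
        return False

def exposed_listens(conf_text, ports):
    """Return listen values on `ports` that accept connections from other hosts."""
    hits = []
    for value in LISTEN_RE.findall(conf_text):
        addr = value.split()[0]
        port = "" if addr.startswith("unix:") else addr.rsplit(":", 1)[-1]
        if port in ports and not is_loopback_only(value):
            hits.append(value.strip())
    return hits

if __name__ == "__main__":
    print(exposed_listens(SAMPLE_CONF, {"8080", "8081"}))
```

Feed it the output of `nginx -T` and the backend port; an empty list means every listener on that port is loopback-only or a Unix socket.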
3. Configure Varnish to forward to Nginx backend
Now point Varnish’s backend to Nginx (on port 8080):
1. Export the default VCL for Magento 2 from the Magento Admin:
- In Admin, go to Stores → Configuration → Advanced → System → Full Page Cache.
- Set Caching Application to Varnish Cache.
- Expand Varnish Configuration, set backend host (commonly 127.0.0.1) and backend port (e.g. 8080).
- Click Export VCL (choose version matching your Varnish) — Magento will download a file (e.g. varnish.vcl).
2. Place that .vcl in Varnish config directory:
sudo cp /path/to/downloaded/varnish.vcl /etc/varnish/default.vcl
3. In default.vcl, ensure the backend block points to Nginx backend:
backend default {
.host = "127.0.0.1";
.port = "8080";
}
4. Update the Varnish VCL for GraphQL Caching:
Modify sub vcl_recv Block
# Enable caching for public GraphQL GET requests
if (req.method == "GET" && req.url ~ "^/graphql") {
unset req.http.Cookie;
}
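Removing the Cookie header makes GraphQL GET requests cacheable.
Comment Out the Default Magento Bypass Logic
The default rule sends GraphQL requests that carry a Bearer token but no X-Magento-Cache-Id header straight to the backend. With it disabled, those requests are no longer forced past the cache, so make this change only if the GraphQL queries your store serves over GET return the same data for every visitor.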
# Disabled to allow GraphQL caching for public requests
# if (req.url ~ "/graphql" && !req.http.X-Magento-Cache-Id && req.http.Authorization ~ "^Bearer") {
# return (pass);
# }
5. Restart Varnish After Changes:
sudo systemctl restart varnish
6. Restart Nginx After All the Changes:
sudo systemctl restart nginx
4. Conclusion
This guide demonstrated how to configure Varnish in Magento 2 using Nginx as SSL termination.
The setup follows a clean and secure production architecture.
Nginx handles HTTPS efficiently. Varnish delivers fast cached responses. Magento remains isolated and stable under load. This configuration aligns with enterprise Magento best practices.