From Bibliotheca Anonoma

The Varnish implementation will still require Nginx, even if Nginx is already being used as the MediaWiki server, since only Nginx can process SSL.

See this for installation instructions and Cloudflare varnish config:

See this for actual Varnish 4.0 config with Mediawiki:

Notice that if you're using SSL, Varnish isn't able to process SSL encrypted data. However, Nginx can function both as the PHP-FPM backend of varnish and an SSL decrypting frontend to varnish.

Setting up Nginx+PHP-FPM to work as a Vagrant Backend[edit]

It's pretty simple, just comment out listen 80; and listen 443; (we'll restore SSL support in the next step) and replace it with listen;.

server {
    #listen 80;
    #listen 443;
    listen; # tells Nginx to listen for traffic passed by Varnish
# and etc.

SSL Redirect with Nginx[edit]

Varnish doesn't support SSL unfortunately, but you can still use SSL with it. Just put Nginx as the front proxy for all SSL connections, so Nginx decrypts it.

This works even if the backend behind Varnish: is Nginx.

Warning: Make sure that the Varnish server is on the same machine or same Local Area Network, since whatever is going over this port is unencrypted.
server {
        listen 443 ssl default;

        ssl_certificate /etc/ssl/certs/mycert.crt;
        ssl_certificate_key /etc/ssl/private/mykey.key;

        location / {
            # Pass the request on to Varnish.

            # Pass some headers to the downstream server, so it can identify the host.
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

            # Tell any web apps like Drupal that the session is HTTPS.
            proxy_set_header X-Forwarded-Proto https;

            proxy_redirect     off;

Redirecting non wiki domains through to the same server[edit]

Alright, so Varnish and Nginx are running on the same server, but now Varnish has monopolized the HTTP 80 port, and Nginx is left only with the SSL port. What do we do now?

Well, it's simple. Have Varnish enforce the use of SSL on certain domains. Unfortunately, each domain has to be manually set like this. maybe there is a better way with a wildcard?