
Varnish security.vcl

How to set up Security.vcl on Varnish 3.0

Download it
wget https://github.com/KristianLyng/varnish/tree/my2.1/varnish-tools/security.vcl
# cd vcl/
# make
# cp -a vcl/ /etc/varnish/security.vcl/
(alternatively you could symlink it, of course).
Now all that has to be done is to edit your normal VCL and
add this line near the top:
include "/etc/varnish/security.vcl/main.vcl";

On Varnish 3.0 I had two errors when using security.vcl out of the box. It complained about a regex in content-type.vcl,
so I just commented out that line. Another error, in main.vcl, was on the line:
set obj.http.X-SEC-RuleMod = req.http.X-SEC-Module "-" req.http.X-SEC-RuleId;
Which I commented out, and set these two below:

set obj.http.X-SEC-RuleId = req.http.X-SEC-RuleId;
set obj.http.X-SEC-Rule = req.http.X-SEC-Module;

# service varnish restart

I suggest doing some pen-testing using nikto and checking what is happening using the varnishlog command.
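
An added example (not part of the original post or of security.vcl): a shell function that tallies which rules fired, reading varnishlog text output on stdin. It assumes the Varnish 3.0 line layout and that the `X-SEC-RuleId` and `X-SEC-Rule` headers set above appear as client-side `TxHeader` records; the sample lines, module names and rule ids are constructed.

```shell
#!/bin/sh
# Added example: tally security.vcl rule hits from varnishlog text on stdin.
# Assumption: Varnish 3.0 line layout "<fd> <tag> <c|b> <data>", with the
# X-SEC-RuleId / X-SEC-Rule headers logged as client-side TxHeader records
# and each request closed by a ReqEnd record.

sec_rule_hits() {
    awk '
        $3 != "c" { next }                 # ignore backend-side records
        $2 == "RxURL" { url[$1] = $4 }     # remember URL per client fd
        $2 == "TxHeader" && $4 == "X-SEC-RuleId:" { id[$1] = $5 }
        $2 == "TxHeader" && $4 == "X-SEC-Rule:"   { mod[$1] = $5 }
        $2 == "ReqEnd" {                   # request finished: count it
            if ($1 in id) {
                key = (($1 in mod) ? mod[$1] : "unknown") "-" id[$1]
                hits[key]++
                if (!(key in first)) first[key] = url[$1]
            }
            delete id[$1]; delete mod[$1]; delete url[$1]
        }
        END { for (k in hits) printf "%d %s %s\n", hits[k], k, first[k] }
    ' | sort -k1,1nr -k2,2
}

# Constructed sample lines (not a real capture); modA/modB and the rule
# ids are made-up values.
sample_log() {
cat <<'EOF'
   12 RxURL        c /search?q=one
   13 RxURL        c /index.html
   12 TxHeader     c X-SEC-RuleId: 1001
   12 TxHeader     c X-SEC-Rule: modA
   14 TxHeader     b X-SEC-RuleId: 9999
   13 ReqEnd       c 1001 1312456000.10 1312456000.11 0.0 0.0 0.0
   12 ReqEnd       c 1002 1312456000.12 1312456000.13 0.0 0.0 0.0
   12 RxURL        c /search?q=two
   12 TxHeader     c X-SEC-RuleId: 1001
   12 TxHeader     c X-SEC-Rule: modA
   12 ReqEnd       c 1003 1312456001.10 1312456001.11 0.0 0.0 0.0
   15 RxURL        c /login
   15 TxHeader     c X-SEC-RuleId: 2002
   15 TxHeader     c X-SEC-Rule: modB
   15 ReqEnd       c 1004 1312456002.10 1312456002.11 0.0 0.0 0.0
EOF
}

# Output columns: hit count, module-ruleid, first URL that triggered it.
sample_log | sec_rule_hits
```

Records are keyed by file descriptor, so interleaved client sessions are counted separately; a rule that fires on ordinary traffic during a scan run is a candidate false positive to review before relying on the ruleset.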

  1. August 4th, 2011 at 12:17 | #1

    Hey Felipe,

    You should probably try Kacper’s adaptation of Sec.VCL to Varnish Cache 3.0. Send an issue on GitHub if you find something:


    Good luck and have fun! 🙂

  2. August 30th, 2011 at 17:14 | #2


    Do you think this VCL can replace apache+mod_security on the front (internet) side?
    One great thing with mod_security is the ability to scan uploaded files with an antivirus like clamd… Anything comparable in sight?

    Are you using this VCL in production?
    Do you have any other security layer before your web servers?


  3. March 26th, 2012 at 15:03 | #3

    Thanks to Felipe for sharing this. And speaking about security, I don’t like solutions like mod_security because they increase the volume of work that our webserver has to do, and to my knowledge the webserver has only one job: serve. It’s recommended to put some firewall solution (IDS) and leave your webserver untouched. Hey, just an opinion! 🙂

    I’m going to test security.vcl just now, thanks
