How to set up Security.vcl on Varnish 3.0
# cd vcl/
# cp -a vcl/ /etc/varnish/security.vcl/
(alternatively you could symlink it, of course).
Now all that has to be done is to edit your normal VCL and
add this line near the top:
On Varnish 3.0 I had two errors when using security.vcl out of the box. It complained about a regex in content-type.vcl,
so I just commented out that line. Another error, in main.vcl, was on the line:
set obj.http.X-SEC-RuleMod = req.http.X-SEC-Module "-" req.http.X-SEC-RuleId;
Which I commented out, and I set these two below:
set obj.http.X-SEC-RuleId = req.http.X-SEC-RuleId;
set obj.http.X-SEC-Rule = req.http.X-SEC-Module;
# service varnish restart
I suggest doing some pen-testing using nikto and checking what is happening using the varnishlog command.
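
To see which rules a test scan trips, this added example (not part of the original post or of security.vcl) tallies rule hits per URL from varnishlog client records. It assumes Varnish 3.0's plain-text log layout and that the X-SEC-RuleId and X-SEC-Rule headers set above are sent in the blocked response; the names sec_hits and sample_log and the sample log itself are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from security.vcl). Assumes Varnish 3.0 "fd tag c data"
# varnishlog lines and that X-SEC-RuleId / X-SEC-Rule reach the client reply.

# stdin: varnishlog text; stdout: "count module rule-id url", most hits first.
sec_hits() {
    awk '
        $3 != "c"        { next }                  # client-side records only
        $2 == "ReqStart" { url[$1] = ""; id[$1] = ""; mod[$1] = "" }
        $2 == "RxURL"    { url[$1] = $4 }
        $2 == "TxHeader" && $4 == "X-SEC-RuleId:" { id[$1]  = $5 }
        $2 == "TxHeader" && $4 == "X-SEC-Rule:"   { mod[$1] = $5 }
        $2 == "ReqEnd" {                           # request done: record a hit
            if (id[$1] != "") hits[mod[$1] " " id[$1] " " url[$1]]++
            id[$1] = ""                            # fd numbers get reused
        }
        END { for (k in hits) print hits[k], k }
    ' | sort -k1,1nr -k2
}

# Constructed sample; module names, rule ids, addresses and URLs are made up.
sample_log() {
    cat <<'EOF'
   11 ReqStart     c 192.0.2.10 51234 1000001
   11 RxURL        c /index.php?id=1%27
   11 TxHeader     c X-SEC-RuleId: 1
   11 TxHeader     c X-SEC-Rule: example.sql
   11 ReqEnd       c 1000001
   12 ReqStart     c 192.0.2.10 51235 1000002
   12 RxURL        c /style.css
   12 TxStatus     c 200
   12 ReqEnd       c 1000002
   11 ReqStart     c 192.0.2.10 51234 1000003
   11 RxURL        c /index.php?id=1%27
   11 TxHeader     c X-SEC-RuleId: 1
   11 TxHeader     c X-SEC-Rule: example.sql
   11 ReqEnd       c 1000003
   13 ReqStart     c 192.0.2.10 51236 1000004
   13 RxURL        c /cgi-bin/test.cgi
   13 TxHeader     c X-SEC-RuleId: 7
   13 TxHeader     c X-SEC-Rule: example.path
   13 ReqEnd       c 1000004
EOF
}

# Real use: save "varnishlog -c" output to a file during the scan, then
#   sec_hits < saved.log
sample_log | sec_hits
```

A URL that appears with a high count under one rule but serves legitimate traffic is a candidate false positive to review before leaving that rule enabled.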