Varnish security.vcl

How to set up Security.vcl on Varnish 3.0

Download it (the original post pointed at https://github.com/KristianLyng/varnish/tree/my2.1/varnish-tools/security.vcl, which is the security.vcl directory on the my2.1 branch of that repository, so clone the branch rather than wget the web page):
# git clone -b my2.1 https://github.com/KristianLyng/varnish.git
# cd varnish/varnish-tools/security.vcl/
# make
# cp -a vcl/ /etc/varnish/security.vcl/
(alternatively you could symlink it, of course).
Now all that has to be done is edit your normal VCL and
add this line near the top:
include "/etc/varnish/security.vcl/main.vcl";

On Varnish 3.0 I had two errors when using security.vcl out of the box. It complained about a regex in content-type.vcl, so I just commented that line out. The other error, in main.vcl, was on the line:

set obj.http.X-SEC-RuleMod = req.http.X-SEC-Module "-" req.http.X-SEC-RuleId;

which I commented out, replacing it with these two:

set obj.http.X-SEC-RuleId = req.http.X-SEC-RuleId;
set obj.http.X-SEC-Rule = req.http.X-SEC-Module;
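The reason that line breaks on 3.0 is that Varnish 3.0 removed implicit string concatenation: adjacent string expressions now have to be joined with the + operator. Commenting the line out (as above) works, but the combined X-SEC-RuleMod header can also be kept by rewriting the line. The script below is an added example, not part of the original post or of security.vcl; the install path is the one used in this post and is an assumption, and the varnishd compile check assumes your main VCL is /etc/varnish/default.vcl.

```shell
#!/bin/sh
# Added example, not from the original post or from security.vcl.
# Varnish 3.0 dropped implicit string concatenation: adjacent string
# expressions must be joined with "+". Instead of commenting the
# X-SEC-RuleMod line out, it can be rewritten into 3.0 syntax.
# Paths below are assumptions (the install location used in the post).

VCL_FILE="${VCL_FILE:-/etc/varnish/security.vcl/main.vcl}"
MAIN_VCL="${MAIN_VCL:-/etc/varnish/default.vcl}"

# Rewrite the 2.x-style juxtaposed concatenation into 3.0 syntax.
# Reads VCL on stdin, writes the fixed VCL on stdout; a line that
# already uses "+" no longer matches the pattern and is left alone.
to_v3_concat() {
    sed -E 's/(req\.http\.X-SEC-Module) ("-") (req\.http\.X-SEC-RuleId)/\1 + \2 + \3/'
}

# Constructed input: the exact line the post reports as failing.
SAMPLE_LINE='set obj.http.X-SEC-RuleMod = req.http.X-SEC-Module "-" req.http.X-SEC-RuleId;'

# The same line after the rewrite (what 3.0 accepts).
fixed_line() {
    printf '%s\n' "$SAMPLE_LINE" | to_v3_concat
}

# Apply the rewrite in place, then ask varnishd to compile the whole
# configuration without starting the daemon (-C prints the generated C
# and exits); a non-zero exit means there is still a syntax problem.
fix_installed_vcl() {
    to_v3_concat < "$VCL_FILE" > "$VCL_FILE.new" && mv "$VCL_FILE.new" "$VCL_FILE"
    varnishd -C -f "$MAIN_VCL" > /dev/null
}

fixed_line
```

Run fix_installed_vcl as root once the files are in place; the compile check is worth keeping as a habit, because "service varnish restart" on a VCL that does not compile leaves you with no Varnish at all.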

# service varnish restart

I suggest doing some pen-testing with nikto and checking what is happening with the varnishlog command.
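To make the varnishlog check more useful than scrolling, the script below tallies which security.vcl rules fired, using the X-SEC-RuleId header that the fix above puts on blocked responses. It is an added example, not part of the original post; the varnishlog lines are constructed to look like Varnish 3.0 "varnishlog -c" output, and the XIDs, paths and rule ids in them are made up.

```shell
#!/bin/sh
# Added example, not from the original post: tally which security.vcl
# rules fired, from varnishlog output. It relies on the X-SEC-RuleId
# response header that the post's fix sets on blocked (403) responses.
# On a live box feed it from varnishlog 3.0 (client side only, records
# whose TxHeader matches the regex):
#   varnishlog -c -m TxHeader:X-SEC-RuleId | count_sec_hits

# Constructed sample in the "varnishlog -c" line format of Varnish 3.0
# (xid, tag, c/b side, data); the XIDs, paths and rule ids are made up.
SAMPLE='   12 RxURL        c /index.php?id=1
   12 TxStatus     c 200
   14 RxURL        c /cgi-bin/test.cgi
   14 TxStatus     c 403
   14 TxHeader     c X-SEC-RuleId: 14001
   16 RxURL        c /
   16 TxStatus     c 403
   16 TxHeader     c X-SEC-RuleId: 14001
   18 RxURL        c /admin
   18 TxStatus     c 403
   18 TxHeader     c X-SEC-RuleId: 10002'

# Read varnishlog lines on stdin, print "<hits> <rule-id>" per rule,
# most frequent rule first.
count_sec_hits() {
    awk '$2 == "TxHeader" && $4 == "X-SEC-RuleId:" { hits[$5]++ }
         END { for (r in hits) print hits[r], r }' | sort -rn
}

# Helpers over the constructed sample so the results can be checked.
sample_hits() {
    printf '%s\n' "$SAMPLE" | count_sec_hits
}

# Number of distinct rules that fired in the sample.
distinct_rules() {
    sample_hits | wc -l | tr -d ' '
}

# "<hits> <rule-id>" of the most frequent rule in the sample.
top_rule() {
    sample_hits | head -n 1
}

sample_hits
```

Keep in mind that whatever main.vcl sets on obj.http in vcl_error is sent to the client, so the rule id of the matching rule is visible in the 403 response; that is convenient while testing with nikto, but it is also information you may prefer to log rather than return once the setup goes to production.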

3 Thoughts

  1. Hi,

    Do you think this VCL can replace apache+mod_security on the front (internet) side?
    One great thing with mod_security is the ability to scan uploaded files with an antivirus like clamd… Anything comparable in sight?

    Are you using this VCL in production?
    Do you have any other security layer before your web servers?

    Regards

  2. Thanks to Felip for sharing this. And speaking about security, I don't like solutions like mod_security because they increase the volume of work that our webserver has to do, and to my knowledge the webserver has only one job: serve. It's recommended to put some firewall solution (IDS) in front and leave your webserver untouched. Hey, just an opinion! 🙂

    I'm going to test security.vcl just now, thanks
