How to setup Security.vcl on Varnish 3.0
Download it
wget https://github.com/KristianLyng/varnish/tree/my2.1/varnish-tools/security.vcl
# cd vcl/
# make
# cp -a vcl/ /etc/varnish/security.vcl/
(alternatively you could symlink it, of course).
Now all that has to be done is to edit your normal VCL and
add this line near the top:
include "/etc/varnish/security.vcl/main.vcl";
On Varnish 3.0 I had two errors when using security.vcl out of the box. It complained about a regex in content-type.vcl,
so I just commented that line out; the other error, in main.vcl, was on the line:
set obj.http.X-SEC-RuleMod = req.http.X-SEC-Module "-" req.http.X-SEC-RuleId;
which I commented out and replaced with these two below:
set obj.http.X-SEC-RuleId = req.http.X-SEC-RuleId;
set obj.http.X-SEC-Rule = req.http.X-SEC-Module;
# service varnish restart
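For reference, the failing line can also be kept as a single header under Varnish 3.0, which concatenates strings with the + operator instead of the 2.x juxtaposition that the original line relies on. The VCL below is an added example, not part of the original post or of security.vcl itself; it assumes the line lives in vcl_error (where obj.http is writable in 3.0), that the rules set req.http.X-SEC-Module and req.http.X-SEC-RuleId before calling error, that the original line in main.vcl has been commented out as described, and a placeholder backend on 127.0.0.1:8080.

```vcl
# Added example, not from the post or from security.vcl: a minimal
# Varnish 3.0 VCL that includes security.vcl and restores the combined
# X-SEC-RuleMod header using 3.0 string syntax.

backend default {
    .host = "127.0.0.1";   # placeholder backend, adjust for your setup
    .port = "8080";
}

include "/etc/varnish/security.vcl/main.vcl";

sub vcl_error {
    # Varnish 3.0 requires "+" between string operands; the 2.1-era
    # line concatenated by juxtaposition, which the 3.0 VCL compiler
    # rejects. Only set the header when a rule actually fired.
    if (req.http.X-SEC-RuleId) {
        set obj.http.X-SEC-RuleMod =
            req.http.X-SEC-Module + "-" + req.http.X-SEC-RuleId;
    }
}
```

Varnish concatenates multiple definitions of the same built-in subroutine in the order they appear, so this vcl_error runs after the one security.vcl defines rather than replacing it; check the result with varnishlog after restarting.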
I suggest doing some pen-testing using nikto and checking what is happening using the varnishlog command.
Hey Felipe,
You should probably try Kacper’s adaptation of Sec.VCL to Varnish Cache 3.0. Send an issue on GitHub if you find something:
https://github.com/comotion/security.vcl
Good luck and have fun! 🙂
Hi,
Do you think this VCL can replace apache+mod_security on the front (internet) side?
One great thing with mod_security is the ability to scan uploaded files with an antivirus like clamd… Anything comparable in sight?
Are you using this VCL in production?
Do you have any other security layer in front of your web servers?
Regards
Thanks to Felipe for sharing this. And speaking about security, I don’t like solutions like mod_security because they increase the volume of work that our webserver has to do, and to my knowledge the webserver has only one job: to serve. It’s recommended to put some firewall solution (IDS) in front and leave your webserver untouched. Hey, just an opinion! 🙂
I’m going to test security.vcl just now, thanks