How to setup Security.vcl on Varnish 3.0
Download it
# cd vcl/
# make
# cp -a vcl/ /etc/varnish/security.vcl/
(alternatively you could symlink it, of course).
Now all it has to be done is edit your normal VCL and
add this line near the top:
include “/etc/varnish/security.vcl/main.vcl”;
On varnish 3.0 I had two erros when using the security.vcl from out of the box It complained about a regex on content-type.vcl
So I just comment that line, another error on main.vcl was on the line:
set obj.http.X-SEC-RuleMod = req.http.X-SEC-Module “-” req.http.X-SEC-RuleId;
Witch I commented out and set those two bellow:
set obj.http.X-SEC-RuleId = req.http.X-SEC-RuleId;
set obj.http.X-SEC-Rule = req.http.X-SEC-Module;
# service varnish restart
I suggest doing some pen-test using nikto and check what is happening using the varnishlog command.

Tags: , , , , , , , , ,

3 thoughts on “Varnish security.vcl

  1. Hi,
    Do you think this VCL can replace apache+mod_security on the front (internet) side ?
    One great thing with mod_security is the ability to scan uploaded files with an antivirus like clamd… Anything comparable in sight ?
    Are you using this VCL on production ?
    Do you have any other security layer before your web servers ?

  2. Thanks to Felip to share this. And speaking about security I don’t like solutions like mod_security because increase the volume of work that our webserver has to do and under my knowledge the webserver has only one job: serv. It’s recommended to put some firewall solution (IDS) and leave untouch your webserver. Ey, just and opinion! 🙂
    I’m going to test security.vcl just now, thanks

Leave a Reply

Your email address will not be published. Required fields are marked *