Varnish WAF works on the backend side of Varnish.
Any time Varnish makes a request to a backend (a miss or a pass), the request is scanned by Varnish WAF.
waf.vcl handles all aspects of the ModSecurity workflow, but there are still
some things that can be edited in the VCL.
waf.vcl will cache the first MB of the request body.
See the API for how to increase the cached request body size.
Another option is to set the client IP and port number.
This is set in the main VCL (the one that includes
waf.vcl) in vcl_recv with the request
This defaults to one of two options: if there is an
X-Forwarded-For header, the first IP is
taken (with a port of 0); otherwise it will take
Additionally, any request can skip ModSecurity altogether by setting the request header,
"true". For more information about editing these options see the
To seamlessly edit and maintain a
waf.vcl while still being able to update the
package, a copy of the VCL with a different name must be made. Now edits can safely be made to
cp /usr/share/varnish-plus/vcl/waf.vcl /etc/varnish/waf_edit.vcl
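
The copy step above does not show when a later package update changes the original waf.vcl, which would leave the edited copy running stale WAF logic. The following is an added example, not part of the Varnish documentation, that makes the copy and later reports such a change; the `.orig` baseline file and the function names `fork_vcl` and `check_vcl` are assumptions of this sketch.

```shell
#!/bin/sh
# Added example: fork the packaged waf.vcl and detect upstream changes later.
# The ".orig" baseline file and both function names are assumptions.

# fork_vcl PACKAGED EDITABLE: copy the packaged VCL to an editable name and
# keep a pristine baseline beside it. Refuses to overwrite existing edits.
fork_vcl() {
    packaged=$1; editable=$2
    if [ ! -r "$packaged" ]; then
        echo "cannot read $packaged" >&2; return 2
    fi
    if [ -e "$editable" ]; then
        echo "$editable exists, not overwriting" >&2; return 3
    fi
    cp -p "$packaged" "$editable" && cp -p "$packaged" "$editable.orig"
}

# check_vcl PACKAGED EDITABLE: return 0 if the packaged VCL is unchanged since
# the fork, 1 if a package update changed it (prints the upstream diff that
# still has to be merged into the editable copy), 2 if no baseline exists.
check_vcl() {
    packaged=$1; editable=$2
    if [ ! -r "$editable.orig" ]; then
        echo "no baseline for $editable" >&2; return 2
    fi
    if cmp -s "$editable.orig" "$packaged"; then
        return 0
    fi
    diff -u "$editable.orig" "$packaged" || true
    return 1
}

# Constructed demo in a temp dir; the files stand in for
# /usr/share/varnish-plus/vcl/waf.vcl and /etc/varnish/waf_edit.vcl.
d=$(mktemp -d)
printf 'sub vcl_recv { }\n' > "$d/waf.vcl"
fork_vcl "$d/waf.vcl" "$d/waf_edit.vcl"
printf '# local edit\n' >> "$d/waf_edit.vcl"
printf '# change shipped by a package update\n' >> "$d/waf.vcl"
check_vcl "$d/waf.vcl" "$d/waf_edit.vcl" ||
    echo "packaged waf.vcl changed: merge the diff above into waf_edit.vcl"
rm -rf "$d"
```

Running `check_vcl` after each package update flags the case where the edited copy no longer matches what the package ships; local edits to the copy alone do not trigger it.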