Varnish WAF

Advanced Configuration

Behind the Scenes of waf.vcl

Varnish WAF works on the backend side of Varnish. Any time Varnish makes a request to a backend (a miss or a pass), that request is scanned by Varnish WAF. waf.vcl handles all aspects of the ModSecurity workflow, but there are still some things that can be adjusted in the VCL.

waf.vcl will cache the first MB of the request body. See the API for how to increase the cached request body size.

Another option is to set the client IP and port number that the WAF sees. This is done in the main VCL (the one that includes waf.vcl), in vcl_recv, through the request headers req.http.waf-client-ip and req.http.waf-client-port. When they are not set, one of two defaults applies: if there is an X-Forwarded-For header, its first IP is taken (with a port of 0); otherwise client.ip and std.port(client.ip) are used. Additionally, any request can skip ModSecurity altogether by setting the request header req.http.waf-skip to "true". For more information about editing these options see the API.
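A main VCL that wires these options up, as an added example rather than anything shipped with varnish-plus-waf: the include path, the backend address, the trusted_proxies ACL with its 10.0.0.0/24 range and the /_health path are all assumptions made for illustration. It clears any client-supplied waf-skip header, pins waf-client-ip to the TCP peer unless the connection arrives from a known proxy (in which case it makes the same first-X-Forwarded-For choice waf.vcl makes by default), and opts one internal path out of scanning.

```vcl
vcl 4.1;

import std;

# Assumption: waf.vcl is on the vcl_path; the edit copy described in the
# next section could be included here instead.
include "waf.vcl";

backend default {
    .host = "127.0.0.1";   # constructed example origin
    .port = "8080";
}

# Constructed example: the only peers allowed to speak for the real client
# through X-Forwarded-For.
acl trusted_proxies {
    "10.0.0.0"/24;
}

sub vcl_recv {
    # waf-client-ip, waf-client-port and waf-skip are ordinary request
    # headers, so start from a clean slate instead of keeping whatever the
    # client sent.
    unset req.http.waf-skip;

    if (client.ip ~ trusted_proxies) {
        # Peer is a known proxy: use the first X-Forwarded-For entry, the
        # same choice waf.vcl makes by default, with a port of 0.
        set req.http.waf-client-ip = regsub(req.http.X-Forwarded-For, ",.*$", "");
        set req.http.waf-client-port = "0";
    } else {
        # Direct connection: the WAF's view of the client is the TCP peer.
        set req.http.waf-client-ip = client.ip;
        set req.http.waf-client-port = std.port(client.ip);
    }

    # Opting a request out of scanning: an internal health check (constructed
    # path) that carries no user-controlled content and only comes from the
    # trusted proxies.
    if (req.url == "/_health" && client.ip ~ trusted_proxies) {
        set req.http.waf-skip = "true";
    }
}
```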

Editing waf.vcl

To edit and maintain waf.vcl while still being able to update the varnish-plus-waf package, make a copy of the VCL under a different name, for example with the command below. Edits can then safely be made to /etc/varnish/waf_edit.vcl without being overwritten by a package upgrade.

cp /usr/share/varnish-plus/vcl/waf.vcl /etc/varnish/waf_edit.vcl

Update Static Content Type to Skip

By default, all response bodies with a Content-Type of audio, image, or video are skipped, because scanning static content of these three types wastes resources. To add to or remove from this list, make a copy of the VCL as described above, then update "audio|image|video" in sub vcl_backend_response. This is a pipe-delimited list (a regex alternation).