Varnish WAF works on the backend side of Varnish.
Any time Varnish makes a request to a backend (misses or passes), the request is scanned by Varnish WAF.
waf.vcl handles all aspects of the ModSecurity workflow, but there are still
some things that can be edited in the VCL.
waf.vcl will cache the first MB of the request body.
See the API for how to increase the cached request body size.
Another option is to set the client IP and port number.
This is set in the main VCL (the one that includes
waf.vcl) in vcl_recv with the request
This defaults to one of two options: if there is an
X-Forwarded-For header, the first IP is
taken (with a port of 0); otherwise it will take
Additionally, any request can skip ModSecurity altogether by setting the request header,
"true". For more information about editing these options see the
To seamlessly edit and maintain a
waf.vcl while still being able to update the
package, a copy of the VCL with a different name must be made. Now edits can safely be made to
cp /usr/share/varnish-plus/vcl/waf.vcl /etc/varnish/waf_edit.vcl
By default, all response bodies with a
will be skipped as scanning static content, like these three types, will waste resources.
If this should be changed or other configurations are needed, for example to add to or remove from this list,
make a copy of the VCL like above, then update
This is a pipe (regex or) delimited list.