Varnish WAF

API

Varnish WAF works on the backend side of Varnish. Any time Varnish makes a request to a backend (a cache miss or a pass), the request and the backend's response are scanned by Varnish WAF; cache hits are served without being re-scanned. The API for Varnish WAF is to be used in the VCL that includes waf.vcl. The API is as follows:

Functions

All functions are prefixed with varnish_waf (for example varnish_waf.add_files()), except for version(), which is prefixed with waf (waf.version()).

VOID .add_files(STRING path)

  • Description

    Add a configuration file containing the list of rule sets. This is called in vcl_init.

  • Return Value

    None.

  • Arguments

    • path

      Path to the configuration file. This can be a glob.

VOID .add_file_remote(STRING url, STRING key)

  • Description

    Add a configuration file from a remote server. This is called in vcl_init.

  • Return Value

    None.

  • Arguments

    • url

      URL to the rule set.

    • key

      The key sent to the server in the ModSec-key request header. Defaults to an empty string.

STRING version()

  • Description

    Return the versions of Varnish WAF and ModSecurity.

  • Return Value

    A string containing the Varnish WAF version and the ModSecurity version joined by an underscore, in the format WAF.VERSION_MODSECURITY.VERSION.
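The vcl_init below is an added example written for this reference, not code shipped with Varnish WAF: it loads a local rule-set directory with add_files, fetches one additional rule set with add_file_remote, and logs the running versions. The rule-set path, the URL, the key value and the use of vmod std for logging are assumptions made for the example.

```vcl
vcl 4.1;

import std;
include "waf.vcl";

sub vcl_init {
    # Local rule-set configuration. The path is a placeholder; add_files
    # accepts a glob, so every .conf file in the directory is loaded.
    varnish_waf.add_files("/etc/varnish/modsec/*.conf");

    # Fetch an additional rule set from a central server. The key is sent
    # to that server in the ModSec-key header; URL and key are placeholders.
    varnish_waf.add_file_remote("https://rules.example.internal/waf/custom.conf",
                                "replace-with-a-secret");

    # Record which Varnish WAF / ModSecurity build this VCL was loaded against.
    std.log("varnish-waf: " + waf.version());
}
```

vcl_init runs on every vcl.load, so the rule sets are read when the VCL is loaded, not per request. Keep the remote key out of version-controlled VCL.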

Headers

Varnish WAF reads certain request headers to expose configuration options to the user. All of these headers should be set in vcl_recv. Because they are ordinary request headers, a client can send them as well; unset them (or set them unconditionally) in vcl_recv so that a request arriving with waf-skip: true cannot disable inspection.

waf-skip

  • Description

    Should ModSecurity be skipped for this request?

  • Possible Values

    If set to true, the entire request will not be parsed by ModSecurity. If set to request, the request headers and body are not parsed while the response headers and body are. If set to response, the request headers and body are parsed while the response headers and body are not.

  • Default Value

    Undefined (nothing is skipped: both request and response are parsed).

waf-client-ip

  • Description

    Store the IP address of the client.

  • Possible Values

    The IP address of the client.

  • Default Value

    If the X-Forwarded-For header is present, the first IP address in it is used. Otherwise, the IP is set to client.ip. Note that X-Forwarded-For is supplied by the client unless a trusted proxy in front of Varnish overwrites it, so with the default any client can choose the address that IP-based rules are evaluated against; set waf-client-ip explicitly in vcl_recv when Varnish is not behind such a proxy.

waf-client-port

  • Description

    Hold the port number of the client.

  • Possible Values

    The port number of the client.

  • Default Value

    If the X-Forwarded-For header is present, the header is set to 0 (the original client port is not known). Otherwise, the port is set to std.port(client.ip).
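A vcl_recv that sets all three headers explicitly, added here as an example and not part of the Varnish WAF distribution. It assumes a trusted_proxies ACL (the 10.0.0.0/8 range is a placeholder for whatever load balancer actually sits in front of Varnish), a /healthz endpoint and a /downloads/ prefix that are placeholders, and vmod std for std.port.

```vcl
vcl 4.1;

import std;
include "waf.vcl";

# Placeholder for the load balancer(s) in front of Varnish.
acl trusted_proxies {
    "10.0.0.0"/8;
}

sub vcl_recv {
    # These are ordinary request headers, so discard whatever the client
    # sent before deciding their values here.
    unset req.http.waf-skip;
    unset req.http.waf-client-ip;
    unset req.http.waf-client-port;

    if (client.ip ~ trusted_proxies && req.http.X-Forwarded-For) {
        # Only honour X-Forwarded-For when the TCP peer is a known proxy.
        # The first entry is taken as the client address, matching the
        # documented default; the client port is unknown here, hence 0.
        set req.http.waf-client-ip =
            regsub(req.http.X-Forwarded-For, "^\s*([^,\s]+).*$", "\1");
        set req.http.waf-client-port = "0";
    } else {
        # Direct connection: use the TCP peer address and port.
        set req.http.waf-client-ip = client.ip;
        set req.http.waf-client-port = std.port(client.ip);
    }

    if (req.url == "/healthz") {
        # Monitoring traffic: skip ModSecurity entirely.
        set req.http.waf-skip = "true";
    } elsif (req.url ~ "^/downloads/") {
        # Large file bodies: still inspect the request, skip the response.
        set req.http.waf-skip = "response";
    }
}
```

If the proxy appends to X-Forwarded-For rather than replacing it, the first entry is still attacker-controlled; in that case take the rightmost entry (the one the trusted proxy added) instead of the first.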

Options

Options are set using the waf_opts object.

cache_req_body_bytes

  • Description

    The maximum size of the request body to cache, given as a string. This is set in vcl_init.

  • Possible Values

    A number followed by a unit such as B, KB, MB, etc. (e.g. 5MB).

  • Default Value

    1MB.

  • Example

        sub vcl_init {
            waf_opts.set("cache_req_body_bytes", "5MB");
        }