Enabling Varnish WAF is as simple as adding one include statement at the top
of a VCL and pointing it at the configuration files for ModSecurity and the OWASP CRS.
To change ModSecurity's default settings, edit /etc/varnish/modsec/modsecurity.conf.
The CRS configuration can likewise be edited in
/etc/varnish/modsec/owasp-crs-{VERSION_NUMBER}/crs-setup.conf.
vcl 4.1;
# Pull in the WAF hooks before any of your own subroutines.
include "waf.vcl";
sub vcl_init {
    # Load ModSecurity's engine settings first, then the CRS setup, then the CRS rules.
    # Files are parsed in the order they are added, so keep this ordering.
    varnish_waf.add_files("/etc/varnish/modsec/modsecurity.conf");
    varnish_waf.add_files("/etc/varnish/modsec/owasp-crs-{VERSION_NUMBER}/crs-setup.conf");
    varnish_waf.add_files("/etc/varnish/modsec/owasp-crs-{VERSION_NUMBER}/rules/*.conf");
}
Varnish WAF needs more worker-thread stack than varnishd's default, so set a comfortable
stack size on the varnishd command line (for systemd installs, on the ExecStart line of
the unit or a drop-in override):
ExecStart=varnishd ... -p thread_pool_stack=96k
Varnish WAF is compatible with any rule set written in the ModSecurity rule language (SecRules), not only the CRS. Rule files can be added from the local filesystem or fetched remotely.
To verify that Varnish WAF is installed correctly, run the included VTC,
/etc/varnish/modsec/waf.vtc. This VTC makes a few requests against a simple rule set that
blocks every request whose URL starts with /foo and returns response code 678 for it.
The VTC can be run with:
varnishtest /etc/varnish/modsec/waf.vtc
The first two requests in the VTC do not contain foo and therefore get response code 200.
The last three requests contain foo in some part of the URL and get response code 678.
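The rule set behind the VTC is not reproduced on this page, so here is an added example of a local SecRules file that implements the same behaviour, plus one common practitioner addition (an exclusion for a health-check path). It is not the rule file shipped with Varnish WAF; the file path, the rule ids and the /healthz path are assumptions, and it is loaded with an extra varnish_waf.add_files() call after the CRS rules in vcl_init.

```apache
# Added example, not the rule file shipped with Varnish WAF.
# Assumed path: /etc/varnish/modsec/local-rules.conf, loaded from vcl_init with
#   varnish_waf.add_files("/etc/varnish/modsec/local-rules.conf");
# after the CRS rules. Rule ids 10001-10002 are assumed to be unused here.

# Make the engine block, not just log (DetectionOnly would return 200 for everything).
SecRuleEngine On

# Exclusion first: a health check should never pay the cost of the rule set.
# ctl:ruleEngine=Off disables the engine for the rest of this transaction only.
SecRule REQUEST_URI "@streq /healthz" \
    "id:10001,phase:1,pass,nolog,ctl:ruleEngine=Off"

# Phase 1 runs on request headers, so the block happens before any body is read.
# Any URL starting with /foo is denied with status 678, matching what waf.vtc expects.
SecRule REQUEST_URI "@beginsWith /foo" \
    "id:10002,phase:1,deny,status:678,log,msg:'Blocked /foo prefix'"
```

With this file loaded, / and /bar are served normally, /foo and /foobar get 678, and /healthz skips the engine entirely. Keeping such exclusions and site-specific rules in a separate file, rather than editing the CRS files, makes CRS upgrades a matter of changing {VERSION_NUMBER} in vcl_init.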
Varnish WAF has its own VSL tag, WAF, which records what the WAF did on each request.
The following command prints that information, grouped per request:
varnishlog -g request -i WAF
ModSecurity is a vast toolbox capable of many things, but so is Varnish. In some cases it is best practice to use Varnish instead, for example for throttling or geolocation restriction. ModSecurity is fast and efficient, but the fewer rules that must be parsed and acted upon, the faster a request completes. For cases like those above, or when serving static content, handling the request in Varnish lets you skip ModSecurity altogether, getting the best performance with the same level of security.