Varnish WAF

Getting Started

Configuration

Enabling Varnish WAF is as simple as adding one include statement at the top of a VCL and loading the configuration files for ModSecurity and the OWASP CRS. To modify ModSecurity's default settings, edit /etc/varnish/modsec/modsecurity.conf. The CRS configuration can be edited in /etc/varnish/modsec/owasp-crs-{VERSION_NUMBER}/crs-setup.conf.

vcl 4.1;

include "waf.vcl";

sub vcl_init {
	varnish_waf.add_files("/etc/varnish/modsec/modsecurity.conf");
	varnish_waf.add_files("/etc/varnish/modsec/owasp-crs-{VERSION_NUMBER}/crs-setup.conf");
	varnish_waf.add_files("/etc/varnish/modsec/owasp-crs-{VERSION_NUMBER}/rules/*.conf");
}

When using Varnish WAF, a comfortable stack size should be set on the varnishd command line:

ExecStart=varnishd ... -p thread_pool_stack=96k

Custom, Proprietary or Remote Rules

Varnish WAF is compatible with any ModSecurity Rule Language rule sets. These can be added locally or remotely.

WAF Installation Test

To test that the Varnish WAF is installed correctly you can run the following included VTC, /etc/varnish/modsec/waf.vtc. This VTC makes a few requests and uses a simple rule set that blocks all requests with a URL starting with /foo, returning a response code of 678.

The VTC can be run with:

varnishtest /etc/varnish/modsec/waf.vtc

The first two requests in the VTC do not contain foo and therefore receive a response code of 200, while the last three requests contain foo in some part of the URL and receive a response code of 678.
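The rule set behind the installation test is described above but not shown, and the previous section says that any ModSecurity Rule Language rule set can be added. The following is an added example of a small local rule file, not a file shipped with Varnish WAF: the path /etc/varnish/modsec/custom-rules.conf, the rule ids and the status code are assumptions, and the first rule is a reconstruction of the test behaviour described (deny when the URL starts with /foo with status 678), not the project's own waf.vtc rule. It is loaded with the same varnish_waf.add_files() call the configuration section uses.

```apacheconf
# Added example, not part of the Varnish WAF distribution.
# Assumed path: /etc/varnish/modsec/custom-rules.conf
# Load it after the CRS in vcl_init:
#   varnish_waf.add_files("/etc/varnish/modsec/custom-rules.conf");
# Ids 1-99,999 are reserved for local rules by the CRS, so they do not collide.

# Deny any request whose path starts with /foo, answering with status 678.
# phase:1 runs on the request headers, before any body is read, so the
# rejected request never reaches the backend. This mirrors the behaviour the
# installation test is described as exercising (assumed, not the shipped rule).
SecRule REQUEST_URI "@beginsWith /foo" \
    "id:10001,phase:1,deny,status:678,log,\
    msg:'Path under /foo blocked by local rule'"

# Observe-only rule: record request bodies declared larger than 1 MiB under
# the WAF VSL tag without blocking. Running a new rule with 'pass' first and
# reading varnishlog -g request -i WAF shows what it would have hit before
# the action is tightened to 'deny'.
SecRule REQUEST_HEADERS:Content-Length "@gt 1048576" \
    "id:10002,phase:1,pass,log,\
    msg:'Request body larger than 1 MiB observed'"
```

Rules only block when SecRuleEngine is On; the upstream modsecurity.conf-recommended file ships with SecRuleEngine DetectionOnly, so check that setting in /etc/varnish/modsec/modsecurity.conf if a deny rule logs but the request still returns 200.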

Logged Information

The Varnish WAF has a VSL tag, WAF, that records what the WAF did on each request. The command below outputs the information Varnish WAF logs for each request.

varnishlog -g request -i WAF

Basic Usage and Practices

ModSecurity is a vast toolbox capable of many things, but so is Varnish. It is best practice to use Varnish in certain cases, for example throttling or geolocation restriction. ModSecurity is fast and efficient, but the fewer rules that need to be parsed and acted upon, the faster a request will be. In cases like those listed above, or when serving static content, using Varnish allows you to skip ModSecurity altogether, getting the most performance with the same level of security.