Varnish WAF


Varnish WAF is currently available on RedHat Enterprise Linux 7 and CentOS 7. Access to Varnish Plus is required. Please get in touch via for more information on Varnish Plus.

RedHat Enterprise Linux Installation

Varnish WAF is available through the varnish-plus-waf package.

sudo yum update
sudo yum install varnish-plus varnish-plus-waf

Installing the OWASP CRS

Varnish will need read and write access to all things ModSecurity and CRS related. A directory, /etc/varnish/modsec, can be created with varnish as the owner. Similarly any files that are used in Varnish WAF will need the same access level. There are three main files that need to be created: the audit log, the debug log and the main WAF configuration file.

sudo mkdir /etc/varnish/modsec
sudo chown varnish /etc/varnish/modsec
sudo -u varnish touch /etc/varnish/modsec/audit.log
sudo -u varnish touch /etc/varnish/modsec/debug.log
sudo -u varnish touch /etc/varnish/modsec/waf.conf

Now that the minimum set of needed files are created, the CRS and related files can be installed. The below instructions will install the set of rules, the CRS configuration file and the ModSecurity configuration file. It should be noted that the below instructions will make copies of some files. This is best practice to have a baseline to go back to if needed. The three files that are copied are: crs-setup.conf.example, modsecurity.conf.example and RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example. These configuration files are used to update the settings for the CRS and ModSecurity, and set up a list of rules to exclude from the CRS (to avoid false positives).

# download CRS v3.0.2.tar.gz and name it owasp-crs
sudo -u varnish wget -O /etc/varnish/modsec/owasp.tar.gz
sudo -u varnish tar -xzf /etc/varnish/modsec/owasp.tar.gz
sudo mv /etc/varnish/modsec/owasp-modsecurity-crs-3.0.2 \

# stash copy of original crs-setup.conf for editing
sudo cp /etc/varnish/modsec/owasp-crs/crs-setup.conf.example \

# stash copy of original exclusions example for editing
sudo cp /etc/varnish/modsec/owasp-crs/rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example \

# download ModSecurity configuration file
sudo -u varnish wget -O \

# stash copy of original modsecurity.conf for editing
sudo cp /etc/varnish/modsec/modsecurity.conf.example \