Security.VCL

Kristian Lyngstol kristian at redpill-linpro.com
Fri Aug 14 13:05:03 CEST 2009


I just committed /varnish-tools/security.vcl, which is an early version of
a pet project Edward Bjarte Fjellskål, Kacper Wysocki and I have been
working on.

The idea is to add basic filtering of common exploits in VCL, but with
minimal impact on normal VCL. This early version has a few ugly details
(like hard-coded paths), and some of the rules, especially in vcl/breach/,
are likely to be downright wrong.

The work is loosely based on mod_security (breach/ is automatically
generated based on mod_security), but we've added several of our own rules
too. The major drawbacks right now are that we can't parse POST data, and
that Varnish uses POSIX regex while mod_security uses Perl regex.

If you're curious about Security.VCL, I suggest you take a look at the
README and the vcl/main.vcl.

We'll continue to work on this sporadically, but patches are welcome.

-- 
Kristian Lyngstøl
Redpill Linpro AS
Tlf: +47 21544179
Mob: +47 99014497