varnish 2.15 - possible security exploit?

Caunter, Stefan scaunter at topscms.com
Tue Feb 22 19:03:35 CET 2011


>In message
<AANLkTimzDZXpY=OXb-g3uVj=FurbWpjHweJzLChqrBLg at mail.gmail.com>, Mike
 Franon writes:
>>I was curious does anyone know of any serious security exploits that
>>can use varnish as an open proxy?

>Only if they can reload the Varnish VCL somehow.  Varnish has the
>backends hardcoded in VCL.

>>The reason why I am thinking that some sort of exploit might be going
>>on is, looking at the varnish logs I was seeing some url's for domains
>>we do not even own.

>And what does the log says happen to them ?

>You can probably do something like:

>	if (req.http.host !~ "<regexp matching your domains") {
>		error(755);	/* No need to be civilized here */
>	}

>To prevent them from reaching your backend.


Sure, but maybe we have a non-host specific config for a farm, where if
DNS sends you to varnish, it doesn't check the host header, it just
selects a backend. A regexp matching many domains is avoided in this
case. 

Lets you put varnish in front of many sites without a lot of fuss.

If there's an invalid host, we can simply cache the "don't got" page.

Potential for DoS attack, but hardly specific to varnish.

SC



More information about the varnish-misc mailing list