[master] 1be3f1a add two params for -r consideration - and a bit for reformatting
perbu at varnish-software.com
Thu Feb 6 14:33:11 CET 2014
Author: Per Buer <perbu at varnish-software.com>
Date: Thu Feb 6 14:19:53 2014 +0100
add two params for -r consideration - and a bit for reformatting
diff --git a/doc/sphinx/users-guide/run_security.rst b/doc/sphinx/users-guide/run_security.rst
index a2557a2..fb4b4d4 100644
@@ -31,13 +31,13 @@ line, in order to make them invulnerable to subsequent manipulation.
The important decisions to make are:
-#. Who should have access to the Command Line Interface ?
+#. Who should have access to the Command Line Interface?
-#. Which parameters can they change ?
+#. Which parameters can they change?
-#. Will inline-C code be allowed ?
+#. Will inline-C code be allowed?
-#. If/how VMODs will be restricted ?
+#. If/how VMODs will be restricted?
CLI interface access
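Review bot: item 4, "If/how VMODs will be restricted?", is still not a well-formed question after the punctuation fix, unlike the three items above it. Suggest rewording it, for example "Will VMODs be restricted, and if so, how?".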
@@ -89,7 +89,7 @@ command on stdin/stdout, but since you started the process, it
would be hard to prevent you getting CLI access, wouldn't it ?
CLI interface authentication
By default the CLI interface is protected with a simple, yet
strong "Pre Shared Key" authentication method, which do not provide
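Review bot: the context line "would be hard to prevent you getting CLI access, wouldn't it ?" keeps the space before the question mark that the first hunk removes from the list items, so the cleanup is inconsistent within the same file. While here, "authentication method, which do not provide" should read "which does not provide".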
@@ -150,6 +150,9 @@ HTTP service, but a few can do more damage than that:
Execute arbitrary programs
+ Allow inline C in VCL, which would any C code from VCL to be executed by Varnish.
Furthermore you may want to look at and lock down:
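Review bot: the added sentence is missing its verb in "which would any C code from VCL to be executed by Varnish". Suggest "Allow inline C in VCL, which would allow any C code from VCL to be executed by Varnish." Since the commit is about parameters to consider for -r, also check that this entry names its parameter; the visible lines show only the description.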
@@ -158,6 +161,11 @@ Furthermore you may want to look at and lock down:
Retrict VCL/VMODS to :ref:`ref_param_vcl_dir` and :ref:`ref_param_vmod_dir`
+ The directory where Varnish will will look
+ for modules. This could potentially be used to load rouge
+ modules into Varnish.
The CLI interface
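Review bot: two typos in the added text: "will will look" should be "will look", and "rouge modules" should be "rogue modules". The context line just above has "Retrict" for "Restrict", which is worth fixing in the same pass. The description would also read more clearly if it named the directory parameter it refers to, since the preceding line mentions both the VCL and the VMOD directory.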