varnish 2.15 - possible security exploit?
Poul-Henning Kamp
phk at phk.freebsd.dk
Tue Feb 22 15:46:45 CET 2011
In message <AANLkTimzDZXpY=OXb-g3uVj=FurbWpjHweJzLChqrBLg at mail.gmail.com>, Mike
Franon writes:
>HI,
>
>I was curious does anyone know of any serious security exploits that
>can use varnish as an open proxy?
Only if they can reload the Varnish VCL somehow. Varnish has the
backends hardcoded in VCL.
>The reason why I am thinking that some sort of exploit might be going
>on is, looking at the varnish logs I was seeing some url's for domains
>we do not even own.
And what does the log says happen to them ?
You can probably do something like:
if (req.http.host !~ "<regexp matching your domains") {
error(755); /* No need to be civilized here */
}
To prevent them from reaching your backend.
--
Poul-Henning Kamp | UNIX since Zilog Zeus 3.20
phk at FreeBSD.ORG | TCP/IP since RFC 956
FreeBSD committer | BSD since 4.3-tahoe
Never attribute to malice what can adequately be explained by incompetence.
More information about the varnish-misc
mailing list