varnish 2.15 - possible security exploit?

Caunter, Stefan scaunter at
Tue Feb 22 19:03:35 CET 2011

>In message
<AANLkTimzDZXpY=OXb-g3uVj=FurbWpjHweJzLChqrBLg at>, Mike
 Franon writes:
>>I was curious does anyone know of any serious security exploits that
>>can use varnish as an open proxy?

>Only if they can reload the Varnish VCL somehow.  Varnish has the
>backends hardcoded in VCL.

>>The reason why I am thinking that some sort of exploit might be going
>>on is, looking at the varnish logs I was seeing some url's for domains
>>we do not even own.

>And what does the log says happen to them ?

>You can probably do something like:

>	if ( !~ "<regexp matching your domains") {
>		error(755);	/* No need to be civilized here */
>	}

>To prevent them from reaching your backend.

Sure, but maybe we have a non-host specific config for a farm, where if
DNS sends you to varnish, it doesn't check the host header, it just
selects a backend. A regexp matching many domains is avoided in this

Lets you put varnish in front of many sites without a lot of fuss.

If there's an invalid host, we can simply cache the "don't got" page.

Potential for DoS attack, but hardly specific to varnish.


More information about the varnish-misc mailing list