comotion/security.vcl

Stars
193
Rank 201,081 (Top 4 %)
Language VCL
License
GNU General Publi...
Created about 14 years ago
Updated about 5 years ago

comotion/security.vcl

comotion

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

protect your websites with varnish rules

Security.VCL

===================================
===================================
This project is  mostly deprecated. 
===================================
===================================

Please use the Varnish Security Firewall:
 - https://github.com/comotion/VSF


=================================
1. About Security.VCL
2. Basic usage
3. The Architecture
4. Handlers
=================================

This is work in progress just like any security app should be.
Use at your own discretion.

1. About Security.VCL
=====================

Security.VCL is a Web Application Firewall implemented in Varnish Control Language.

Security.VCL aims to provide:
 - A standardized framework for security-related filters
 - Several core rule-sets
 - A tool to generate Security.VCL modules from mod_security rules.
 - A limited set of default 'handlers', for instance CGI scripts to call
   upon when Bad Stuff happens.

This is done mainly by using clever VCL, and with as little impact on
normal operation as possible. The incident handlers are mainly CGI-like
scripts on a backend.

2. Basic usage
==============

To use Security.VCL, you currently have to:

Set up Varnish >= 3.0.x and then:

$ cd vcl/
$ make
$ cd ..
$ ln -s $PWD/vcl/ /etc/varnish/security/

then you edit your default.vcl and add this line near the top:

	include "/etc/varnish/security/main.vcl";

At this point, you should only need to reload your varnish configuration.

You may have to or want to modify config.vcl to fit your needs. 
Remember that paths must be hardcoded and absolute.


3. The Architecture
===================

Security.VCL currently have two categories of rules: rules generated from
mod_security, located in vcl/breach/ and our own rules, vcl/modules/.
Ready-to-use mod_security-Rules can be found here:
https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project#tab=Home

Security.VCL works by including all modules, then defining a number of
standard functions. Each module will set X-SEC-Severity = "N", where N is the
severity, and call sec_handler which in turn typically calls error or some other handler.

4. Handlers
===========

The general concept is that security.VCL either throws an error 
(vcl_error) of some kind, which can return a redirect the client,
or do any other synthetic response, or Security.VCL can log, 
rewrite the original request and send it to a backend
designed to do more clever things, like:

- Block the client in a firewall
- Log the event
- Test-run the code.
- Paint you a pretty picture....
- ....

There are several handlers defined and you can set the default handler in handlers.vcl.
The default handler rejects detected malicious traffic.

Also you may write your own handler, see handlers.vcl

5. Known Issues
===============

Let us know! http://github.com/comotion/security.vcl/issues

VSF

Varnish Security Firewall

cpm

Console Password Manager

edd

Entropy DDoS Detection

gitson

Ultralite distributed DNS syndication.

gone

the zero-impact configuration system

redmine-version-slip

Plugin to notify about modifications in due dates by posting news.

radiostream

various scripts to stream radio

hangover

fcgi

FastCGI launcher scripts

ii

irc it, simple FIFO based irc client

mooncore

coreutils implemented in ljsyscall

marvin-gayebot

coolest bot in town

onscreen

a set of programs to display status info onscreen at various events

lowpower

Fire-once script to reduce system power usage to a minimum

isckill

tools to kill off ISC tools and programs once and for all

ioadam

This script allows you to control ADAM-6066 through the shell.

ucspi-tcp

djb's tcpserver and tcpclient