Varnish is the rock solid reverse proxy. It’s a web accelerator that serves your web pages as static content instead of serving PHP pages. Varnish also has a firewall component thanks to some vmods which have been integrated by comotion to provide a Web Application Firewall to protect your WordPress site or any other web site. A variety of attacks can be prevented like XSS, SQL injection, terminal command execution and other security vulnerabilities.
Varnish analyzes http packets very quickly so there is very little overhead on my Digital Ocean 512 MB VPS which this web site runs on. Even though Varnish 3 is end of life, many users may not have migrated to Varnish 4 or 4.1. I have run tests with Varnish 4 and 4.1 and a guide is prepared for that when the tests are complete. This WordPress Varnish Cache 3 firewall guide assumes you are using a Debian or Ubuntu system but the technique will work on any distro.
The Varnish 3 firewall integrates a lot of rules from the popular modsecurity web application firewall. You will see how to integrate the Varnish firewall rules into your VCL so you can configure the protection for your WordPress or other site. WordPress has a ridiculous market share so it is a prime target for attackers, protecting it is critical.
Attention: this should be tested thoroughly on a development environment
It is highly recommended to use a plugin to remove query strings from css and js files like Zend Speed Query
Install WordPress Varnish Cache 3 Firewall
I will assume you already have Varnish 3 installed and configured using this guide, in which case you only need to add the source repository if you don’t already have it and update the repository cache
echo "deb-src https://repo.varnish-cache.org/debian/ wheezy varnish-3.0" >> /etc/apt/sources.list.d/varnish-cache.list sudo apt-get update
Prepare the Varnish 3 source for building the firewall vmods
cd ~ sudo apt-get build-dep varnish -y sudo apt-get source varnish -y cd varnish-3.0.7 ./configure --prefix=/usr && sudo make -j4
Check your Varnish cache version
If it says anything other than varnish-3.0.7 execute the next 4 lines
The next 4 lines are for 32-bit only, this is because Varnish decided to stop compiling packages for 32-bit systems with the last version being 3.0.2, however when you build from source for the vmods you will get the final Varnish 3 version 3.0.7.
make install sudo cp ~/varnish-3.0.7/bin/varnishstat/varnishstat /usr/bin/varnishstat sudo cp ~/varnish-3.0.7/bin/varnishlog/varnishlog /usr/bin/varnishlog sudo cp ~/varnish-3.0.7/bin/varnishadm/varnishadm /usr/bin/varnishadm
Build Varnish 3 Firewall vmods
Install other dependencies for Varnish 3 vmod building, then loop through building the Varnish 3 vmods and installing them
sudo apt-get install dpkg-dev pkg-config build-essential git autotools-dev automake libtool -y cd ~ git clone -b 3.0 https://github.com/comotion/VSF --recursive cd VSF for mod in parsereq urlcode shield throttle; do cd libvmod-$mod ./autogen.sh ./configure VARNISHSRC=~/varnish-3.0.7 VMODDIR=/usr/lib/varnish/vmods make -j4 make install cd - done
Create the Varnish security directory and copy the firewall vcl files there
mkdir -p /etc/varnish/security cp -r ~/VSF/vcl/* /etc/varnish/security/
Configure Varnish 3 Firewall
In Varnish default.vcl add this line immediately after your
sub vcl_rcv section’s last curly bracket. If you want added security you can add the include line before sub vcl_recv begins but you may get some false positives.
} # sub vcl_recv ends include "/etc/varnish/security/vsf.vcl";
Test your Varnish firewall configuration will load
varnishd -C -f /etc/varnish/default.vcl
If you see any errors you will need to fix them, I had to uncomment throttle and shield because the vsf.vcl already includes them for DDoS protection.
#import throttle; #import shield;
Test your configuration again and if it succeeds reload Varnish to enable the web application firewall
sudo service varnish reload
Testing Varnish 3 Firewall
You should monitor any requests that may be caught as false positives by using varnishlog
varnishlog -c -m VCL_Log:
You are welcome to test out different XSS and SQL injection attacks now
You can test a WordPress SQL injection attack like this and see that Varnish firewall prevents it
HTPC’ OR 1=1 OR ‘Guides
Here is a simple XSS WordPress attack, replace my homepage URL with your own
http://www.htpcguides.com/<script>alert('HTPC Guides Varnish Firewall Example')</script>
You should find that both attacks result in this error message demonstrating the Varnish firewall is working to protect WordPress.