Install + Configure WordPress Varnish Cache 3 Firewall

Varnish is the rock solid reverse proxy. It’s a web accelerator that serves your web pages as static content instead of serving PHP pages. Varnish also has a firewall component thanks to some vmods which have been integrated by comotion to provide a Web Application Firewall to protect your WordPress site or any other web site. A variety of attacks can be prevented like XSS, SQL injection, terminal command execution and other security vulnerabilities.

Varnish analyzes http packets very quickly so there is very little overhead on my Digital Ocean 512 MB VPS which this web site runs on. Even though Varnish 3 is end of life, many users may not have migrated to Varnish 4 or 4.1. I have run tests with Varnish 4 and 4.1 and a guide is prepared for that when the tests are complete. This WordPress Varnish Cache 3 firewall guide assumes you are using a Debian or Ubuntu system but the technique will work on any distro.

The Varnish 3 firewall integrates a lot of rules from the popular modsecurity web application firewall. You will see how to integrate the Varnish firewall rules into your VCL so you can configure the protection for your WordPress or other site. WordPress has a ridiculous market share so it is a prime target for attackers, protecting it is critical.

Attention: this should be tested thoroughly on a development environment

It is highly recommended to use a plugin to remove query strings from css and js files like Zend Speed Query

VPS Provider
Hard Drive
US, EU, Asia
768 MB
100 Mbps
$5 / month
Digital Ocean
US, EU, Asia
512 MB
100 Mbps
$5 / month
US, UK, China, Australia
768 MB
20 GB
1-10 Gbps
$15 / year

Install WordPress Varnish Cache 3 Firewall

I will assume you already have Varnish 3 installed and configured using this guide, in which case you only need to add the source repository if you don’t already have it and update the repository cache

echo "deb-src wheezy varnish-3.0" >> /etc/apt/sources.list.d/varnish-cache.list
sudo apt-get update

Prepare the Varnish 3 source for building the firewall vmods

cd ~
sudo apt-get build-dep varnish -y
sudo apt-get source varnish -y
cd varnish-3.0.7
./configure --prefix=/usr && sudo make -j4

Check your Varnish cache version

varnishd -V

If it says anything other than varnish-3.0.7 execute the next 4 lines

The next 4 lines are for 32-bit only, this is because Varnish decided to stop compiling packages for 32-bit systems with the last version being 3.0.2, however when you build from source for the vmods you will get the final Varnish 3 version 3.0.7.

make install
sudo cp ~/varnish-3.0.7/bin/varnishstat/varnishstat /usr/bin/varnishstat
sudo cp ~/varnish-3.0.7/bin/varnishlog/varnishlog /usr/bin/varnishlog
sudo cp ~/varnish-3.0.7/bin/varnishadm/varnishadm /usr/bin/varnishadm

Build Varnish 3 Firewall vmods

Install other dependencies for Varnish 3 vmod building, then loop through building the Varnish 3 vmods and installing them

sudo apt-get install dpkg-dev pkg-config build-essential git autotools-dev automake libtool -y
cd ~
git clone -b 3.0 --recursive
cd VSF
for mod in parsereq urlcode shield throttle; do
   cd libvmod-$mod
   ./configure VARNISHSRC=~/varnish-3.0.7 VMODDIR=/usr/lib/varnish/vmods
   make -j4
   make install
   cd -

Create the Varnish security directory and copy the firewall vcl files there

mkdir -p /etc/varnish/security
cp -r ~/VSF/vcl/* /etc/varnish/security/

Configure Varnish 3 Firewall

In Varnish default.vcl add this line immediately after your sub vcl_rcv section’s last curly bracket. If you want added security you can add the include line before sub vcl_recv begins but you may get some false positives.

} # sub vcl_recv ends
include "/etc/varnish/security/vsf.vcl";

Test your Varnish firewall configuration will load

varnishd -C -f /etc/varnish/default.vcl

If you see any errors you will need to fix them, I had to uncomment throttle and shield because the vsf.vcl already includes them for DDoS protection.

#import throttle;
#import shield;

Test your configuration again and if it succeeds reload Varnish to enable the web application firewall

sudo service varnish reload

Testing Varnish 3 Firewall

You should monitor any requests that may be caught as false positives by using varnishlog

varnishlog -c -m VCL_Log:

You are welcome to test out different XSS and SQL injection attacks now

You can test a WordPress SQL injection attack like this and see that Varnish firewall prevents it

HTPC’ OR 1=1 OR ‘Guides

Here is a simple XSS WordPress attack, replace my homepage URL with your own<script>alert('HTPC Guides Varnish Firewall Example')</script>

You should find that both attacks result in this error message demonstrating the Varnish firewall is working to protect WordPress.