Hacking Varnish

Varnish can be a powerful asset in the infrastructure, but what about security?

What’s the point of Varnish?

Varnish is a caching HTTP reverse proxy. In other words, it’s the part of the infrastructure you put in front of the server to take the incoming traffic and cache everything that is cacheable in the outgoing traffic.

The name comes from the deceptively attractive appearance and the act of glossing over. In other words, your server sucks ^^. You need Varnish to make it shine.

You can read my previous post about Varnish if you want a more detailed presentation. Roughly speaking, it reduces bandwidth usage, footprint, and the server’s load by caching both static and dynamic content.

It can significantly boost the frontend, especially the famous Time To First Byte (TTFB), so it’s a great solution if you need to scale.

But, is this go-between secure?

Varnish is written in C, with a few tools written in Python. Unlike many other technologies, it has had very few security flaws.

Source: CVE details

The codebase looks pretty secure. In any case, Varnish has a critical position in the infrastructure. It can be the first gate in your security system, encrypting all bytes of data between your server and the user, improving privacy protection, and preventing harmful leaks.

You can use Varnish Total Encryption to achieve that.

The concept of “Throttling”

Varnish has various VMODs, which are Varnish plugins, that can enhance security.

You can use Varnish Throttle to slow down incoming traffic when you suspect malicious behavior, keying the limit on IP addresses, specific headers, or URL patterns (e.g., particular parameters or API keys).

It’s a very clever way to gain performance, or at least to avoid wasting your resources, by regulating the traffic, even though Varnish can handle thousands of requests per second.

It’s beneficial in the case of a DDoS (distributed denial-of-service) attack. And it’s not only about fighting hackers: a partner might hammer your server accidentally, for example, when consuming a private API.

Throttling can consist of rate-limiting, such as accepting the first seven requests per second and throttling anything beyond that, returning a 429 (the HTTP status for “Too Many Requests”).
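The rate-limiting policy just described, as an added VCL example that is not from the original post. It uses the open-source vsthrottle VMOD from the varnish-modules collection rather than the enterprise Throttle VMOD, so the function name and signature are those of vsthrottle; the `X-Api-Key` header, the `/api/` prefix, the backend address and the second, looser limit are constructed for the example.

```vcl
vcl 4.1;

# vsthrottle keeps one token bucket per key: is_denied(key, limit, period)
# returns true once more than `limit` requests for `key` arrived in `period`.
import vsthrottle;

# Constructed backend address for the example.
backend default {
    .host = "127.0.0.1";
    .port = "8080";
}

sub vcl_recv {
    # Private API partners authenticate with an X-Api-Key header (assumed
    # header name), so their bucket is keyed on that value; anonymous
    # callers fall back to client.identity, which defaults to the client IP.
    if (req.url ~ "^/api/") {
        if (req.http.X-Api-Key) {
            set req.http.X-Throttle-Key = "api:" + req.http.X-Api-Key;
        } else {
            set req.http.X-Throttle-Key = "ip:" + client.identity;
        }
        # The policy from the text: seven requests per second per key,
        # everything beyond that gets a 429 until the window has passed.
        if (vsthrottle.is_denied(req.http.X-Throttle-Key, 7, 1s)) {
            unset req.http.X-Throttle-Key;
            return (synth(429, "Too Many Requests"));
        }
        unset req.http.X-Throttle-Key;
    } else if (vsthrottle.is_denied("ip:" + client.identity, 50, 10s)) {
        # Looser, IP-keyed limit for the rest of the site (constructed value).
        return (synth(429, "Too Many Requests"));
    }
}

sub vcl_synth {
    if (resp.status == 429) {
        # Retry-After lets well-behaved clients back off instead of retrying
        # immediately; the value matches the one-second window above.
        set resp.http.Retry-After = "1";
        set resp.http.Content-Type = "text/plain; charset=utf-8";
        synthetic("Too many requests, slow down.");
        return (deliver);
    }
}
```

Keying on the API key rather than only on the IP address means a partner behind a NAT does not get throttled because of an unrelated client sharing the same address, while an accidental retry loop in that partner’s integration is still contained to its own bucket. The internal `X-Throttle-Key` header is unset after the check so it never leaks to the backend.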

No native support for HTTPS

Varnish is a master/slave architecture, so the privileges are clearly differentiated.

There’s no native support for SSL/TLS, but you can use Hitch to terminate TLS/SSL connections and forward the unencrypted traffic to Varnish.
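How Varnish can still tell which requests came in over TLS once Hitch has stripped it, as an added VCL example that is not from the original post. It assumes a Hitch configuration with `write-proxy-v2 = on` forwarding to a varnishd listener started with `-a 127.0.0.1:8443,PROXY`, plus a plain `-a :80` listener for unencrypted traffic, and it uses the bundled vmod_proxy to read the PROXY protocol header; the backend address and the HSTS max-age are constructed values.

```vcl
vcl 4.1;

# vmod_proxy reads what the PROXY v2 header from Hitch carried, including
# whether the client connection to Hitch was encrypted.
import proxy;

# Constructed backend address for the example.
backend default {
    .host = "127.0.0.1";
    .port = "8080";
}

sub vcl_recv {
    # Assumed deployment: Hitch on :443 (write-proxy-v2 = on) forwards to
    # varnishd on 127.0.0.1:8443 with ",PROXY", and varnishd also listens on
    # :80 for plain HTTP. On the plain listener there is no PROXY header, so
    # is_ssl() is false and the client is redirected to HTTPS.
    if (!proxy.is_ssl()) {
        return (synth(750));
    }
    # Overwrite (never trust) the client-supplied value so the backend knows
    # the hop in front of Varnish was encrypted.
    set req.http.X-Forwarded-Proto = "https";
}

sub vcl_synth {
    if (resp.status == 750) {
        set resp.status = 301;
        set resp.http.Location = "https://" + req.http.host + req.url;
        return (deliver);
    }
}

sub vcl_deliver {
    # HSTS only on responses that actually travelled over TLS (constructed
    # max-age of one year).
    if (proxy.is_ssl()) {
        set resp.http.Strict-Transport-Security = "max-age=31536000";
    }
}
```

The point of the redirect is that the unencrypted `:80` listener never serves content; it only sends the browser to the TLS endpoint. Because `X-Forwarded-Proto` is set unconditionally from what the PROXY header says, a client cannot claim an encrypted connection it did not have.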

Poul-Henning Kamp, the creator of Varnish, publicly rejected SSL several times:

Until I get my time-machine working, that half year would be taken away of other Varnish development, so the result had better be worth it: If it isn’t, we have just increased the total attack-surface and bug-probability for no better reason than “me too!”.

Source: SSL again

You can read his first post about HTTPS here.

Open-source project vs. enterprise edition

The enterprise product has many great features, including advanced engineering support, frequent release cycles, backported security updates for all versions, and a WAF (web application firewall) derived from ModSecurity, preventing most known threats such as code injections.

Not surprisingly, the open-source project does not have the same features, and it’s not uncommon to have unpatched flaws in unsupported versions.

One can say fair enough, as it’s undeniably a fantastic technology. However, pricing starts from $15,000, which may look expensive.

I’m not saying it’s not worth it (again, it’s a beautiful piece of technology), but it’s not within everybody’s reach. Note that this does not mean you cannot fine-tune the free version to get a high level of protection and performance, but it will require experience and knowledge, and, above all, time, to configure it correctly.

The community shares exciting free resources, such as VSF, but it’s still a work in progress, and I doubt they have the necessary time and resources to support all versions. Anyway, it can be a great source of inspiration for setting security rules in your Varnish.

Conclusion

If correctly configured, Varnish can be a great asset for your infrastructure’s safety, mitigating the risks and reducing the damages of DDoS attacks.

If you have the budget, the enterprise product seems a fair investment, but even the free version can drastically improve performance and security for your online business.