It is common for a modern web site to want the advantages of Varnish’s excellent programming model alongside a web application firewall (WAF).
We’ve been looking at this space for a while and we’ll show you what we have found. Let us know if you’ve seen anything else.
WAF inside Varnish
We’ve seen a few projects work on getting a WAF to examine requests directly in Varnish. An example of this is the Varnish Security Firewall. After over a year in the wilderness, a few recent commits have appeared on the project to make it compatible with Varnish 4.0.
There’s also the Varnish Firewall which was last updated in 2012.
Both of these in-Varnish WAF options ship XSS and SQL injection detection rules. We were unable to find any published test results for either system.
ModSecurity with Varnish
We searched without success for a Varnish VMOD that runs the ModSecurity core library natively inside Varnish.
ModSecurity runs effectively in Apache and Nginx, and using these as a WAF proxy behind Varnish works well.
User traffic reaches your site through an SSL/TLS termination proxy, which forwards it to Varnish. Varnish is configured to fetch from the ModSecurity WAF proxy layer (Apache or Nginx with ModSecurity loaded), and the ModSecurity proxy layer is in turn configured to fetch content from your application. Only cache misses and passes ever reach the WAF; cache hits are served by Varnish without further inspection.
Because a decent ModSecurity ruleset has a significant per-request cost, the ModSecurity developers themselves recommend caching. Have a look at the ModSecurity Performance Recommendations, where the first recommendation is to put Varnish or another effective HTTP cache in front.
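As an added example (not from the original post or from the ModSecurity project), here is the Varnish side of that chain in VCL 4.0, the version the post discusses. The WAF layer's address and port, the probe URL and the 403 status are assumptions: ModSecurity denies with 403 by default, but adjust the test if your rules use another status. The point a practitioner will want to check is the caching interaction: a 403 is not cacheable by status in Varnish 4.0, so the builtin vcl_backend_response turns a WAF block on a cache miss into a 120-second hit-for-pass object, after which every request for that URL bypasses the cache and hits the backend. A single request with an attack payload in a header or cookie can therefore knock a popular URL out of the cache, and repeating it every two minutes keeps it out. The example delivers the block only to the client that triggered it and stores nothing.

```vcl
vcl 4.0;

# Varnish's backend is the ModSecurity proxy layer, not the application.
# Host, port and probe URL are assumptions for this example.
backend waf {
    .host = "127.0.0.1";
    .port = "8081";
    .probe = {
        .url = "/";
        .interval = 5s;
        .timeout = 2s;
        .window = 5;
        .threshold = 3;
    }
}

sub vcl_backend_response {
    # ModSecurity answers a blocked request with 403 (default) and no cache
    # headers. Without this block Varnish 4.0 would create a 120s hit-for-pass
    # object for the request's hash (URL + Host) and every client would bypass
    # the cache for that URL until it expired. Zero TTL, grace and keep plus
    # uncacheable means the 403 is neither cached nor turned into hit-for-pass.
    if (beresp.status == 403) {
        set beresp.ttl = 0s;
        set beresp.grace = 0s;
        set beresp.keep = 0s;
        set beresp.uncacheable = true;
        return (deliver);
    }
}
```

Varnish 4.0 appends the client address to X-Forwarded-For in core before vcl_recv runs, so the ModSecurity layer sees the real client address in that header rather than in the TCP connection; any IP-based rules or reputation checks on the WAF must be written against X-Forwarded-For, and the WAF should only trust that header from Varnish's address.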
Varnish with other WAF Proxies
Using the technique above you can also substitute a different WAF for ModSecurity. An actively developed alternative that takes a different angle is NAXSI, which runs inside Nginx and relies on a small set of scoring rules plus site-specific whitelists generated in its learning mode rather than on a large signature ruleset.
At that stage you might ask yourself “Why would I use Varnish when I have Nginx? Nginx is fast and has caching capabilities too”.
We really like Varnish’s VCL. It lets us solve problems with HTTP requests and responses without modifying the application, which keeps caching concerns somewhat separate from application code. In nginx, the ngx_http_proxy_module caches according to the Cache-Control and Expires headers sent in origin responses; overriding them is possible with proxy_ignore_headers and proxy_cache_valid, but only as per-location settings. You’ll need to make sure your application’s web server is sending the right headers, whereas in Varnish the same policy can often be expressed directly in VCL.
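As an added example (not from the original post), here is the kind of cache policy that is easy to express in VCL 4.0 without touching the application: the app is assumed to send no Cache-Control on its static assets and to use a session cookie named sessionid (both assumptions for this example, as are the backend address and the path prefix).

```vcl
vcl 4.0;

# Assumed backend: the WAF proxy layer from the previous section, or the app.
backend default {
    .host = "127.0.0.1";
    .port = "8081";
}

sub vcl_recv {
    # Static assets don't depend on the session. Drop the cookie so they hash
    # and cache identically for every client.
    if (req.method == "GET" && req.url ~ "^/static/") {
        unset req.http.Cookie;
        return (hash);
    }
    # Anything carrying a session cookie is personalised: never serve it from
    # the cache and never store it.
    if (req.http.Cookie ~ "(^|; *)sessionid=") {
        return (pass);
    }
}

sub vcl_backend_response {
    # The application sends no Cache-Control on static assets. Instead of
    # patching the app, give successful responses a one-hour TTL here and make
    # sure no Set-Cookie from the app leaks into the shared cached copy.
    if (bereq.url ~ "^/static/" && beresp.status == 200) {
        unset beresp.http.Set-Cookie;
        set beresp.ttl = 1h;
        return (deliver);
    }
    # Everything else follows the origin's headers, but cap the TTL so a
    # mistakenly large max-age from the app cannot pin stale content for days.
    if (beresp.ttl > 10m) {
        set beresp.ttl = 10m;
    }
}

sub vcl_deliver {
    # Make the cache decision visible to the client while testing the policy.
    if (obj.hits > 0) {
        set resp.http.X-Cache = "HIT";
    } else {
        set resp.http.X-Cache = "MISS";
    }
}
```

Requesting the same static asset twice and checking the X-Cache header shows whether the override took effect; the nginx equivalent of the static-asset rule would be a location block with proxy_ignore_headers Cache-Control Expires and proxy_cache_valid 200 1h.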
When deploying these systems, don’t forget metrics and log management, including the WAF’s own logs. It’s great to surface metrics and logs in a usable way so that you don’t need to log onto your servers to see what is happening. You’ll probably also need some kind of alerting that tells you when something is going wrong, such as a sudden rise in blocked requests or backend errors. Have a look at our other blog articles for some ideas on metrics systems.