To make it easy to get started configuring your reverse proxies, section.io offers a few basic configuration options for Varnish and ModSecurity. For more advanced topics, see our guide on Advanced Configuration.
To make getting your CDN set up easier, we have a number of configuration options you can enable without having to know how to use Varnish’s VCL programming language. To use these, go to the Proxy page under the Configuration menu in Aperture. To use these features, the following line needs to be in your default.vcl file under the backend declaration (it will be there by default). Note that these basic options work for VCL 4.0 only.
The following configuration options are available.
These apply to all requests, no matter what (if any) file extension they have.
These options apply only to static files, that is, files with the following file extensions: css, js, jp(e)g, png, gif, ico & swf.
Cache Statics TTL: Setting this to something other than Retain origin setting will cause us to cache all static resources for the length of time specified. By selecting Retain origin setting we will only cache files that have the appropriate cache-control response header sent from the origin.
Remove Querystring: If someone requests a static file from your site with a querystring this will result in a cache miss if no one has requested that exact URL before. By switching this option on we will remove all querystring parameters before caching the object. Don’t enable this if querystrings are needed to load static content correctly.
Browser Cache TTL: Specifies how long your visitors’ browsers will cache files using the cache-control response header sent to their browsers. By selecting Retain origin setting we will not change the cache-control header and will simply pass through what your origin server sends.
Changes made to these options will be reflected in the proxy-features.json file in the proxy folder in your application git repository, so you can see when options were changed. You can view the VCL that is generated by these options on the Generated VCL tab.
To start writing your own VCL, you’ll need to head over to the repo.
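For orientation, here is one way the three static-file options described above could be written by hand in VCL 4.0. This is an added example, not the VCL that section.io generates; the backend address, the 1 hour cache TTL and the 1 day browser TTL are assumed values.

```vcl
vcl 4.0;

# Assumed origin address, for illustration only.
backend default {
    .host = "127.0.0.1";
    .port = "8080";
}

sub vcl_recv {
    # Remove Querystring: match only when the static extension is in the
    # path itself ([^?]* stops at the first "?"), so /page.php?f=a.css?x
    # is left alone. /app.css?v=1 and /app.css?v=2 then share one cache
    # object. The origin also receives the URL without the querystring,
    # which is why this must stay off when statics depend on it.
    if (req.url ~ "(?i)^[^?]*\.(css|js|jpe?g|png|gif|ico|swf)\?") {
        set req.url = regsub(req.url, "\?.*$", "");
    }
}

sub vcl_backend_response {
    if (bereq.url ~ "(?i)^[^?]*\.(css|js|jpe?g|png|gif|ico|swf)$") {
        # Cache Statics TTL: fixed lifetime instead of the origin's
        # (1 hour is an assumed value).
        set beresp.ttl = 1h;
    }
    # No return here: Varnish's built-in vcl_backend_response runs next
    # and still marks responses carrying Set-Cookie or Cache-Control
    # private/no-cache/no-store as uncacheable.
}

sub vcl_deliver {
    if (req.url ~ "(?i)^[^?]*\.(css|js|jpe?g|png|gif|ico|swf)$") {
        # Browser Cache TTL: replace the header visitors' browsers see
        # (1 day is an assumed value).
        set resp.http.Cache-Control = "public, max-age=86400";
    }
}
```

Because the built-in logic still runs, a static URL whose origin response sets a cookie is not stored in the shared cache under this sketch.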
To make getting your CDN set up easier, we have a number of configuration options you can enable without writing any code. We’ve defined rules that you can view by going to the Proxy page under the Configuration menu in Aperture. If you have both Varnish Cache and ModSecurity set up, you will need to click Proxy in the top nav to display a drop-down menu showing both of your reverse proxies, then select ModSecurity.
The initial configuration in a repository starts ModSecurity’s SecRuleEngine in DetectionOnly mode (this writes log entries but never executes any disruptive actions). This is a great starting point, as you can immediately see possible threats without stopping legitimate traffic to your site.
For each config file that we’ve set up, you can see a list of rules within that file and an on/off toggle. Turning the toggle “On” will allow that rule to start actively detecting matching traffic. To switch the rules into a blocking mode, you’ll need to do advanced configuration by editing files in the repo. To learn more about what each rule does, visit the OWASP ModSecurity Rule Set Project.