
Varnish and Security

The correlation between cloud/edge computing and security is growing stronger every day, and any caching/CDN solution needs to be able to secure your data.


The correlation between cloud/edge computing and security is growing stronger every day, and any caching/CDN solution loses value if it doesn't deliver a set of features that can address this correlation by securing data and connections.

With the upcoming GDPR (General Data Protection Regulation), which comes into force on May 25 and affects any business with even a single European user, the demand for security is accelerating. End users and customers also require that their data be protected and their connections be safe, and the recent revelations (and scandals) around Facebook have shown how important that is.

Varnish, as a reverse proxy and CDN software, usually sits in a very strategic layer of your architecture: in most cases it is the very first HTTP gate a user request has to pass through to be fulfilled. Therefore, each Varnish solution comes with a complete set of features that can help to secure your architecture.


HTTPS Support

Varnish provides secure connections on both the client and the backend side. This means that the data shuffled between your Varnish server and the final user, and the bytes between the origin server and Varnish, are always encrypted, protecting privacy and avoiding data leaks.

Hitch is an SSL/TLS client terminator and secures client-side connections; it's an open source project and fully supported by Varnish Software.

Backend-side HTTPS is a Varnish Software feature. Securing a backend is as easy as setting a flag (on/off) in your Varnish configuration.
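The following VCL is an added example, not code from the article or from Varnish Software. It assumes the deployment the two paragraphs above describe: Hitch terminates TLS on port 443 and hands connections to Varnish on a local listener using the PROXY protocol (Varnish started with `-a :80 -a 127.0.0.1:8443,PROXY`), and the backend is reached over TLS using the Varnish Enterprise backend options (`.ssl` and friends), which are not available in open-source Varnish; the origin hostname is a placeholder and the option names should be checked against your Varnish Enterprise version.

```vcl
vcl 4.1;
import std;

# Backend-side TLS (Varnish Enterprise only, assumed option names).
backend origin {
    .host = "origin.example.internal";   # placeholder hostname
    .port = "443";
    .ssl = 1;               # speak TLS to the origin
    .ssl_sni = 1;           # send the hostname in the TLS handshake
    .ssl_verify_peer = 1;   # refuse an origin whose certificate does not validate
    .ssl_verify_host = 1;   # and one whose certificate does not match .host
}

sub vcl_recv {
    # With PROXY protocol, server.ip carries the address and port the client
    # really connected to, so port 443 means the request came through Hitch
    # over TLS. Anything else arrived in the clear on the :80 listener.
    if (std.port(server.ip) != 443) {
        return (synth(301, "Moved Permanently"));
    }
}

sub vcl_synth {
    # Send plain-HTTP clients to the HTTPS version of the same URL.
    if (resp.status == 301) {
        set resp.http.Location = "https://" + req.http.host + req.url;
        return (deliver);
    }
}

sub vcl_deliver {
    # Ask browsers to use HTTPS only for the next year, including subdomains,
    # so a later downgrade attempt never reaches the :80 listener.
    set resp.http.Strict-Transport-Security = "max-age=31536000; includeSubDomains";
}
```

Keep the PROXY listener bound to localhost (or a private interface) only: a client that can reach it directly could forge the PROXY header and therefore the client address and the "arrived over TLS" decision above.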

Encrypting data in cache is as important as having secure connections, as everyone wants to avoid disasters like Cloudbleed. Encrypted cached content will be useless in the event of a data breach, ensuring that your customers' private information is protected.

Varnish Total Encryption is a Varnish module (VMOD) that is fully tweakable via VCL. Every object in cache will have its own unique AES256 encryption key. This unique key, based on the request fingerprint, is assigned to each request, making it impossible for a request to return anything but its intended cache object.

Encrypting your whole caching layer, from end to end, including cached content, makes your whole infrastructure more secure and resilient and helps your business be completely GDPR compliant.

Request Inspection and Throttling

Request Body Access

Vmod-bodyaccess exposes the request body in VCL, providing functions, among others, to:

  • Log the request body to VSL (Varnish Shared Log) making it available for inspection and for use by other components. The request body can be split into multiple lines to make it more readable.
  • Find strings in a request body. Using regular expressions, you can detect if malicious patterns are present within the suspicious request and run a check on those.
  • Evaluate the request body length.

Combining regular-expression checks with the length of the request body, we can mark a request as potentially dangerous. If many requests get marked as critical, this could be a DDoS attack.

Request Throttling

Vmod-vsthrottle provides an API, accessible via VCL, to slow down the pace of incoming requests if anything suspicious is detected, e.g. if the same IP address makes numerous requests within a short amount of time (usually seconds). Requests are paced based on a key that can be any VCL string, e.g. an IP address, a header, a token, etc.

Optionally, specific requests can be blocked for a period of time if the rate limit threshold is reached, which helps by throttling down specific traffic patterns.

Even though Varnish can handle more than 20 thousand requests per second, detecting dubious requests and throttling them down is vital to providing good service and avoiding wasted resources.
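The VCL below is an added example (not from the article) that ties the two previous sections together: a request body is buffered, checked for length and for a suspicious pattern with vmod-bodyaccess, flagged, and then rate-limited per client with vmod-vsthrottle, flagged clients getting a much smaller budget. The `/api/` path, the size threshold, the pattern and the request limits are constructed values; the VMOD function names are those of the open-source varnish-modules, so confirm them against the version you run.

```vcl
vcl 4.1;
import std;
import bodyaccess;
import vsthrottle;

backend default { .host = "127.0.0.1"; .port = "8080"; }   # placeholder origin

sub vcl_recv {
    set req.http.X-Suspicious = "0";

    # Inspect bodies only where they are expected, and cap what is buffered so
    # an oversized POST cannot exhaust Varnish memory (constructed limits).
    if (req.method == "POST" && req.url ~ "^/api/") {
        if (!std.cache_req_body(100KB)) {
            return (synth(413, "Payload Too Large"));
        }

        # Length check: legitimate calls to this endpoint are small.
        if (bodyaccess.len_req_body() > 20000) {
            set req.http.X-Suspicious = "1";
        }

        # Pattern check: rematch_req_body() returns 1 on match, 0 on no match,
        # -1 on error (for example when the body was not cached first).
        if (bodyaccess.rematch_req_body("(?i)(<script|union\s+select|\.\./\.\./)") == 1) {
            set req.http.X-Suspicious = "1";
            # Write the first 256 bytes to VSL, prefixed so varnishlog can filter it.
            bodyaccess.log_req_body("BodyAccess:", 256);
        }
    }

    # Pace requests per client. client.identity defaults to the client IP; with
    # Hitch or a load balancer in front, make sure it is the real client address
    # (PROXY protocol) and not the proxy's, or every user shares one bucket.
    if (req.http.X-Suspicious == "1") {
        # Flagged clients: at most 3 requests per 10 seconds.
        if (vsthrottle.is_denied("flagged:" + client.identity, 3, 10s)) {
            return (synth(429, "Too Many Requests"));
        }
    } else if (vsthrottle.is_denied("all:" + client.identity, 100, 10s)) {
        # Everyone else: 100 requests per 10 seconds.
        return (synth(429, "Too Many Requests"));
    }
}
```

Recent varnish-modules releases also accept a fourth `is_denied()` argument, a block duration, which implements the "block for a period of time once the threshold is reached" behaviour the section describes; check your installed version before relying on it. Keep the regular expression short and anchored where possible, since it runs on every buffered body.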

Web Application Firewall

The Varnish Web Application Firewall allows you to set your own security rules in ModSecurity style. It is implemented as a VMOD, making it configurable via VCL.

The Varnish WAF can help you by preventing code injections and blocking malicious clients, thereby protecting your origin servers. It can be considered a security perimeter defense. It is currently under development and will be available starting in Q3 2018.

Authentication and Authorization

Using VCL, Varnish can run authentication and authorization logic. Authentication means we can identify each user based on a cookie header or any other VCL token. Once authentication has succeeded, still in VCL, we can decide which piece of content each user is allowed to access.

Combining those two steps, a Varnish paywall can be implemented; the solution is written entirely in VCL using, among others, vmod-http and vmod-kvstore.
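The VCL below is an added example, not the paywall the article refers to: where that solution consults a store through vmod-http and vmod-kvstore (Varnish Enterprise), this example authenticates with a signed session cookie instead, so it runs on open-source Varnish with libvmod-digest (assumed installed; `hmac_sha256()` returns a lowercase hex string). The cookie format `session=<user>.<hmac>`, the `/premium/` path and the shared key are constructed for the example; in a real deployment the key would be injected at VCL load time and rotated, never kept in the VCL file.

```vcl
vcl 4.1;
import digest;   # libvmod-digest, assumed available

backend default { .host = "127.0.0.1"; .port = "8080"; }   # placeholder origin

sub vcl_recv {
    # Never trust an identity header supplied by the client.
    unset req.http.X-User;

    # Authentication: the login backend sets  session=<user>.<hex hmac>  where
    # the HMAC is computed over <user> with a key shared with Varnish.
    if (req.http.Cookie ~ "(^|;\s*)session=[A-Za-z0-9_-]+\.[0-9a-f]{64}(;|$)") {
        set req.http.X-Sess = regsub(req.http.Cookie, "^(.*;\s*)?session=([^;]+).*$", "\2");
        set req.http.X-Sess-User = regsub(req.http.X-Sess, "^([^.]+)\..*$", "\1");
        set req.http.X-Sess-Sig  = regsub(req.http.X-Sess, "^[^.]+\.(.*)$", "\1");

        # Recompute the signature; only a matching one yields an identity.
        if (digest.hmac_sha256("example-shared-key", req.http.X-Sess-User) == req.http.X-Sess-Sig) {
            set req.http.X-User = req.http.X-Sess-User;
        }
        # Drop the working headers so they are never forwarded to the origin.
        unset req.http.X-Sess;
        unset req.http.X-Sess-User;
        unset req.http.X-Sess-Sig;
    }

    # Authorization: everything under /premium/ requires an authenticated user.
    if (req.url ~ "^/premium/" && !req.http.X-User) {
        return (synth(401, "Authentication required"));
    }
}

sub vcl_hash {
    # Premium objects are cached per user, so one subscriber's response can
    # never be served from cache to another. Public content keeps the default
    # (URL + Host) hash, which the built-in vcl_hash still adds.
    if (req.url ~ "^/premium/") {
        hash_data(req.http.X-User);
    }
}
```

Two caveats a practitioner should keep in mind: VCL string comparison is not constant-time, so for high-value tokens prefer validating them in a backend or VMOD written for that purpose, and the `X-User` header reaching the origin is trustworthy only because Varnish unsets it before setting it, so the origin must in turn accept it only from Varnish.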

Security is taken seriously by the Varnish Software team, and our Varnish solutions have extremely flexible security options in place, letting you choose what to secure and how secure it needs to be. Because everything can be tweaked via VCL, this ultimately helps you secure your caching infrastructure without affecting web performance.


Published at DZone with permission of
