Nasser Heidari

2011/01/27

Varnish cache Security – Removing Default Headers

Filed under: Linux — Nasser Heidari @ 16:47

If you want to completely remove Varnish's footprints from your HTTP response headers, add the following to your VCL:

    sub vcl_deliver {
        ...
        # Strip the cache-identifying headers before the response leaves Varnish.
        # In vcl_deliver the outgoing response is "resp" (Varnish 2.1+ syntax).
        unset resp.http.X-Varnish;
        unset resp.http.Via;
        unset resp.http.Age;
        unset resp.http.X-Powered-By;
        # Replace the back-end's Server banner with a neutral value.
        unset resp.http.Server;
        set resp.http.Server = "Go Away";
        ...
    }

    sub vcl_error {
        ...
        # Error pages are generated by Varnish itself; here the object is "obj".
        unset obj.http.Server;
        set obj.http.Server = "Go Away";
        ...
    }
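As an added check (example code, not from the original post), this Python script parses a raw HTTP response and reports which of the headers above still leak; the two sample responses are constructed here for illustration.

```python
"""Audit an HTTP response for the fingerprint headers the VCL above removes.

Added example, not code from the original post. It reports X-Varnish, Via,
Age and X-Powered-By if still present and checks that Server carries the
replacement value. The two raw responses below are constructed samples."""

FINGERPRINT_HEADERS = ("x-varnish", "via", "age", "x-powered-by")
EXPECTED_SERVER = "Go Away"  # the value the VCL sets on Server

def parse_response(raw: bytes):
    """Split a raw HTTP/1.1 response into (status line, header map).
    Names are case-insensitive (RFC 7230) so they are lower-cased; a header
    may repeat (e.g. Via), so each name maps to a list of values."""
    head, _sep, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _colon, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers

def find_leaks(headers):
    """Return fingerprint headers still present, plus a 'server=...' entry
    if Server is missing or not the expected value. Empty list means clean."""
    leaks = [name for name in FINGERPRINT_HEADERS if name in headers]
    server = headers.get("server", [])
    if server != [EXPECTED_SERVER]:
        leaks.append("server=" + (",".join(server) or "<missing>"))
    return leaks

# Constructed sample: what a client sees before the VCL change ...
BEFORE = (b"HTTP/1.1 200 OK\r\n"
          b"Server: Apache/2.2.17 (Unix)\r\n"
          b"X-Powered-By: PHP/5.3.5\r\n"
          b"Content-Type: text/html\r\n"
          b"X-Varnish: 1234567890\r\n"
          b"Age: 42\r\n"
          b"Via: 1.1 varnish\r\n"
          b"\r\n<html></html>")

# ... and the same response once vcl_deliver has stripped the headers.
AFTER = (b"HTTP/1.1 200 OK\r\n"
         b"Content-Type: text/html\r\n"
         b"Server: Go Away\r\n"
         b"\r\n<html></html>")

if __name__ == "__main__":
    for label, raw in (("before", BEFORE), ("after", AFTER)):
        print(label, find_leaks(parse_response(raw)[1]) or "clean")
```

Age is also what downstream caches and browsers use to work out freshness, so after stripping it confirm that any intermediate caching still behaves as you expect.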


2 Comments »

  1. Sorry, I always get personal information on Linux from your blog posts.
    I want to ask a question.
    Install Linux + bridge + squid3.
    I want my browser (Mozilla Firefox or IExplore) not to ask for port 3128, but to pass directly to the squid server.
    I am creating a WiFi network.
    It's annoying to have to configure the browser proxy on port 3128, and I do not want that.
    I actually have the link and connection to the squid box.
    My configuration is:

    # eth0: Admin network
    # eth1: academic network
    # eth2: ADSL
    ifconfig eth1 0.0.0.0 promisc up
    ifconfig eth2 0.0.0.0 promisc up
    brctl addbr br0
    brctl addif br0 eth1
    brctl addif br0 eth2
    ifconfig br0 192.168.1.1 netmask 255.255.255.0 up
    route add default gw 192.168.1.254 dev br0
    ebtables -t broute -A BROUTING -p IPv4 --ip-protocol 6 --ip-destination-port 80 -j redirect --redirect-target ACCEPT
    iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-ports 3128
    iptables -t nat -A PREROUTING -i eth2 -p tcp --dport 80 -j REDIRECT --to-ports 3128
    iptables -t nat -A PREROUTING -i br0 -p tcp --dport 80 -j REDIRECT --to-ports 3128

    Comment by ematrix — 2011/01/29 @ 10:37 | Reply

    • Hmm, let's say your network configuration is like this:

      LAN 1 => eth0 (192.168.0.0/24)
      LAN 2 => eth1 (172.16.0.0/24)
      Internet => eth2

      ebtables -t broute -F

      ebtables -t broute -A BROUTING -i eth0 -p ipv4 --ip-src 192.168.0.0/24 --ip-proto tcp --ip-dport 80 -j redirect --redirect-target DROP
      ebtables -t broute -A BROUTING -i eth1 -p ipv4 --ip-src 172.16.0.0/24 --ip-proto tcp --ip-dport 80 -j redirect --redirect-target DROP

      ebtables -t broute -A BROUTING -i eth2 -p ipv4 --ip-dst 192.168.0.0/24 --ip-proto tcp --ip-sport 80 -j redirect --redirect-target DROP
      ebtables -t broute -A BROUTING -i eth2 -p ipv4 --ip-dst 172.16.0.0/24 --ip-proto tcp --ip-sport 80 -j redirect --redirect-target DROP

      iptables -t nat -I PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to 80
      iptables -t nat -I PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to 80

      I think it should work for you.

      Regards,
      Nasser

      Comment by Nasser Heidari — 2011/01/29 @ 19:33 | Reply

