Nasser Heidari

2011-01-27

Varnish cache Security – Removing Default Headers

Filed under: Linux — Nasser Heidari @ 16:47

If you want to remove Varnish's footprint from your HTTP response headers entirely, add the following to your VCL (Varnish 2/3 syntax; `remove` is a synonym for `unset`). One caveat before you copy it: Age is not only a fingerprint. Downstream caches and browsers use it to work out how old an object already is, so stripping it makes them treat the object as fresh for its full max-age. Drop it only if that is acceptable for your content.

    sub vcl_deliver {
        # ...
        remove resp.http.X-Varnish;
        remove resp.http.Via;
        remove resp.http.Age;
        remove resp.http.X-Powered-By;
        # vcl_deliver operates on resp.*, not obj.* (obj.* here will not compile);
        # set overwrites whatever the backend sent, so no separate unset is needed.
        set resp.http.Server = "Go Away";
        # ...
    }

    sub vcl_error {
        # ...
        # Synthetic responses (error pages) are built from obj.* in vcl_error.
        unset obj.http.Server;
        set obj.http.Server = "Go Away";
        # ...
    }
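To confirm the VCL actually took effect, here is a small checker, added for this page and not part of the original post, that parses the header block `curl -sI` prints and reports every header that still identifies Varnish or the origin. The two sample responses are constructed for illustration; the expected decoy `Server` value and the idea of reading the headers from stdin are assumptions of this example.

```python
# Fingerprint headers this check looks for, with why each one is telling.
# They mirror the headers the vcl_deliver snippet above removes or rewrites.
FINGERPRINT_HEADERS = {
    "x-varnish": "Varnish transaction id",
    "via": "names the proxy software",
    "age": "only a shared cache adds it",
    "x-powered-by": "reveals the origin application stack",
}


def parse_headers(raw: str) -> dict:
    """Parse a raw HTTP response head (the text `curl -sI URL` prints) into a
    {lower-cased name: value} dict; the status line and blank lines are skipped."""
    headers = {}
    for line in raw.splitlines():
        line = line.strip()
        if not line or line.startswith("HTTP/"):
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def fingerprint_leaks(raw: str, expected_server: str = "Go Away") -> list:
    """Return one finding per header that still identifies Varnish or the
    origin, plus one if Server is missing or is not the decoy value. An empty
    list means the response carries no cache footprint."""
    hdrs = parse_headers(raw)
    findings = [f"{name}: {hdrs[name]!r} ({why})"
                for name, why in FINGERPRINT_HEADERS.items() if name in hdrs]
    server = hdrs.get("server")
    if server is None:
        findings.append("server: missing (expected the decoy value)")
    elif server != expected_server:
        findings.append(f"server: {server!r} (expected {expected_server!r})")
    return findings


# Constructed samples: a typical Varnish-fronted response before the VCL
# change, and the same response after it.
BEFORE = """HTTP/1.1 200 OK
Server: Apache/2.2.17 (FreeBSD)
X-Powered-By: PHP/5.3.5
Content-Type: text/html
X-Varnish: 1234567890
Age: 42
Via: 1.1 varnish
"""

AFTER = """HTTP/1.1 200 OK
Server: Go Away
Content-Type: text/html
"""

if __name__ == "__main__":
    import sys
    # Pipe real output in (curl -sI http://host/ | python3 check_headers.py);
    # with no pipe, the constructed BEFORE sample is checked instead.
    raw = sys.stdin.read() if not sys.stdin.isatty() else BEFORE
    for finding in fingerprint_leaks(raw) or ["no fingerprint headers found"]:
        print(finding)
```

Run it against both a cacheable page and a URL that produces an error page: the latter is served through vcl_error, so a `Server` leak there means the second sub was not applied.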

Block POST Method with VARNISH for Invalid URLS

Filed under: freebsd,Linux — Nasser Heidari @ 16:38

Recently I experienced very high load on my HTTP server because of spam bots.
After inspecting the server with tools like varnishtop, tcpdump and Apache's mod_log_post, I realized that the web server was receiving a lot of invalid POST requests.
Since only a few forms on the web server use the POST method, I decided to block all POST requests except those to my forms. Let's say the form URLs are:
/upload/mainform.php
/form1.php
/form2.php
/form3.php

I just added these lines to my Varnish configuration (Varnish 2/3 VCL syntax; `req.request` and `error` are the pre-4.0 names):

    sub vcl_recv {
        # ...
        if (req.request == "POST") {
            # Allowlist of URLs that may be POSTed to. "~" is an unanchored
            # regex match and "." matches any character, so a bare "/form1.php"
            # would also pass /form1xphp, /x/form1.php.bak, or any URL carrying
            # the string in its query; anchor the path and escape the dot.
            if (req.url ~ "^/upload/mainform\.php(\?|$)" ||
                req.url ~ "^/form1\.php(\?|$)" ||
                req.url ~ "^/form2\.php(\?|$)" ||
                req.url ~ "^/form3\.php(\?|$)") {
                return (pass);
            } else {
                error 403 "Requested method is not supported by this server.";
            }
        }
        # ...
    }

The patterns are anchored with `^` and end in `(\?|$)` so that only the exact path, optionally followed by a query string, is accepted. 405 Method Not Allowed would be the semantically correct status for a rejected method, but bots do not care and 403 works just as well. The error page goes through vcl_error, so the Server header rewrite from the previous post applies to it too.
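The difference between an unanchored and an anchored allowlist is easy to get wrong, so here is a small comparison added for this page (it is not code from the original post). It evaluates both forms of the rule against a handful of constructed request URLs; Python's `re.search` stands in for Varnish's PCRE-based `~` operator, which is an assumption, but the two agree on patterns this simple.

```python
import re

# The allowlist exactly as a Varnish rule of the form
#   req.url ~ "/form1.php"
# evaluates it: an unanchored regex search in which "." matches any character.
UNANCHORED = [r"/upload/mainform.php", r"/form1.php", r"/form2.php", r"/form3.php"]

# Same allowlist, anchored at the start of the path, dot escaped, and only a
# query string or end-of-string allowed after ".php".
ANCHORED = [
    r"^/upload/mainform\.php(\?|$)",
    r"^/form1\.php(\?|$)",
    r"^/form2\.php(\?|$)",
    r"^/form3\.php(\?|$)",
]


def post_decision(url: str, patterns) -> str:
    """Mimic the vcl_recv logic: a POST whose req.url matches any pattern is
    passed to the backend ("pass"), everything else is rejected ("403")."""
    if any(re.search(p, url) for p in patterns):
        return "pass"
    return "403"


# Constructed request URLs: the four legitimate forms and four a bot could use.
SAMPLE_URLS = [
    "/upload/mainform.php",
    "/form1.php",
    "/form2.php?id=5",
    "/form3.php",
    "/wp-comments-post.php",                      # plain spam target
    "/form1xphp",                                 # "." matches the x
    "/api/form2.php.bak",                         # substring match
    "/wp-comments-post.php?redirect=/form3.php",  # match inside the query string
]


def compare(urls=SAMPLE_URLS) -> dict:
    """Return {url: (decision with UNANCHORED, decision with ANCHORED)}."""
    return {u: (post_decision(u, UNANCHORED), post_decision(u, ANCHORED))
            for u in urls}


if __name__ == "__main__":
    for url, (loose, strict) in compare().items():
        flag = "  <-- bypass" if loose != strict else ""
        print(f"{url:45} unanchored={loose:4} anchored={strict}{flag}")
```

The three URLs flagged as bypasses all reach the backend under the unanchored rule and are rejected under the anchored one; the four real form URLs pass under both.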