Awarent

Defend your web server with Varnish

The AwareOS Web application firewall is based on the open source Varnish software. Varnish is used as a reverse proxy/accelerator in front of the web applications. Since it is independent of the web server, it provides utmost flexibility in forwarding requests to different backends running locally or remotely. With built-in load-balancing capability, the incoming traffic can be transparently distributed across multiple copies of the application. The version provided by AwareOS comes with a set of pre-defined rules that protect your application against common attacks such as SQL Injection, Cross-site scripting (XSS), Cross Site Request Forgery (CSRF), HTTP Floods, and others. Rate limiting protects against HTTP Flood attacks, DDoS, and more.

Behind the magic of the AwareOS WAF is the powerful VCL, the Varnish Configuration Language. VCL is a scripting environment for handling HTTP requests. For instance, the user can direct requests to different applications, or alter requests and responses based on their HTTP properties. The final VCL script is compiled into the Varnish program the first time it is run. It is a very high performance environment that can be modified without taking your web server off-line.

An example where the sensitive pages of a Drupal application are restricted to local machines only:

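acl privileged {
  "10.0.0.0"/8;
  "172.16.0.0"/12;
  "192.168.0.0"/16;
}
sub vcl_recv {
  # req.url includes the query string, so allow an optional "?..." after
  # ".php"; otherwise /cron.php?cron_key=... would slip past the rule.
  if (req.url ~ "^/(cron|install|update|xmlrpc)\.php(\?.*)?$" &&
      !client.ip ~ privileged) {
    return(synth(404, "Page not found."));
  }
}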
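
Varnish's `req.url` carries the query string, so how the pattern is anchored after `.php` decides whether a request such as `/cron.php?cron_key=...` is covered. The following Python check is an added example, not part of AwareOS or the original page: it models the rule above with the standard `re` and `ipaddress` modules (the function names and the request list are constructed for illustration) and compares a pattern anchored at `\.php$` with one that allows a query string.

```python
import ipaddress
import re

# Private ranges from the page's "privileged" ACL.
PRIVILEGED = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Pattern anchored directly after ".php" versus one that tolerates a query string.
STRICT = re.compile(r"^/(cron|install|update|xmlrpc)\.php$")
QUERY_AWARE = re.compile(r"^/(cron|install|update|xmlrpc)\.php(\?.*)?$")


def is_privileged(client_ip):
    """True when the client address falls inside one of the ACL networks."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in PRIVILEGED)


def verdict(pattern, client_ip, url):
    """Mirror the vcl_recv rule: 404 for sensitive URLs from non-ACL clients."""
    if pattern.search(url) and not is_privileged(client_ip):
        return 404
    return "pass"


# Constructed requests: (client IP, req.url, expected verdict).
CASES = [
    ("203.0.113.7", "/install.php", 404),
    ("203.0.113.7", "/cron.php?cron_key=abc", 404),
    ("203.0.113.7", "/update.php?op=info", 404),
    ("203.0.113.7", "/index.php", "pass"),
    ("10.1.2.3", "/install.php", "pass"),
    ("172.31.255.1", "/cron.php?cron_key=abc", "pass"),
    ("172.32.0.1", "/xmlrpc.php", 404),  # just outside 172.16.0.0/12
]


def failures(pattern):
    """Return the cases where the rule's verdict differs from the expected one."""
    return [(ip, url) for ip, url, want in CASES
            if verdict(pattern, ip, url) != want]


if __name__ == "__main__":
    print("strict anchor misses:", failures(STRICT))
    print("query-aware misses:  ", failures(QUERY_AWARE))
```

The same request list can be kept next to the VCL and rerun whenever the URL pattern or the ACL changes.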

Another example, where incoming HTTP requests are classified against known bots so that they can be handled differently:

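sub vcl_recv {
  # User-Agent is supplied by the client, so treat this label as a hint only.
  # The empty last alternative in the first pattern means any User-Agent
  # containing "bot" matches, not just the four named prefixes.
  if (req.http.User-Agent ~ "(?i)(ads|google|bing|msn|)bot" ||
      req.http.User-Agent ~ "(?i)(baidu|symantec)spider" ||
      req.http.User-Agent ~ "(?i)scanner" ||
      req.http.User-Agent ~ "(?i)(web)crawler") {
    set req.http.X-UA-Device = "bot";
  }
}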