vsf's People

Contributors

anazia, blindpet, buffcode, comotion, fgsch, gboddin, huayra, jnk0, michbsd, mmagdy88, rod-gomes, ssm

vsf's Issues

cache-worker panic on FreeBSD

Please see issue #2136 on varnish-cache:
varnishcache/varnish-cache#2136

When sending a POST request to a special URL, the cache-worker child panics, and it seems to be related to the VSF, as when I remove the VSF include I am unable to reproduce the problem.

Please let me know what you require in order to debug this further.

Thanks!

vsthrottle

Hello, I built varnish 4 from source with vsf and want to accomplish the following throttling:
Limit to 100 concurrent requests from an IP. On the 101st request the connection is to be dropped. I tried the following configuration, which works in a totally different way, which I will explain below:

    sub vcl_recv {
        if (vsthrottle.is_denied(client.identity, 100, 0s)) {
            # Client has exceeded 15 reqs per 10s
            return (synth(429, "Too Many Requests"));
        }
    }

Tried also with 1s instead of 0s (then it doesn't throttle at all).
Tried also the following, but one request is OK and on the second refresh the request is throttled, instead of 100 requests being OK and the 101st being throttled.

if (vsthrottle.is_denied(req.http.X-Actual-IP, 100, 0s)) {

What is wrong with the configuration and how can I achieve the throttling the way I want?
Thank you in advance.

wordpress compatibility

I have been testing VSF with Varnish 4.1 and Wordpress and get some false positives. In your cmd.vcl the cat (third curl) is greedy and captures category. I have modified it to be

if (req.url ~ "(=|;|&&|%7C%7C)cat.+(?:egory)")

but there may be a better way.

Also echo and cat are mislabeled as curl for the X-VSF-RuleName in cmd.vcl

Problems compiling on varnish 3

I can't compile vsf on varnish 3 with a lot of probes. Here are all my steps and the error I see:

    yum install docutils pcre-devel gcc* git nano -y
    wget http://repo.varnish-cache.org/source/varnish-3.0.3.tar.gz
    rm varnish-3.0.3.tar.gz
    cd /usr/local/src
    wget http://repo.varnish-cache.org/source/varnish-3.0.3.tar.gz
    tar xvvf varnish-3.0.3.tar.gz
    cd varnish-3.0.3/
    ./configure
    make
    make install
    varnishd -V
    cd -
    git clone https://github.com/comotion/VSF.git
    cd VSF/
    git clone https://github.com/fastly/libvmod-urlcode.git
    git clone https://github.com/nand2/libvmod-throttle.git
    git clone https://github.com/xcir/libvmod-parsereq.git
    git clone https://github.com/varnish/libvmod-shield.git
    for mod in parsereq urlcode shield throttle; do cd libvmod-$mod; ./autogen.sh && VARNISHSRC=/usr/local/src/varnish-3.0.3 VMODDIR=/usr/lib64/varnish/vmods ./configure && make -j3; make install; cd -; done

    make[1]: Entering directory `/usr/local/src/VSF/libvmod-urlcode/src'
    make[1]: *** No rule to make target `@VMODTOOL@', needed by `vcc_if.c'. Stop.
    make[1]: Leaving directory `/usr/local/src/VSF/libvmod-urlcode/src'
    make: *** [install-recursive] Error 1

Then I installed varnish-libs and varnish-libs-devel from here:

https://repo.varnish-cache.org/redhat/varnish-3.0/el6/x86_64/varnish/

BUT I see again the error for VMODTOOLS and can't fix this - why?

Segfault with insufficient workspace (buffer overflow)

Setup:

  • Varnish-4.1.0 revision 3041728
  • VSF (master ea07f16)
  • Ubuntu 14.04

I seem to have encountered a buffer overflow in vmod_normalize() relating to utf8proc_decompose().

Assert error in child_sigsegv_handler(), mgt/mgt_child.c line 297:
  Condition(Segmentation fault by instruction at 0x7fd277225738) not true.

Not being an expert in either VSF, utf8proc or even C, my assumptions may be incorrect. At minimum I do receive a panic which crashes the varnish child when it is encountered.

To reproduce:

  • Have a running web server.
      echo -e "HTTP/1.1 200 OK\n\n" | nc -l localhost 8080
  • Start varnish and a child in the foreground for debugging purposes.
      $ sudo varnishd -d -f /etc/varnish/default.vcl -T localhost:6092
      Platform: Linux,3.13.0-66-generic,x86_64,-junix,-smalloc,-smalloc,-hcritbit
      200 283
      -----------------------------
      Varnish Cache CLI 1.0
      -----------------------------
      Linux,3.13.0-66-generic,x86_64,-junix,-smalloc,-smalloc,-hcritbit
      varnish-4.1.0 revision 3041728

      Type 'help' for command list.
      Type 'quit' to close CLI session.
      Type 'start' to launch worker process.

      start
      child (26635) Started
      200 0

      Child (26635) said Child starts
  • Have some data which exceeds the available workspace_client limit. The default being 64K. The following will produce a random file of 70K.
      dd if=/dev/urandom of=file.txt bs=1024 count=70
  • POST to varnish
      curl --data-urlencode @file.txt http://localhost

The varnish child then crashes and produces the error mentioned above.

I think I have narrowed down the cause to the following line in vmod_normalize():

    len = utf8proc_decompose((utf8proc_uint8_t *)s, 0 /* IGNORED */,
        (utf8proc_int32_t *)p, u, options);

I think the problem is that WS_Reserve() returns the available buffer space in bytes, which is then stored in u. However, utf8proc_decompose() is looking for a buffer with a length specified in utf8proc_int32_t, not in bytes. This call will also clobber the magic number stored in ctx->ws->e, which I think marks the end of the available workspace.

I will issue a pull request shortly for my proposed fix, as there is more that needs to change since correcting the buffer size issue does not completely fix it.

Thanks
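The bytes-versus-elements mismatch described in the report above, as an added example that is not part of the original issue and is not VSF, Varnish or utf8proc code. `toy_decompose`, `normalize_demo` and `TOY_MAGIC` are hypothetical stand-ins: the decoder takes its capacity in `int32_t` elements as the report says `utf8proc_decompose()` does, emits one code point per input byte, and the backing store is deliberately oversized so the mis-sized call can be observed through a canary without leaving the allocation.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define TOY_MAGIC 0x5AFEC0DEu /* constructed canary standing in for the end-of-workspace marker */

enum outcome { FIT = 0, REJECTED = 1, CLOBBERED = 2 };

/* Stand-in for a decompose-style API: `cap` counts int32_t ELEMENTS, not bytes.
 * Returns how many code points the input needs and writes at most `cap` of them.
 * Toy rule (assumption): every input byte becomes one code point. */
static long toy_decompose(const unsigned char *s, size_t n, int32_t *dst, long cap)
{
    long need = 0;
    for (size_t i = 0; i < n; i++) {
        if (need < cap)
            dst[need] = (int32_t)s[i];
        need++;
    }
    return need;
}

/* Reserve `ws_bytes` of toy workspace, decode `input_len` bytes into it and
 * report what happened. cap_in_elements == 0 reproduces the reported pattern
 * (byte count passed as element count); != 0 converts bytes to elements first. */
static enum outcome normalize_demo(size_t ws_bytes, size_t input_len, int cap_in_elements)
{
    const uint32_t magic = TOY_MAGIC;
    uint32_t seen;
    /* 4x oversized so the mis-sized call never leaves this allocation. */
    unsigned char *backing = calloc(ws_bytes * sizeof(int32_t) + sizeof magic, 1);
    unsigned char *input = malloc(input_len ? input_len : 1);
    if (backing == NULL || input == NULL)
        abort();
    memset(input, 'A', input_len);

    /* The reservable space is backing[0 .. ws_bytes); the marker sits right after it. */
    memcpy(backing + ws_bytes, &magic, sizeof magic);

    long cap = cap_in_elements ? (long)(ws_bytes / sizeof(int32_t)) /* elements */
                               : (long)ws_bytes;                    /* bytes: 4x too large */
    long need = toy_decompose(input, input_len, (int32_t *)backing, cap);

    memcpy(&seen, backing + ws_bytes, sizeof seen);
    free(input);
    free(backing);

    if (seen != magic)
        return CLOBBERED; /* wrote past the reserved bytes */
    if (need > cap)
        return REJECTED;  /* output does not fit: caller must fail the request */
    return FIT;
}

int main(void)
{
    const size_t ws = 64 * 1024; /* default workspace_client size named in the report */
    printf("70K input, capacity in bytes:    %d\n", normalize_demo(ws, 70 * 1024, 0));
    printf("70K input, capacity in elements: %d\n", normalize_demo(ws, 70 * 1024, 1));
    printf("20000 B,   capacity in bytes:    %d\n", normalize_demo(ws, 20000, 0));
    printf("1000 B,    capacity in bytes:    %d\n", normalize_demo(ws, 1000, 0));
    return 0;
}
```

With the byte count passed as the capacity, inputs well below the workspace size already reach the marker, while small inputs hide the defect; with the capacity divided by `sizeof(int32_t)` the oversized input is reported as not fitting and the caller has to handle that return value.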

Is it possible to build Varnish 6.2?

Is it possible to build Varnish 6.2?

Centos7
Varnish6.2
Python 3.6.3

I got the following error.

/bin/sh ../libtool  --tag=CC   --mode=compile gcc -std=gnu99 -DHAVE_CONFIG_H -I. -I..    -I/usr/local/varnish/include/varnish -I../utf8proc -g -O2 -MT libvmod_vsf_la-vmod_vsf.lo -MD -MP -MF .deps/libvmod_vsf_la-vmod_vsf.Tpo -c -o libvmod_vsf_la-vmod_vsf.lo `test -f 'vmod_vsf.c' || echo './'`vmod_vsf.c
libtool: compile:  gcc -std=gnu99 -DHAVE_CONFIG_H -I. -I.. -I/usr/local/varnish/include/varnish -I../utf8proc -g -O2 -MT libvmod_vsf_la-vmod_vsf.lo -MD -MP -MF .deps/libvmod_vsf_la-vmod_vsf.Tpo -c vmod_vsf.c  -fPIC -DPIC -o .libs/libvmod_vsf_la-vmod_vsf.o
In file included from /usr/local/varnish/include/varnish/cache/cache_varnishd.h:32:0,
                 from vmod_vsf.c:34:
/usr/local/varnish/include/varnish/cache/cache.h:202:1: warning: data definition has no type or storage class [enabled by default]
 VRBT_HEAD(vrt_priv_tree,vrt_priv);
 ^
/usr/local/varnish/include/varnish/cache/cache.h:202:1: warning: type defaults to 'int' in declaration of 'VRBT_HEAD' [enabled by default]
/usr/local/varnish/include/varnish/cache/cache.h:202:1: warning: parameter names (without types) in function declaration [enabled by default]
/usr/local/varnish/include/varnish/cache/cache.h:207:23: error: field 'privs' has incomplete type
  struct vrt_priv_tree privs;
                       ^
vmod_vsf.c: In function 'vmod_body':
vmod_vsf.c:117:2: warning: passing argument 2 of 'VRB_Iterate' from incompatible pointer type [enabled by default]
  if (VRB_Iterate(ctx->req, vsf_iter_req_body, vsb) == -1) {
  ^
In file included from vmod_vsf.c:34:0:
/usr/local/varnish/include/varnish/cache/cache_varnishd.h:351:9: note: expected 'int (*)(void *, unsigned int,  const void *, ssize_t)' but argument is of type 'int (*)(void *, int,  const void *, ssize_t)'
 ssize_t VRB_Iterate(struct req *, objiterate_f *func, void *priv);

generic.vcl typo

line 7:
if (req.http.User-Agent ~ "(i)
shall be:
if (req.http.User-Agent ~ "(?i)

utf8conf build error

Trying to build with Varnish 4.1 and getting this error, instructions are the same as I used last time I tested

make  all-recursive
make[1]: Entering directory '/root/VSF/libvmod-vsf'
Making all in src
make[2]: Entering directory '/root/VSF/libvmod-vsf/src'
/bin/bash ../libtool  --tag=CC   --mode=compile gcc -std=gnu99 -DHAVE_CONFIG_H -I. -I..    -I/usr/include/varnish -I../utf8proc -g -O2 -MT libvmod_vsf_la-vmod_vsf.lo -MD -MP -MF .deps/libvmod_vsf_la-vmod_vsf.Tpo -c -o libvmod_vsf_la-vmod_vsf.lo `test -f 'vmod_vsf.c' || echo './'`vmod_vsf.c
libtool: compile:  gcc -std=gnu99 -DHAVE_CONFIG_H -I. -I.. -I/usr/include/varnish -I../utf8proc -g -O2 -MT libvmod_vsf_la-vmod_vsf.lo -MD -MP -MF .deps/libvmod_vsf_la-vmod_vsf.Tpo -c vmod_vsf.c  -fPIC -DPIC -o .libs/libvmod_vsf_la-vmod_vsf.o
vmod_vsf.c:60:22: fatal error: utf8proc.h: No such file or directory
 #include <utf8proc.h>
                      ^
compilation terminated.
Makefile:638: recipe for target 'libvmod_vsf_la-vmod_vsf.lo' failed
make[2]: *** [libvmod_vsf_la-vmod_vsf.lo] Error 1
make[2]: Leaving directory '/root/VSF/libvmod-vsf/src'
Makefile:453: recipe for target 'all-recursive' failed
make[1]: *** [all-recursive] Error 1

@${MAKE} -C vcl fails

Hi,

Running make in the vcl sub-dir fails:

[...]
rules/user-agent.vcl: || req.http.user-agent == "VadixBot"
rules/user-agent.vcl: || req.http.user-agent == "WebVulnCrawl.blogspot.com/1.0 libwww-perl/5.803"
rules/user-agent.vcl: || req.http.user-agent == "Wells Search II"
rules/user-agent.vcl: || req.http.user-agent == "WEP Search 00"

*** Failed target: check
*** Failed command: ../tools/check_variables
*** Error code 1

Stop.
make: stopped in /root/work/varnish-vmods/VSF/vcl
Global:.ERROR_TARGET = check
Applying[MAKE_PRINT_VAR_ON_ERROR] :@ to ""
Modifier pattern: "v"
Modifier pattern: "$v='${$v}'
"
Result[MAKE_PRINT_VAR_ON_ERROR] of :@ is ""

utf8proc 2.7.0

Hello,

utf8proc has released new version 2.7.0:
Unicode 14 support ([#233]).
Support GNUInstallDirs in CMake build ([#159]).
cmake build now installs pkg-config file ([#224]).
Various build and portability improvements.

make && make install is ok

varnishd -C -f /etc/varnish/default.vcl
Could not delete 'vcl_boot.1639807852.042728/vgc.sym': No such file or directory
Message from VCC-compiler:
Could not open VMOD vsf
File name: /root/VSF-6.6/libvmod-vsf/src/.libs/libvmod_vsf.so
dlerror: /root/VSF-6.6/libvmod-vsf/src/.libs/libvmod_vsf.so: cannot open shared object file: Permission denied
('/etc/varnish/security/vsf.vcl' Line 7 Pos 8)
import vsf from "/root/VSF-6.6/libvmod-vsf/src/.libs/libvmod_vsf.so";
-------###-----------------------------------------------------------

Running VCC-compiler failed, exited with 2
VCL compilation failed

Can't figure out how to make honeypot backend working

Hi there,
I'm using the 4.0 branch of the VSF.
Unfortunately I can't figure out how to get the honeypot backend working.
The request gets restarted and never reaches the backend specified as sec_honey.
Here is the varnishlog output:

*   << Request  >> 32774
-   Begin          req 32773 rxreq
-   Timestamp      Start: 1455876150.014326 0.000000 0.000000
-   Timestamp      Req: 1455876150.014326 0.000000 0.000000
-   ReqStart       10.102.68.87 38960 10.102.68.87 38960
-   ReqMethod      GET
-   ReqURL         /SELECT%20*%20FROM
-   ReqProtocol    HTTP/1.1
-   ReqHeader      User-Agent: curl/7.39.0
-   ReqHeader      Accept: */*
-   ReqHeader      Host: www.pres01.ecestage.rts.ch
-   ReqHeader      X-Forwarded-For: 10.102.68.87
-   VCL_call       RECV
-   ReqHeader      X-VSF-Actual-IP: 10.102.68.87
-   ReqHeader      X-VSF-ClientIP: 10.102.68.87
-   ReqHeader      X-VSF-Method: GET
-   ReqHeader      X-VSF-Proto: HTTP/1.1
-   ReqHeader      X-VSF-UA: curl/7.39.0
-   ReqHeader      X-VSF-URL: /SELECT * FROM
-   ReqHeader      X-VSF-Client: [10.102.68.87] www.pres01.ecestage.rts.ch/SELECT%20*%20FROM (curl/7.39.0)
-   ReqHeader      X-VSF-Restarted: restarted
-   ReqHeader      X-VSF-Module: sql
-   ReqHeader      X-VSF-RuleName: SQL Injection Attempt: SELECT FROM
-   ReqHeader      X-VSF-RuleID: 1
-   ReqHeader      X-VSF-RuleInfo: Checks if someone tries to use SQL statement in URL: SELECT FROM
-   ReqHeader      X-VSF-Severity: 1
-   ReqHeader      X-VSF-Rule: sql-1
-   ReqHeader      X-VSF-Response:
-   Debug          "VCL_error(803, Sexy Honey)"
-   VCL_return     synth
-   VCL_call       HASH
-   VCL_return     lookup
-   Timestamp      Process: 1455876150.014493 0.000167 0.000167
-   RespHeader     Date: Fri, 19 Feb 2016 10:02:30 GMT
-   RespHeader     Server: Varnish
-   RespHeader     X-Varnish: 32774
-   RespProtocol   HTTP/1.1
-   RespStatus     803
-   RespReason     Unknown HTTP Status
-   RespReason     Sexy Honey
-   VCL_call       SYNTH
-   VCL_Log        security.vcl alert xid:32774 HTTP/1.1 [sql-1][10.102.68.87] www.pres01.ecestage.rts.ch/SELECT%20*%20FROM (curl/7.39.0) (SQL Injection Attempt: SELECT FROM)
-   ReqUnset       X-VSF-Response:
-   ReqHeader      X-VSF-Response: honeypot me
-   VCL_return     restart
-   Timestamp      Restart: 1455876150.014527 0.000201 0.000033
-   Link           req 32775 restart
-   End

*   << Request  >> 32775
-   Begin          req 32774 restart
-   Timestamp      Start: 1455876150.014527 0.000201 0.000000
-   ReqStart       10.102.68.87 38960 10.102.68.87 38960
-   ReqMethod      GET
-   ReqURL         /SELECT%20*%20FROM
-   ReqProtocol    HTTP/1.1
-   ReqHeader      User-Agent: curl/7.39.0
-   ReqHeader      Accept: */*
-   ReqHeader      Host: www.pres01.ecestage.rts.ch
-   ReqHeader      X-Forwarded-For: 10.102.68.87
-   ReqHeader      X-VSF-Actual-IP: 10.102.68.87
-   ReqHeader      X-VSF-ClientIP: 10.102.68.87
-   ReqHeader      X-VSF-Method: GET
-   ReqHeader      X-VSF-Proto: HTTP/1.1
-   ReqHeader      X-VSF-UA: curl/7.39.0
-   ReqHeader      X-VSF-URL: /SELECT * FROM
-   ReqHeader      X-VSF-Client: [10.102.68.87] www.pres01.ecestage.rts.ch/SELECT%20*%20FROM (curl/7.39.0)
-   ReqHeader      X-VSF-Restarted: restarted
-   ReqHeader      X-VSF-Module: sql
-   ReqHeader      X-VSF-RuleName: SQL Injection Attempt: SELECT FROM
-   ReqHeader      X-VSF-RuleID: 1
-   ReqHeader      X-VSF-RuleInfo: Checks if someone tries to use SQL statement in URL: SELECT FROM
-   ReqHeader      X-VSF-Severity: 1
-   ReqHeader      X-VSF-Rule: sql-1
-   ReqHeader      X-VSF-Response: honeypot me
-   VCL_call       RECV
-   ReqUnset       X-VSF-Severity: 1
-   ReqUnset       X-VSF-Module: sql
-   ReqUnset       X-VSF-RuleID: 1
-   ReqUnset       X-VSF-Rule: sql-1
-   ReqUnset       X-VSF-RuleName: SQL Injection Attempt: SELECT FROM
-   ReqUnset       X-VSF-RuleInfo: Checks if someone tries to use SQL statement in URL: SELECT FROM
-   ReqUnset       X-VSF-Client: [10.102.68.87] www.pres01.ecestage.rts.ch/SELECT%20*%20FROM (curl/7.39.0)
-   ReqUnset       X-VSF-Response: honeypot me
-   ReqUnset       X-VSF-ClientIP: 10.102.68.87
-   ReqUnset       X-VSF-Method: GET
-   ReqUnset       X-VSF-Proto: HTTP/1.1
-   ReqUnset       X-VSF-UA: curl/7.39.0
-   ReqUnset       X-VSF-URL: /SELECT * FROM
-   ReqUnset       X-VSF-Actual-IP: 10.102.68.87
-   ReqHeader      X-VSF-Actual-IP: 10.102.68.87
-   ReqHeader      X-VSF-ClientIP: 10.102.68.87
-   ReqHeader      X-VSF-Method: GET
-   ReqHeader      X-VSF-Proto: HTTP/1.1
-   ReqHeader      X-VSF-UA: curl/7.39.0
-   ReqHeader      X-VSF-URL: /SELECT * FROM
-   ReqHeader      X-VSF-Client: [10.102.68.87] www.pres01.ecestage.rts.ch/SELECT%20*%20FROM (curl/7.39.0)
-   ReqUnset       X-VSF-Restarted: restarted
-   ReqHeader      X-VSF-Restarted: restarted
-   ReqHeader      X-VSF-Module: sql
-   ReqHeader      X-VSF-RuleName: SQL Injection Attempt: SELECT FROM
-   ReqHeader      X-VSF-RuleID: 1
-   ReqHeader      X-VSF-RuleInfo: Checks if someone tries to use SQL statement in URL: SELECT FROM
-   ReqHeader      X-VSF-Severity: 1
-   ReqHeader      X-VSF-Rule: sql-1
-   ReqHeader      X-VSF-Response:
-   Debug          "VCL_error(803, Sexy Honey)"
-   VCL_return     synth
-   VCL_call       HASH
-   VCL_return     lookup
-   Timestamp      Process: 1455876150.014614 0.000288 0.000087
-   RespHeader     Date: Fri, 19 Feb 2016 10:02:30 GMT
-   RespHeader     Server: Varnish
-   RespHeader     X-Varnish: 32775
-   RespProtocol   HTTP/1.1
-   RespStatus     803
-   RespReason     Unknown HTTP Status
-   RespReason     Sexy Honey
-   VCL_call       SYNTH
-   RespHeader     Content-Type: text/html; charset=utf-8
-   VCL_return     deliver
-   RespHeader     Content-Length: 10
-   Debug          "RES_MODE 2"
-   RespHeader     Connection: keep-alive
-   Timestamp      Resp: 1455876150.014665 0.000339 0.000051
-   ReqAcct        107 0 107 183 10 193
-   End

false positive with mybb

Installed this to protect mybb and getting a false positive for an sql injection when sending a message with this text

I've tried:

- System > Update Manager > Settings > Enable Community-maintained updates.
 - Enable Mono and Mono Testing: Omv > Omv-extras.org > Enable them both and save then apply.

No go, Sonarr doesn't show up.

One guy:
http://forums.openmediavault.org/index.php/Thread/6609-Sonarr-NzbDrone-1-0-Plugin/?postID=78771#post78771

Said to just to enable mono testing and not mono.

I can enable mono and have mono testing disabled. But I can't have mono disabled and have mono testning enable. If I enable testing the other mono enables to.

Varnishlog

-   Timestamp      ReqBody: 1448830967.845978 0.000147 0.000147
-   ReqHeader      X-VSF-Body: my_post_key=05559b8cafbc7789f72e7369c8d7e6a8&to=manne&bcc=&subject=Re%3A+Omv+guide&action=do_send&pmid=571&do=reply&options%5Bsavecopy%5D=1&options%5Breadreceipt%5D=1&message=%0D%0AI%27ve+tried%3A%0D%0A-+System+%3E+Update+Manager+%3E+Settings
-   ReqHeader      X-VSF-Client: [162.158.134.241] forum.htpcguides.com/private.php (Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.86 Safari/537.36)
-   ReqUnset       Accept-Encoding: gzip
-   ReqHeader      Accept-Encoding: gzip
-   ReqHeader      X-VSF-Module: sql
-   ReqHeader      X-VSF-RuleName: SQL Injection
-   ReqHeader      X-VSF-RuleID: sql.sql-11
-   ReqHeader      X-VSF-Rule: sql-sql.sql-11
-   ReqHeader      X-VSF-Response: Naughty, not nice!
-   VCL_return     synth
-   VCL_call       HASH
-   VCL_return     lookup
-   Timestamp      Process: 1448830967.846190 0.000359 0.000212
-   RespHeader     Date: Sun, 29 Nov 2015 21:02:47 GMT
-   RespHeader     Server: Varnish
-   RespHeader     X-Varnish: 1540392
-   RespProtocol   HTTP/1.1
-   RespStatus     801
-   RespReason     Unknown HTTP Status
-   RespReason     Rejected
-   VCL_call       SYNTH
-   VCL_Log        security.vcl alert xid:1540392 HTTP/1.1 [sql-sql.sql-11][162.158.134.241] forum.htpcguides.com/private.php (Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.86 Safari/537.36) (SQL Injection)
-   RespStatus     403
-   RespReason     Forbidden
-   RespReason     Naughty, not nice!
-   RespHeader     Content-Type: text/html; charset=utf-8
-   RespHeader     Retry-After: 5
-   VCL_return     deliver
-   RespHeader     Content-Length: 278
-   Storage        malloc Transient
-   Debug          "RES_MODE 2"
-   RespHeader     Connection: keep-alive
-   Timestamp      Resp: 1448830967.846321 0.000490 0.000130
-   ReqAcct        1327 968 2295 210 278 488
-   End

Upon further testing it appears to not like the symbols in this text

About Sonarr:

I've tried:

- System > Update Manager > Settings > Enable Community-maintained updates.
 - Enable Mono and Mono Testing: Omv > Omv-extras.org > Enable them both and save then apply.

No go, Sonarr doesn't show up.

false positive for google ads

Looking at more varnishlogs with the default rules, here is a false positive for google ads as a windows file

 SessionOpen  c 108.162.215.39 32699 :80
   13 ReqStart     c 108.162.215.39 32699 1813224171
   13 RxRequest    c GET
   13 RxURL        c //pagead2.googlesyndication.com/pagead/js/adsbygoogle.js
   13 RxProtocol   c HTTP/1.1
   13 RxHeader     c Host: www.htpcguides.com
   13 RxHeader     c Connection: Keep-Alive
   13 RxHeader     c Accept-Encoding: gzip
   13 RxHeader     c CF-IPCountry: CN
   13 RxHeader     c X-Forwarded-For: 111.206.36.6
   13 RxHeader     c CF-RAY: 23b1cb9beb4b20ae-LAX
   13 RxHeader     c X-Forwarded-Proto: http
   13 RxHeader     c CF-Visitor: {"scheme":"http"}
   13 RxHeader     c Accept: */*
   13 RxHeader     c Accept-Charset: GB2312,utf-8;q=0.7,*;q=0.7
   13 RxHeader     c Accept-Language: zh-cn, zh;q=0.5
   13 RxHeader     c User-Agent: Mozilla/4.0
   13 RxHeader     c CF-Connecting-IP: 111.206.36.6
   13 VCL_call     c recv error
   13 VCL_call     c hash
   13 Hash         c //pagead2.googlesyndication.com/pagead/js/adsbygoogle.js
   13 Hash         c www.htpcguides.com
   13 VCL_return   c hash
   13 VCL_call     c error
   13 VCL_Log      c vcl_error
   13 VCL_Log      c security.vcl alert xid:1813224171 HTTP/1.1 [-path.win-2][108.162.215.39] www.htpcguides.com//pagead2.googlesyndication.com/pagead/js/adsbygoogle.js (Mozilla/4.0) (Windows File)
   13 VCL_return   c deliver
   13 VCL_call     c deliver deliver
   13 TxProtocol   c HTTP/1.1
   13 TxStatus     c 403
   13 TxResponse   c Naughty, not nice!
   13 TxHeader     c Server: Varnish
   13 TxHeader     c Content-Type: text/html; charset=utf-8
   13 TxHeader     c Retry-After: 5
   13 TxHeader     c Content-Length: 416
   13 TxHeader     c Accept-Ranges: bytes
   13 TxHeader     c Date: Sun, 25 Oct 2015 23:45:30 GMT
   13 TxHeader     c X-Varnish: 1813224171
   13 TxHeader     c Age: 0
   13 TxHeader     c Via: 1.1 varnish
   13 TxHeader     c Connection: close
   13 TxHeader     c X-Cache: MISS
   13 Length       c 416
   13 ReqEnd       c 1813224171 1445816730.184789658 1445816730.185124397 0.000099421 0.000262976 0.000071722

Compiling fails under fully updated Debian 11 + Varnish 7.0.2 + vsthrottle

vmod_vsf.c:96:39: error: array type has incomplete element type ‘struct vmod_priv_methods’
    96 | static const struct vmod_priv_methods vmod_body_methods[1] = {{
       |                                       ^~~~~~~~~~~~~~~~~
 vmod_vsf.c:97:11: error: ‘VMOD_PRIV_METHODS_MAGIC’ undeclared here (not in a function); did you mean ‘VDI_METHODS_MAGIC’?
    97 |  .magic = VMOD_PRIV_METHODS_MAGIC,
       |           ^~~~~~~~~~~~~~~~~~~~~~~
       |           VDI_METHODS_MAGIC
 vmod_vsf.c: In function ‘vmod_body’:
 vmod_vsf.c:139:6: error: ‘struct vmod_priv’ has no member named ‘methods’
   139 |  priv->methods = vmod_body_methods;
       |      ^~
 make[3]: *** [Makefile:671: libvmod_vsf_la-vmod_vsf.lo] Error 1

Also there is a problem since the dependencies require python-docutils which has been made obsolete by python3-docutils, and is no longer available for several Linux versions. Furthermore libvarnishapi-dev conflicts with varnish-dev, which is required for the OEM Varnish Modules package.

Varnish6

Any chance this could be updated to work with Varnish6?

/bin/sh ../libtool  --tag=CC   --mode=compile gcc -std=gnu99 -DHAVE_CONFIG_H -I. -I..   -I/usr/local/include -I/usr/local/include/varnish -I../utf8proc -g -O2 -MT libvmod_vsf_la-vmod_vsf.lo -MD -MP -MF .deps/libvmod_vsf_la-vmod_vsf.Tpo -c -o libvmod_vsf_la-vmod_vsf.lo `test -f 'vmod_vsf.c' || echo './'`vmod_vsf.c
libtool: compile:  gcc -std=gnu99 -DHAVE_CONFIG_H -I. -I.. -I/usr/local/include -I/usr/local/include/varnish -I../utf8proc -g -O2 -MT libvmod_vsf_la-vmod_vsf.lo -MD -MP -MF .deps/libvmod_vsf_la-vmod_vsf.Tpo -c vmod_vsf.c  -fPIC -DPIC -o .libs/libvmod_vsf_la-vmod_vsf.o
In file included from vmod_vsf.c:35:
/usr/local/include/varnish/vrt.h:35:4: error: #error "vrt.h included after cache.h - they are inclusive"
/usr/local/include/varnish/vrt.h:39:4: error: #error "vrt.h included multiple times"
In file included from vmod_vsf.c:35:
/usr/local/include/varnish/vrt.h:127: error: redefinition of 'struct strands'
/usr/local/include/varnish/vrt.h:138: error: redefinition of typedef 'VCL_ACL'
/usr/local/include/varnish/vrt.h:138: error: previous declaration of 'VCL_ACL' was here
/usr/local/include/varnish/vrt.h:139: error: redefinition of typedef 'VCL_BACKEND'
/usr/local/include/varnish/vrt.h:139: error: previous declaration of 'VCL_BACKEND' was here
/usr/local/include/varnish/vrt.h:140: error: redefinition of typedef 'VCL_BLOB'
/usr/local/include/varnish/vrt.h:140: error: previous declaration of 'VCL_BLOB' was here
/usr/local/include/varnish/vrt.h:141: error: redefinition of typedef 'VCL_BODY'
/usr/local/include/varnish/vrt.h:141: error: previous declaration of 'VCL_BODY' was here
/usr/local/include/varnish/vrt.h:142: error: redefinition of typedef 'VCL_BOOL'
/usr/local/include/varnish/vrt.h:142: error: previous declaration of 'VCL_BOOL' was here
/usr/local/include/varnish/vrt.h:143: error: redefinition of typedef 'VCL_BYTES'
/usr/local/include/varnish/vrt.h:143: error: previous declaration of 'VCL_BYTES' was here
/usr/local/include/varnish/vrt.h:144: error: redefinition of typedef 'VCL_DURATION'
/usr/local/include/varnish/vrt.h:144: error: previous declaration of 'VCL_DURATION' was here
/usr/local/include/varnish/vrt.h:145: error: redefinition of typedef 'VCL_ENUM'
/usr/local/include/varnish/vrt.h:145: error: previous declaration of 'VCL_ENUM' was here
/usr/local/include/varnish/vrt.h:146: error: redefinition of typedef 'VCL_HEADER'
/usr/local/include/varnish/vrt.h:146: error: previous declaration of 'VCL_HEADER' was here
/usr/local/include/varnish/vrt.h:147: error: redefinition of typedef 'VCL_HTTP'
/usr/local/include/varnish/vrt.h:147: error: previous declaration of 'VCL_HTTP' was here
/usr/local/include/varnish/vrt.h:148: error: redefinition of typedef 'VCL_INSTANCE'
/usr/local/include/varnish/vrt.h:148: error: previous declaration of 'VCL_INSTANCE' was here
/usr/local/include/varnish/vrt.h:149: error: redefinition of typedef 'VCL_INT'
/usr/local/include/varnish/vrt.h:149: error: previous declaration of 'VCL_INT' was here
/usr/local/include/varnish/vrt.h:150: error: redefinition of typedef 'VCL_IP'
/usr/local/include/varnish/vrt.h:150: error: previous declaration of 'VCL_IP' was here
/usr/local/include/varnish/vrt.h:151: error: redefinition of typedef 'VCL_PROBE'
/usr/local/include/varnish/vrt.h:151: error: previous declaration of 'VCL_PROBE' was here
/usr/local/include/varnish/vrt.h:152: error: redefinition of typedef 'VCL_REAL'
/usr/local/include/varnish/vrt.h:152: error: previous declaration of 'VCL_REAL' was here
/usr/local/include/varnish/vrt.h:153: error: redefinition of typedef 'VCL_STEVEDORE'
/usr/local/include/varnish/vrt.h:153: error: previous declaration of 'VCL_STEVEDORE' was here
/usr/local/include/varnish/vrt.h:154: error: redefinition of typedef 'VCL_STRANDS'
/usr/local/include/varnish/vrt.h:154: error: previous declaration of 'VCL_STRANDS' was here
/usr/local/include/varnish/vrt.h:155: error: redefinition of typedef 'VCL_STRING'
/usr/local/include/varnish/vrt.h:155: error: previous declaration of 'VCL_STRING' was here
/usr/local/include/varnish/vrt.h:156: error: redefinition of typedef 'VCL_TIME'
/usr/local/include/varnish/vrt.h:156: error: previous declaration of 'VCL_TIME' was here
/usr/local/include/varnish/vrt.h:157: error: redefinition of typedef 'VCL_VCL'
/usr/local/include/varnish/vrt.h:157: error: previous declaration of 'VCL_VCL' was here
/usr/local/include/varnish/vrt.h:158: error: redefinition of typedef 'VCL_VOID'
/usr/local/include/varnish/vrt.h:158: error: previous declaration of 'VCL_VOID' was here
/usr/local/include/varnish/vrt.h:160: error: redefinition of 'struct vrt_type'
/usr/local/include/varnish/vrt.h:174: error: redefinition of 'struct vrt_ctx'
/usr/local/include/varnish/vrt.h:215: error: redefinition of 'struct vmod_data'
/usr/local/include/varnish/vrt.h:233: error: nested redefinition of 'enum vcl_event_e'
/usr/local/include/varnish/vrt.h:233: error: redeclaration of 'enum vcl_event_e'
/usr/local/include/varnish/vrt.h:234: error: redeclaration of enumerator 'VCL_EVENT_LOAD'
/usr/local/include/varnish/vrt.h:234: error: previous definition of 'VCL_EVENT_LOAD' was here
/usr/local/include/varnish/vrt.h:235: error: redeclaration of enumerator 'VCL_EVENT_WARM'
/usr/local/include/varnish/vrt.h:235: error: previous definition of 'VCL_EVENT_WARM' was here
/usr/local/include/varnish/vrt.h:236: error: redeclaration of enumerator 'VCL_EVENT_COLD'
/usr/local/include/varnish/vrt.h:236: error: previous definition of 'VCL_EVENT_COLD' was here
/usr/local/include/varnish/vrt.h:237: error: redeclaration of enumerator 'VCL_EVENT_DISCARD'
/usr/local/include/varnish/vrt.h:237: error: previous definition of 'VCL_EVENT_DISCARD' was here
/usr/local/include/varnish/vrt.h:283: error: redefinition of 'struct vrt_backend'
/usr/local/include/varnish/vrt.h:310: error: redefinition of 'struct vrt_backend_probe'
/usr/local/include/varnish/vrt.h:322: error: redefinition of 'struct vrt_ref'
/usr/local/include/varnish/vrt.h:336: error: redefinition of typedef 'acl_match_f'
/usr/local/include/varnish/vrt.h:336: error: previous declaration of 'acl_match_f' was here
/usr/local/include/varnish/vrt.h:338: error: redefinition of 'struct vrt_acl'
/usr/local/include/varnish/vrt.h:359: error: nested redefinition of 'enum gethdr_e'
/usr/local/include/varnish/vrt.h:359: error: redeclaration of 'enum gethdr_e'
/usr/local/include/varnish/vrt.h:360: error: redeclaration of enumerator 'HDR_REQ'
/usr/local/include/varnish/vrt.h:360: error: previous definition of 'HDR_REQ' was here
/usr/local/include/varnish/vrt.h:361: error: redeclaration of enumerator 'HDR_REQ_TOP'
/usr/local/include/varnish/vrt.h:361: error: previous definition of 'HDR_REQ_TOP' was here
/usr/local/include/varnish/vrt.h:362: error: redeclaration of enumerator 'HDR_RESP'
/usr/local/include/varnish/vrt.h:362: error: previous definition of 'HDR_RESP' was here
/usr/local/include/varnish/vrt.h:363: error: redeclaration of enumerator 'HDR_OBJ'
/usr/local/include/varnish/vrt.h:363: error: previous definition of 'HDR_OBJ' was here
/usr/local/include/varnish/vrt.h:364: error: redeclaration of enumerator 'HDR_BEREQ'
/usr/local/include/varnish/vrt.h:364: error: previous definition of 'HDR_BEREQ' was here
/usr/local/include/varnish/vrt.h:366: error: redeclaration of enumerator 'HDR_BERESP'
/usr/local/include/varnish/vrt.h:366: error: previous definition of 'HDR_BERESP' was here
/usr/local/include/varnish/vrt.h:368: error: redefinition of 'struct gethdr_s'
/usr/local/include/varnish/vrt.h:434: error: redefinition of typedef 'vmod_event_f'
/usr/local/include/varnish/vrt.h:434: error: previous declaration of 'vmod_event_f' was here
/usr/local/include/varnish/vrt.h:436: error: redefinition of typedef 'vmod_priv_free_f'
/usr/local/include/varnish/vrt.h:436: error: previous declaration of 'vmod_priv_free_f' was here
/usr/local/include/varnish/vrt.h:437: error: redefinition of 'struct vmod_priv'
In file included from vmod_vsf.c:37:
/usr/local/include/varnish/vsa.h:44: error: expected declaration specifiers or '...' before 'socklen_t'
vmod_vsf.c: In function 'vsf_iter_req_body':
vmod_vsf.c:98: warning: implicit declaration of function 'VSB_bcat'
vmod_vsf.c: In function '__match_proto__':
vmod_vsf.c:104: error: expected declaration specifiers before 'vmod_body'
vmod_vsf.c:149: error: expected '=', ',', ';', 'asm' or '__attribute__' before 'vmod_conn_reset'
vmod_vsf.c:168: error: expected '=', ',', ';', 'asm' or '__attribute__' before 'vmod_urldecode'
vmod_vsf.c:192: error: expected '=', ',', ';', 'asm' or '__attribute__' before 'vmod_normalize'
vmod_vsf.c:235: warning: type of 'td_vsf_body' defaults to 'int'
vmod_vsf.c:235: error: expected '{' at end of input
gmake[3]: *** [Makefile:651: libvmod_vsf_la-vmod_vsf.lo] Error 1
gmake[3]: Leaving directory '/root/work/varnish-vmods/VSF/libvmod-vsf/src'
gmake[2]: *** [Makefile:465: all-recursive] Error 1
gmake[2]: Leaving directory '/root/work/varnish-vmods/VSF/libvmod-vsf'
gmake[1]: *** [Makefile:376: all] Error 2
gmake[1]: Leaving directory '/root/work/varnish-vmods/VSF/libvmod-vsf'
gmake: *** [Makefile:12: libvmod-vsf/src/.libs/libvmod-vsf.so] Error 2

Limit requests not per IP, but to vhost

Hello,
I would like to ask whether there is a way, through VSF/throttle or shield, to limit xmlrpc queries not only per single IP but per vhost. For example, if the limit is 15 and these 15 queries come from different IPs, they should be blocked. Currently they are blocked only if these 15 requests come from one IP. This is the current configuration:

if ((req.url ~ "(wp-login.php|xmlrpc.php)")) {
    if (throttle.is_allowed("ip:" + client.ip, "10req/s") > 0s) {
        error 429 "Calm down";
        shield.conn_reset();
    }
}

For example, can I use some variable instead of client.ip that refers not to 15 queries from the source IP, but to 15 total requests from any IP to the vhost (without actually writing a different block for every vhost)?
Thank you in advance.

omitting directory vcl/rules

Building for Varnish 4.1 and getting this error with make install

See any operating system documentation about shared libraries for
more information, such as the ld(1) and ld.so(8) manual pages.
----------------------------------------------------------------------
make[3]: Leaving directory '/root/VSF/libvmod-vsthrottle/src'
make[2]: Leaving directory '/root/VSF/libvmod-vsthrottle/src'
make[2]: Entering directory '/root/VSF/libvmod-vsthrottle'
make[3]: Entering directory '/root/VSF/libvmod-vsthrottle'
make[3]: Nothing to be done for 'install-exec-am'.
 /bin/mkdir -p '/usr/local/share/doc/libvmod-vsthrottle'
 /usr/bin/install -c -m 644 README.rst LICENSE '/usr/local/share/doc/libvmod-vsthrottle'
 /bin/mkdir -p '/usr/local/share/man/man3'
 /usr/bin/install -c -m 644 vmod_vsthrottle.3 '/usr/local/share/man/man3'
make[3]: Leaving directory '/root/VSF/libvmod-vsthrottle'
make[2]: Leaving directory '/root/VSF/libvmod-vsthrottle'
make[1]: Leaving directory '/root/VSF/libvmod-vsthrottle'
install -o root -g root -d /etc/varnish/security
install -o root -g root -D vcl/rules /etc/varnish/security
install: omitting directory ‘vcl/rules’
Makefile:28: recipe for target 'install' failed
make: *** [install] Error 1

I can copy them manually but just thought I'd let you know

cp -r rules /etc/varnish/security/

Panic using VSF with Varnish plus 4.1

Hi there !
Would you please look at the included trace? I would love to continue using VSF with Varnish Plus; unfortunately, Varnish Plus is going crazy with the VSF module.

Last panic at: Mon, 11 Apr 2016 14:42:31 GMT
"Assert error in child_sigsegv_handler(), mgt/mgt_child.c line 282:
Condition(Segmentation fault by instruction at 0x18) not true.
thread = (cache-worker)
version = varnish-plus-4.1.2r1 revision 4d86388
ident = Linux,2.6.32-573.12.1.el6.x86_64,x86_64,-junix,-smse,-smalloc,-hcritbit,epoll
Backtrace:
0x439a53: pan_ic+0x163
0x459afa: varnishd() [0x459afa]
0x3ff5a0f790: libpthread.so.0() [0x3ff5a0f790]
0x431704: http_findhdr+0x14
0x431872: http_GetHdr+0x62
0x7f9d75174b4d: libvmod_vsf.so(vmod_body+0x8d) [0x7f9d75174b4d]
0x7f9d787d2d90: vgc.so(VGC_function_vcl_recv+0x1e0) [0x7f9d787d2d90]
0x446524: vcl_call_method+0x1e4
0x4468ea: VCL_recv_method+0x5a
0x43e2ca: CNT_Request+0x79a
req = 0x7f9ffe9a1020 {
vxid = 32770, step = R_STP_RECV,
req_body = R_BODY_NONE,
restarts = 0, esi_level = 0,
sp = 0x7f9ffd822220 {
fd = 23, vxid = 32769,
client = 10.102.4.5 25687,
step = S_STP_H1PROC,
},
worker = 0x7f9ffddd9b40 {
stack = {0x7f9ffddda000 -> 0x7f9ffddce000},
ws = 0x7f9ffddd9d38 {
id = \"wrk\",
{s,f,r,e} = {0x7f9ffddd92c0,0x7f9ffddd92c0,(nil),+2040},
},
VCL::method = inside RECV,
VCL::return = abandon,
VCL::methods = {RECV},
},
ws = 0x7f9ffe9a1210 {
id = \"req\",
{s,f,r,e} = {0x7f9ffe9a3010,+304,(nil),+57320},
},
http_conn = 0x7f9ffe9a1128 {
pfd = 0x7f9ffd822230(23),
doclose = NULL,
ws = 0x7f9ffe9a1210,
{rxbuf_b, rxbuf_e} = {0x7f9ffe9a3010, 0x7f9ffe9a3050},
{pipeline_b, pipeline_e} = {(nil), (nil)},
content_length = -1,
body_status = none,
first_byte_timeout = 0.000000,
between_bytes_timeout = 0.000000,
},
http[req] = 0x7f9ffe9a12a8 {
ws[req] = 0x7f9ffe9a1210,
hdrs {
\"HEAD\",
\"/is-alive\",
\"HTTP/1.1\",
\"User-agent: LB-Check\",
\"Host: haproxy\",
\"X-Forwarded-For: XX.XX.XX.XX\",
\"X-VSF-Actual-IP: XX.XX.XX.XX\",
\"X-VSF-ClientIP: XX.XX.XX.XX\",
\"X-VSF-Method: HEAD\",
\"X-VSF-Proto: HTTP/1.1\",
\"X-VSF-UA: LB-Check\",
\"X-VSF-URL: /is-alive\",
},
},
vcl = {
temp = warm
srcname = {
\"/etc/varnish/default.vcl\",
\"Builtin\",
\"/etc/varnish/security/vsf.vcl\",
\"/etc/varnish/security/build/variables.vcl\",
\"/etc/varnish/security/local.vcl\",
\"/etc/varnish/security/config.vcl\",
\"/etc/varnish/security/rules/protocol.vcl\",
\"/etc/varnish/security/rules/paths.vcl\",
\"/etc/varnish/security/rules/generic.vcl\",
\"/etc/varnish/security/rules/sql.vcl\",
\"/etc/varnish/security/rules/sql.encoded.vcl\",
\"/etc/varnish/security/rules/xss.vcl\",
\"/etc/varnish/security/rules/xss.encoded.vcl\",
\"/etc/varnish/security/rules/demo.vcl\",
\"/etc/varnish/security/rules/php.vcl\",
\"/etc/varnish/security/rules/cmd.vcl\",
\"/etc/varnish/security/rules/restricted-file-extensions.vcl\",
\"/etc/varnish/security/rules/content-encoding.vcl\",
\"/etc/varnish/security/rules/content-type.vcl\",
\"/etc/varnish/security/rules/localfiles.vcl\",
\"/etc/varnish/security/build/variables.vcl\",
\"/etc/varnish/security/handlers.vcl\",
\"/etc/varnish/rsr.vcl\",
\"/etc/varnish/tsr.vcl\",
\"/etc/varnish/marts.vcl\",
\"/etc/varnish/vcs_deliver.vcl\",
\"/etc/varnish/error_page.vcl\",
\"/etc/varnish/403_page.vcl\",
},
},
flags = {
},
},

Many thanks in advance for your support !

Jef

cmd changes

I have been doing pentesting today with command lines and can confirm you need a whitespace or %20. I would recommend adding an rm check too. Here is my attempt at a pull request for 3.0 and 4.0

blindpet@50ccfc1
blindpet@fd86e21

packages

distribution specific packages for

  • RHEL6 / 7
  • debian + ubuntu ppa
  • FreeBSD ports

Absolute instead of relative paths for vcl

The current varnish 4.1 repo is not working for me so I had to build from source so I could use VSF

I followed my regular guide as I usually do, but I get this error

Message from VCC-compiler:
Cannot read file 'security/config.vcl' (No such file or directory)
('/etc/varnish/security/vsf.vcl' Line 56 Pos 9)
include "security/config.vcl";
--------#####################-

I can see that it is there

find / -iname variables.vcl
/etc/varnish/security/build/variables.vcl

throttle and shield sets no per ip limit, but global instead

Hello, I want to block xmlrpc and wp-login requests only for an IP that floods and exceeds the allowed requests per second, while people from other IPs who open wp-login.php should not be affected. This is my configuration, which should be per IP only, but the limits actually apply to all IPs that open wp-login:

if (throttle.is_allowed("ip:" + req.http.X-Actual-IP, "45req/s") > 0s && (req.url ~ "xmlrpc.php|wp-login.php")) {
    error 429 "Calm down";
    shield.conn_reset();
}

My question is why this happens, and how I can change it so that the only blocked IP is the one that exceeds the request limit, not every IP that opens wp-login.php. Thank you in advance.
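Both throttling questions above (limiting per vhost instead of per IP, and a per-IP limit that behaves like a global one) come down to which string is passed as the throttle key. The following is an added example, not code from the VSF project or from either post: a simplified fixed-window model in Python, not the vmod's actual algorithm, run over constructed traffic with documentation-range addresses. It assumes that a request header which is not set contributes an empty string to the key.

```python
from collections import Counter, defaultdict

LIMIT = 10  # allowed requests per key per second (constructed value)


class KeyedThrottle:
    """Simplified model: at most `limit` hits per key in each 1-second window."""

    def __init__(self, limit):
        self.limit = limit
        self.hits = defaultdict(int)  # (key, second) -> hits seen so far

    def is_denied(self, key, now):
        slot = (key, int(now))
        self.hits[slot] += 1
        return self.hits[slot] > self.limit


def key_per_ip(req):
    # Models "ip:" + req.http.X-Actual-IP.
    # Assumption: a header that is not set yields "", so the key becomes "ip:".
    return "ip:" + req["headers"].get("X-Actual-IP", "")


def key_per_vhost(req):
    # One bucket per virtual host, whatever the source address.
    return "vhost:" + req["headers"]["Host"].lower()


def make_traffic(with_ip_header):
    """Constructed sample: one flooding client plus ordinary visitors, all in second 0."""
    def req(ip, host, url):
        headers = {"Host": host}
        if with_ip_header:
            headers["X-Actual-IP"] = ip
        return {"t": 0.0, "ip": ip, "headers": headers, "url": url}

    traffic = [req("203.0.113.9", "blog-a.example", "/xmlrpc.php") for _ in range(30)]
    traffic += [req(f"198.51.100.{i}", "blog-a.example", "/wp-login.php") for i in range(1, 13)]
    traffic += [req(f"192.0.2.{i}", "blog-b.example", "/wp-login.php") for i in range(1, 6)]
    return traffic


def denied_by_client(traffic, key_fn, limit=LIMIT):
    """Return {client ip: number of denied requests} for the chosen key function."""
    throttle = KeyedThrottle(limit)
    denied = Counter()
    for r in traffic:
        if throttle.is_denied(key_fn(r), r["t"]):
            denied[r["ip"]] += 1
    return dict(denied)


if __name__ == "__main__":
    cases = [
        ("per-IP key, header present", make_traffic(True), key_per_ip),
        ("per-IP key, header missing", make_traffic(False), key_per_ip),
        ("per-vhost key", make_traffic(True), key_per_vhost),
    ]
    for label, traffic, key_fn in cases:
        result = denied_by_client(traffic, key_fn)
        print(f"{label}: {len(result)} clients denied, {sum(result.values())} requests denied")
```

When the header used in the key is missing, every client lands in the single bucket "ip:", so the limit acts globally; with the vhost key, ordinary visitors of a flooded vhost are denied together with the flooder, while other vhosts are unaffected.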

error while build "libvmod-vsf" on ubuntu 14.04

$> ./autogen.sh

+ aclocal -I m4 -I /usr/share/aclocal
+ libtoolize --copy --force
libtoolize: putting auxiliary files in `.'.
libtoolize: copying file `./ltmain.sh'
libtoolize: putting macros in AC_CONFIG_MACRO_DIR, `m4'.
libtoolize: copying file `m4/libtool.m4'
libtoolize: copying file `m4/ltoptions.m4'
libtoolize: copying file `m4/ltsugar.m4'
libtoolize: copying file `m4/ltversion.m4'
libtoolize: copying file `m4/lt~obsolete.m4'
+ autoheader
+ automake --add-missing --copy --foreign
+ autoconf

$> ./configure
checking for a BSD-compatible install... /usr/bin/install -c
checking whether build environment is sane... yes
checking for a thread-safe mkdir -p... /bin/mkdir -p
checking for gawk... gawk
checking whether make sets $(MAKE)... yes
checking whether make supports nested variables... yes
checking for style of include used by make... GNU
checking for gcc... gcc
checking whether the C compiler works... yes
checking for C compiler default output file name... a.out
checking for suffix of executables...
checking whether we are cross compiling... no
checking for suffix of object files... o
checking whether we are using the GNU C compiler... yes
checking whether gcc accepts -g... yes
checking for gcc option to accept ISO C89... none needed
checking whether gcc understands -c and -o together... yes
checking dependency style of gcc... gcc3
checking for gcc option to accept ISO C99... -std=gnu99
checking build system type... x86_64-unknown-linux-gnu
checking host system type... x86_64-unknown-linux-gnu
checking how to print strings... printf
checking for a sed that does not truncate output... /bin/sed
checking for grep that handles long lines and -e... /bin/grep
checking for egrep... /bin/grep -E
checking for fgrep... /bin/grep -F
checking for ld used by gcc -std=gnu99... /usr/bin/ld
checking if the linker (/usr/bin/ld) is GNU ld... yes
checking for BSD- or MS-compatible name lister (nm)... /usr/bin/nm -B
checking the name lister (/usr/bin/nm -B) interface... BSD nm
checking whether ln -s works... yes
checking the maximum length of command line arguments... 1572864
checking whether the shell understands some XSI constructs... yes
checking whether the shell understands "+="... yes
checking how to convert x86_64-unknown-linux-gnu file names to x86_64-unknown-linux-gnu format... func_convert_file_noop
checking how to convert x86_64-unknown-linux-gnu file names to toolchain format... func_convert_file_noop
checking for /usr/bin/ld option to reload object files... -r
checking for objdump... objdump
checking how to recognize dependent libraries... pass_all
checking for dlltool... no
checking how to associate runtime and link libraries... printf %s\n
checking for ar... ar
checking for archiver @file support... @
checking for strip... strip
checking for ranlib... ranlib
checking command to parse /usr/bin/nm -B output from gcc -std=gnu99 object... ok
checking for sysroot... no
checking for mt... mt
checking if mt is a manifest tool... no
checking how to run the C preprocessor... gcc -std=gnu99 -E
checking for ANSI C header files... yes
checking for sys/types.h... yes
checking for sys/stat.h... yes
checking for stdlib.h... yes
checking for string.h... yes
checking for memory.h... yes
checking for strings.h... yes
checking for inttypes.h... yes
checking for stdint.h... yes
checking for unistd.h... yes
checking for dlfcn.h... yes
checking for objdir... .libs
checking if gcc -std=gnu99 supports -fno-rtti -fno-exceptions... no
checking for gcc -std=gnu99 option to produce PIC... -fPIC -DPIC
checking if gcc -std=gnu99 PIC flag -fPIC -DPIC works... yes
checking if gcc -std=gnu99 static flag -static works... yes
checking if gcc -std=gnu99 supports -c -o file.o... yes
checking if gcc -std=gnu99 supports -c -o file.o... (cached) yes
checking whether the gcc -std=gnu99 linker (/usr/bin/ld -m elf_x86_64) supports shared libraries... yes
checking whether -lc should be explicitly linked in... no
checking dynamic linker characteristics... GNU/Linux ld.so
checking how to hardcode library paths into programs... immediate
checking whether stripping libraries is possible... yes
checking if libtool supports shared libraries... yes
checking whether to build shared libraries... yes
checking whether to build static libraries... no
checking for python3... /usr/bin/python3
checking for rst2man... /usr/bin/rst2man
checking for pkg-config... /usr/bin/pkg-config
checking pkg-config is at least version 0.9.0... yes
checking vsha256.h usability... yes
checking vsha256.h presence... yes
checking for vsha256.h... yes
checking cache/cache.h usability... yes
checking cache/cache.h presence... yes
checking for cache/cache.h... yes
checking for varnishtest... /usr/bin/varnishtest
checking for varnishd... /usr/sbin/varnishd
checking that generated files are newer than configure... done
configure: creating ./config.status
config.status: creating Makefile
config.status: creating src/Makefile
config.status: creating config.h
config.status: config.h is unchanged
config.status: executing depfiles commands
config.status: executing libtool commands

$> make
make all-recursive
make[1]: Entering directory `/opt/VSF/libvmod-vsf'
Making all in src
make[2]: Entering directory `/opt/VSF/libvmod-vsf/src'
/usr/bin/python3 /usr/share/varnish/vmodtool.py ../src/vmod.vcc
Traceback (most recent call last):
  File "/usr/share/varnish/vmodtool.py", line 924, in <module>
    runmain(i_vcc)
  File "/usr/share/varnish/vmodtool.py", line 840, in runmain
    i.parse(vx)
  File "/usr/share/varnish/vmodtool.py", line 721, in parse
    o = parse_func(self)
  File "/usr/share/varnish/vmodtool.py", line 644, in parse_func
    raise Exception("ARG? %s", t.str)
Exception: ('ARG? %s', 'PRIV_TASK')
make[2]: *** [vcc_if.h] Error 1
make[2]: Leaving directory `/opt/VSF/libvmod-vsf/src'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/opt/VSF/libvmod-vsf'
make: *** [all] Error 2

$> autoconf -V
autoconf (GNU Autoconf) 2.69

Centos 6 + VSF + Varnish 4.1

Hi guys,

any hint on how I can get past this error?

bin/sh ../libtool --tag=CC --mode=compile gcc -std=gnu99 -DHAVE_CONFIG_H -I. -I.. -I/usr/include/varnish -I../../utf8proc -std=c99 -g -O2 -MT libvmod_vsf_la-vmod_vsf.lo -MD -MP -MF .deps/libvmod_vsf_la-vmod_vsf.Tpo -c -o libvmod_vsf_la-vmod_vsf.lo `test -f 'vmod_vsf.c' || echo './'`vmod_vsf.c
libtool: compile: gcc -std=gnu99 -DHAVE_CONFIG_H -I. -I.. -I/usr/include/varnish -I../../utf8proc -std=c99 -g -O2 -MT libvmod_vsf_la-vmod_vsf.lo -MD -MP -MF .deps/libvmod_vsf_la-vmod_vsf.Tpo -c vmod_vsf.c -fPIC -DPIC -o .libs/libvmod_vsf_la-vmod_vsf.o
vmod_vsf.c: In function ‘vmod_body’:
vmod_vsf.c:134: warning: implicit declaration of function ‘strncasecmp’
vmod_vsf.c: In function ‘vmod_normalize’:
vmod_vsf.c:206: error: ‘utf8proc_ssize_t’ undeclared (first use in this function)
vmod_vsf.c:206: error: (Each undeclared identifier is reported only once
vmod_vsf.c:206: error: for each function it appears in.)
vmod_vsf.c:206: error: expected ‘;’ before ‘len’
vmod_vsf.c:224: error: ‘len’ undeclared (first use in this function)
vmod_vsf.c:224: error: ‘utf8proc_uint8_t’ undeclared (first use in this function)
vmod_vsf.c:224: error: expected expression before ‘)’ token
vmod_vsf.c:225: error: too few arguments to function ‘utf8proc_decompose’
vmod_vsf.c:234: error: ‘utf8proc_int32_t’ undeclared (first use in this function)
vmod_vsf.c:234: error: expected expression before ‘)’ token
vmod_vsf.c:234: error: too few arguments to function ‘utf8proc_reencode’
make[2]: *** [libvmod_vsf_la-vmod_vsf.lo] Error 1
make[2]: Leaving directory `/root/vmod/VSF/libvmod-vsf/src'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/root/vmod/VSF/libvmod-vsf'
make: *** [all] Error 2

Compiling on Ubuntu 20.04

Hi,

First of all, I would like to thank you for the great work. Your VSF module has become an indispensable tool on our web platforms.
However, we are currently reinstalling all our Redhat based servers with Ubuntu.

But unfortunately, we are not able to compile the module anymore. The make command ends up with the following error:

make[3]: Entering directory '/root/install/VSF/libvmod-vsf/src'
/bin/bash ../libtool  --tag=CC   --mode=compile gcc -DHAVE_CONFIG_H -I. -I..    -I/usr/include/varnish -I../utf8proc -g -O2 -MT libvmod_vsf_la-vmod_vsf.lo -MD -MP -MF .deps/libvmod_vsf_la-vmod_vsf.Tpo -c -o libvmod_vsf_la-vmod_vsf.lo `test -f 'vmod_vsf.c' || echo './'`vmod_vsf.c
libtool: compile:  gcc -DHAVE_CONFIG_H -I. -I.. -I/usr/include/varnish -I../utf8proc -g -O2 -MT libvmod_vsf_la-vmod_vsf.lo -MD -MP -MF .deps/libvmod_vsf_la-vmod_vsf.Tpo -c vmod_vsf.c  -fPIC -DPIC -o .libs/libvmod_vsf_la-vmod_vsf.o
In file included from /usr/include/varnish/cache/cache_varnishd.h:32,
                 from vmod_vsf.c:34:
/usr/include/varnish/cache/cache.h:202:1: warning: data definition has no type or storage class
  202 | VRBT_HEAD(vrt_priv_tree,vrt_priv);
      | ^~~~~~~~~
/usr/include/varnish/cache/cache.h:202:1: warning: type defaults to ‘int’ in declaration of ‘VRBT_HEAD’ [-Wimplicit-int]
/usr/include/varnish/cache/cache.h:202:1: warning: parameter names (without types) in function declaration
/usr/include/varnish/cache/cache.h:207:23: error: field ‘privs’ has incomplete type
  207 |  struct vrt_priv_tree privs;
      |                       ^~~~~
vmod_vsf.c: In function ‘vmod_body’:
vmod_vsf.c:117:28: warning: passing argument 2 of ‘VRB_Iterate’ from incompatible pointer type [-Wincompatible-pointer-types]
  117 |  if (VRB_Iterate(ctx->req, vsf_iter_req_body, vsb) == -1) {
      |                            ^~~~~~~~~~~~~~~~~
      |                            |
      |                            int (*)(void *, int,  const void *, ssize_t) {aka int (*)(void *, int,  const void *, long int)}
In file included from vmod_vsf.c:34:
/usr/include/varnish/cache/cache_varnishd.h:351:49: note: expected ‘int (*)(void *, unsigned int,  const void *, ssize_t)’ {aka ‘int (*)(void *, unsigned int,  const void *, long int)’} but argument is of type ‘int (*)(void *, int,  const void *, ssize_t)’ {aka ‘int (*)(void *, int,  const void *, long int)’}
  351 | ssize_t VRB_Iterate(struct req *, objiterate_f *func, void *priv);
      |                                   ~~~~~~~~~~~~~~^~~~
make[3]: *** [Makefile:670: libvmod_vsf_la-vmod_vsf.lo] Error 1
make[3]: Leaving directory '/root/install/VSF/libvmod-vsf/src'
make[2]: *** [Makefile:474: all-recursive] Error 1
make[2]: Leaving directory '/root/install/VSF/libvmod-vsf'
make[1]: *** [Makefile:385: all] Error 2
make[1]: Leaving directory '/root/install/VSF/libvmod-vsf'
make: *** [Makefile:12: libvmod-vsf/src/.libs/libvmod-vsf.so] Error 2

Do you have an idea how we can solve this issue?

Very many thanks in advance,

Best regards.

Patrick

VSF log

Where can I find the VSF log file?

I may need fail2ban to scan it. :)

Thank you!

new errors 4.0 branch

Should probably create an empty local.vcl

Cannot read file '/etc/varnish/security/local.vcl': No such file or directory
('/etc/varnish/security/vsf.vcl' Line 13 Pos 9)
include "/etc/varnish/security/local.vcl";
--------#################################-

Forgot to uncomment this line

Message from VCC-compiler:
Syntax error at
('/etc/varnish/security/rules/protocol.vcl' Line 33 Pos 5)
http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html#sec9.5
----#-------------------------------------------------------

Not sure how to fix this besides just commenting it out

Error:
Message from VCC-compiler:
Function sec_throttle redefined
('/etc/varnish/security/vsf.vcl' Line 156 Pos 5)
sub sec_throttle {
----############--

Error Installing on Centos 7 and Varnish 4.0.3 compiled from source

cd opt/
git clone https://github.com/comotion/VSF.git
export PKG_CONFIG_PATH=/usr/local/lib/pkgconfig
cd VSF/
make

...
/configure: line 11523: VARNISH_VMOD_INCLUDES: command not found
./configure: line 11524: VARNISH_VMOD_DIR: command not found
./configure: line 11525: VARNISH_VMODTOOL: command not found
checking for varnishtest... /usr/local/bin/varnishtest
checking for varnishd... /usr/local/sbin/varnishd
checking that generated files are newer than configure... done
configure: creating ./config.status
config.status: creating Makefile
config.status: creating src/Makefile
config.status: creating config.h
config.status: executing depfiles commands
config.status: executing libtool commands
make[1]: Entering directory `/opt/VSF/libvmod-vsf'
make all-recursive
make[2]: Entering directory `/opt/VSF/libvmod-vsf'
Making all in src
make[3]: Entering directory `/opt/VSF/libvmod-vsf/src'
/usr/bin/python2.7 ../src/vmod.vcc
File "../src/vmod.vcc", line 27
$Module vsf 3 Varnish Security Firewall
...

Unused sub sec_robot, defined:

First of all thanks for such nice work and keep it updated.

I am on Ubuntu 20.04 + varnish 6.6.1.

There is a problem:

Nov 17 15:45:42 ovh varnishreload[4085150]: Message from VCC-compiler:
Nov 17 15:45:42 ovh varnishreload[4085150]: Unused sub sec_robot, defined:
Nov 17 15:45:42 ovh varnishreload[4085150]: ('/etc/varnish/security/rules/robots.vcl' Line 15 Pos 5)
Nov 17 15:45:42 ovh varnishreload[4085150]: sub sec_robot {
Nov 17 15:45:42 ovh varnishreload[4085150]: ----#########--
Nov 17 15:45:42 ovh varnishreload[4085150]: Running VCC-compiler failed, exited with 2
Nov 17 15:45:42 ovh varnishreload[4085150]: VCL compilation failed
Nov 17 15:45:42 ovh varnishreload[4085150]: Command failed with error code 106

Can you check it?

Thank you.

Only checking first variable?

Hi There,

I am currently experimenting with VSF on a development server and am finding that it only catches malicious content if it was put in the first field of a form.

Something like this for example:

<script>alert(1);</script>

Causes a 403 to be returned if put in the very first element of any form that I have tested. If I put that in any other field, VSF ignores it.

Is anyone else seeing similar behaviour or have I just set something up wrong? Currently I have a completely out-of-the-box config and just followed the install instructions from here. No other changes have been made.

Any help or advice would be greatly appreciated! Thanks!

Relative include paths cause VCL compilation error

Setup:

  • Varnish-4.1.0 revision 3041728
  • VSF (master ea07f16)
  • Ubuntu 14.04

Recent changes to the VSF VCL files appear to have introduced relative VCL path includes.
I have a basic fresh install of Varnish and the VSF mod, having only added the VSF include at the top of /etc/varnish/default.vcl per the installation instructions.

vcl 4.0;

include "/etc/varnish/security/vsf.vcl";

...

When running Varnish I receive a VCL compilation error:

$ sudo varnishd -f /etc/varnish/default.vcl
Error:
Message from VCC-compiler:
Cannot read file 'build/variables.vcl': No such file or directory
('/etc/varnish/security/vsf.vcl' Line 10 Pos 9)
include "build/variables.vcl";
--------#####################-

Running VCC-compiler failed, exited with 2
VCL compilation failed

To fix I have prefixed each include path in vsf.vcl and config.vcl with the "security" symlink.

EG:

include "security/build/variables.vcl";

include "security/local.vcl";

Is there another way to approach this which does not involve altering the include paths, or is this an actual issue?

Thanks

VSF 6.6 branch?

Please put back 6.6 branch.

Ubuntu 22.04 comes with varnish 6.6 by default.

Thanks!
