comotion / vsf
Varnish Security Firewall
License: Other
Please see issue #2136 on varnish-cache:
varnishcache/varnish-cache#2136
When sending a POST request to a special URL, the cache-worker child panics, and it seems to be related to the VSF, as when I remove the VSF include I am unable to reproduce the problem.
Please let me know what you require in order to debug this further.
Thanks!
Hello, I built varnish 4 from source with vsf and want to accomplish the following throttling:
A limit of 100 concurrent requests from an IP. On the 101st request the connection is to be dropped. I tried the following configuration, which works in a totally different way, which I will explain below:
sub vcl_recv {
    if (vsthrottle.is_denied(client.identity, 100, 0s)) {
        # Client has exceeded 15 reqs per 10s
        return (synth(429, "Too Many Requests"));
    }
}
Tried also with 1s instead of 0s (then it doesn't throttle at all).
Tried also the following, but one request is OK and on the second refresh the request is throttled, instead of 100 requests being OK and the 101st being throttled.
if (vsthrottle.is_denied(req.http.X-Actual-IP, 100, 0s)) {
What is wrong with the configuration and how can I achieve the throttling the way I want?
Thank you in advance.
Ideally tests should be done with varnishtest.
I have been testing VSF with Varnish 4.1 and WordPress and get some false positives. In your cmd.vcl the cat (third curl) is greedy and captures category. I have modified it to be
if (req.url ~ "(=|;|&&|%7C%7C)cat.+(?:egory)")
but there may be a better way.
Also, echo and cat are mislabeled as curl for the X-VSF-RuleName in cmd.vcl.
I can't compile vsf on varnish 3 with a lot of probes. Here are all my steps and the error I see:
yum install docutils pcre-devel gcc* git nano -y
wget http://repo.varnish-cache.org/source/varnish-3.0.3.tar.gz
rm varnish-3.0.3.tar.gz
cd /usr/local/src
wget http://repo.varnish-cache.org/source/varnish-3.0.3.tar.gz
tar xvvf varnish-3.0.3.tar.gz
cd varnish-3.0.3/
./configure
make
make install
varnishd -V
cd -
git clone https://github.com/comotion/VSF.git
cd VSF/
git clone https://github.com/fastly/libvmod-urlcode.git
git clone https://github.com/nand2/libvmod-throttle.git
git clone https://github.com/xcir/libvmod-parsereq.git
git clone https://github.com/varnish/libvmod-shield.git
for mod in parsereq urlcode shield throttle; do cd libvmod-$mod; ./autogen.sh && VARNISHSRC=/usr/local/src/varnish-3.0.3 VMODDIR=/usr/lib64/varnish/vmods ./configure && make -j3; make install; cd -; done
make[1]: Entering directory `/usr/local/src/VSF/libvmod-urlcode/src'
make[1]: *** No rule to make target `@VMODTOOL@', needed by `vcc_if.c'. Stop.
make[1]: Leaving directory `/usr/local/src/VSF/libvmod-urlcode/src'
make: *** [install-recursive] Error 1
Then I installed varnish-libs and varnish-libs-devel from here:
https://repo.varnish-cache.org/redhat/varnish-3.0/el6/x86_64/varnish/
BUT I see again the error for VMODTOOLS and can't fix this - why?
Setup:
I seem to have encountered a buffer overflow in vmod_normalize() relating to utf8proc_decompose().
Assert error in child_sigsegv_handler(), mgt/mgt_child.c line 297:
Condition(Segmentation fault by instruction at 0x7fd277225738) not true.
Not being an expert in either VSF, utf8proc or even C, my assumptions may be incorrect. At minimum I do receive a panic which crashes the varnish child when it is encountered.
To reproduce:
echo -e "HTTP/1.1 200 OK\n\n" | nc -l localhost 8080
$ sudo varnishd -d -f /etc/varnish/default.vcl -T localhost:6092
Platform: Linux,3.13.0-66-generic,x86_64,-junix,-smalloc,-smalloc,-hcritbit
200 283
-----------------------------
Varnish Cache CLI 1.0
-----------------------------
Linux,3.13.0-66-generic,x86_64,-junix,-smalloc,-smalloc,-hcritbit
varnish-4.1.0 revision 3041728
Type 'help' for command list.
Type 'quit' to close CLI session.
Type 'start' to launch worker process.
start
child (26635) Started
200 0
Child (26635) said Child starts
dd if=/dev/urandom of=file.txt bs=1024 count=70
curl --data-urlencode @file.txt http://localhost
The varnish child then crashes and produces the error mentioned above.
I think I have narrowed down the cause to the following line in vmod_normalize():
len = utf8proc_decompose((utf8proc_uint8_t *)s, 0 /* IGNORED */,
(utf8proc_int32_t *)p, u, options);
I think the problem is that WS_Reserve() returns the available buffer space in bytes, which is then stored in u. However, utf8proc_decompose() is looking for a buffer with a length specified in utf8proc_int32_t, not in bytes. This call will also clobber the magic number stored in ctx->ws->e, which I think marks the end of the available workspace.
I will issue a pull request shortly for my proposed fix, as there is more that needs to change since correcting the buffer size issue does not completely fix it.
Thanks
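The unit mismatch described in the report above, reduced to a self-contained toy model (an added example, not VSF's code and not the proposed pull request). `toy_ws_reserve`, `toy_decompose`, `store` and the marker value are hypothetical stand-ins for `WS_Reserve()`, `utf8proc_decompose()` and the workspace end marker; only the capacity units are modelled.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define WS_BYTES 64                            /* constructed: free bytes in the toy workspace */
#define WS_SLOTS (WS_BYTES / sizeof(int32_t))  /* the same space counted in int32 slots (16) */
#define END_MARK 0x5A5AA5A5                    /* constructed stand-in for the end-of-workspace magic */

/* One flat array: slots [0, WS_SLOTS) are the reservable workspace, slot
 * WS_SLOTS holds the end marker, and the rest is slack so that the over-long
 * write of the first variant stays inside this object and can be observed. */
static int32_t store[WS_BYTES + 1];

/* Constructed 40-byte sample input. */
static const uint8_t SAMPLE[] =
    "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA";

/* Hypothetical stand-in with the buffer contract of utf8proc_decompose():
 * bufsize counts int32 code points, at most bufsize of them are written, and
 * the number of code points the input needs is returned. For brevity each
 * input byte is treated as one code point. */
static ptrdiff_t toy_decompose(const uint8_t *s, size_t len,
                               int32_t *buf, ptrdiff_t bufsize)
{
    for (size_t i = 0; i < len && (ptrdiff_t)i < bufsize; i++)
        buf[i] = s[i];
    return (ptrdiff_t)len;
}

/* Toy reserve: hands out the whole free area and reports its size in BYTES. */
static size_t toy_ws_reserve(int32_t **p)
{
    memset(store, 0, sizeof store);
    store[WS_SLOTS] = END_MARK;
    *p = store;
    return WS_BYTES;
}

/* 1 if the end marker still holds its value, 0 if it was overwritten. */
static int marker_intact(void)
{
    return store[WS_SLOTS] == END_MARK;
}

/* As described in the report: the byte count is passed as the capacity,
 * so the callee believes it has four times the room that exists. */
static ptrdiff_t normalize_bytes_as_slots(const uint8_t *s, size_t len)
{
    int32_t *p;
    size_t u = toy_ws_reserve(&p);
    return toy_decompose(s, len, p, (ptrdiff_t)u);
}

/* Capacity converted to int32 slots. A result larger than the capacity means
 * the output did not fit; it is reported as -1 instead of being used. */
static ptrdiff_t normalize_slots(const uint8_t *s, size_t len)
{
    int32_t *p;
    size_t u = toy_ws_reserve(&p);
    ptrdiff_t cap = (ptrdiff_t)(u / sizeof(int32_t));
    ptrdiff_t n = toy_decompose(s, len, p, cap);
    return n > cap ? -1 : n;
}

int main(void)
{
    ptrdiff_t r = normalize_bytes_as_slots(SAMPLE, 40);
    printf("bytes as slots: result %td, marker %s\n",
           r, marker_intact() ? "intact" : "clobbered");

    r = normalize_slots(SAMPLE, 40);
    printf("int32 slots:    result %td, marker %s\n",
           r, marker_intact() ? "intact" : "clobbered");
    return 0;
}
```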
Is it possible to build varnish6.2?
Centos7
Varnish6.2
Python 3.6.3
I got the following error.
/bin/sh ../libtool --tag=CC --mode=compile gcc -std=gnu99 -DHAVE_CONFIG_H -I. -I.. -I/usr/local/varnish/include/varnish -I../utf8proc -g -O2 -MT libvmod_vsf_la-vmod_vsf.lo -MD -MP -MF .deps/libvmod_vsf_la-vmod_vsf.Tpo -c -o libvmod_vsf_la-vmod_vsf.lo `test -f 'vmod_vsf.c' || echo './'`vmod_vsf.c
libtool: compile: gcc -std=gnu99 -DHAVE_CONFIG_H -I. -I.. -I/usr/local/varnish/include/varnish -I../utf8proc -g -O2 -MT libvmod_vsf_la-vmod_vsf.lo -MD -MP -MF .deps/libvmod_vsf_la-vmod_vsf.Tpo -c vmod_vsf.c -fPIC -DPIC -o .libs/libvmod_vsf_la-vmod_vsf.o
In file included from /usr/local/varnish/include/varnish/cache/cache_varnishd.h:32:0,
from vmod_vsf.c:34:
/usr/local/varnish/include/varnish/cache/cache.h:202:1: warning: data definition has no type or storage class [enabled by default]
VRBT_HEAD(vrt_priv_tree,vrt_priv);
^
/usr/local/varnish/include/varnish/cache/cache.h:202:1: warning: type defaults to 'int' in declaration of 'VRBT_HEAD' [enabled by default]
/usr/local/varnish/include/varnish/cache/cache.h:202:1: warning: parameter names (without types) in function declaration [enabled by default]
/usr/local/varnish/include/varnish/cache/cache.h:207:23: error: field 'privs' has incomplete type
struct vrt_priv_tree privs;
^
vmod_vsf.c: In function 'vmod_body':
vmod_vsf.c:117:2: warning: passing argument 2 of 'VRB_Iterate' from incompatible pointer type [enabled by default]
if (VRB_Iterate(ctx->req, vsf_iter_req_body, vsb) == -1) {
^
In file included from vmod_vsf.c:34:0:
/usr/local/varnish/include/varnish/cache/cache_varnishd.h:351:9: note: expected 'int (*)(void *, unsigned int, const void *, ssize_t)' but argument is of type 'int (*)(void *, int, const void *, ssize_t)'
ssize_t VRB_Iterate(struct req *, objiterate_f *func, void *priv);
VSF needs to work on Varnish 4.0. Port the VCL first, then the vmods.
I believe it is not designed for h2?
Varnish 4.0 is supported (albeit without body inspection) in the 4.0 branch.
line 7:
if (req.http.User-Agent ~ "(i)
should be:
if (req.http.User-Agent ~ "(?i)
Trying to build with Varnish 4.1 and getting this error, instructions are the same as I used last time I tested
make all-recursive
make[1]: Entering directory '/root/VSF/libvmod-vsf'
Making all in src
make[2]: Entering directory '/root/VSF/libvmod-vsf/src'
/bin/bash ../libtool --tag=CC --mode=compile gcc -std=gnu99 -DHAVE_CONFIG_H -I. -I.. -I/usr/include/varnish -I../utf8proc -g -O2 -MT libvmod_vsf_la-vmod_vsf.lo -MD -MP -MF .deps/libvmod_vsf_la-vmod_vsf.Tpo -c -o libvmod_vsf_la-vmod_vsf.lo `test -f 'vmod_vsf.c' || echo './'`vmod_vsf.c
libtool: compile: gcc -std=gnu99 -DHAVE_CONFIG_H -I. -I.. -I/usr/include/varnish -I../utf8proc -g -O2 -MT libvmod_vsf_la-vmod_vsf.lo -MD -MP -MF .deps/libvmod_vsf_la-vmod_vsf.Tpo -c vmod_vsf.c -fPIC -DPIC -o .libs/libvmod_vsf_la-vmod_vsf.o
vmod_vsf.c:60:22: fatal error: utf8proc.h: No such file or directory
#include <utf8proc.h>
^
compilation terminated.
Makefile:638: recipe for target 'libvmod_vsf_la-vmod_vsf.lo' failed
make[2]: *** [libvmod_vsf_la-vmod_vsf.lo] Error 1
make[2]: Leaving directory '/root/VSF/libvmod-vsf/src'
Makefile:453: recipe for target 'all-recursive' failed
make[1]: *** [all-recursive] Error 1
Hi,
Running make in the vcl sub-dir fails:
[...]
rules/user-agent.vcl: || req.http.user-agent == "VadixBot"
rules/user-agent.vcl: || req.http.user-agent == "WebVulnCrawl.blogspot.com/1.0 libwww-perl/5.803"
rules/user-agent.vcl: || req.http.user-agent == "Wells Search II"
rules/user-agent.vcl: || req.http.user-agent == "WEP Search 00"
*** Failed target: check
*** Failed command: ../tools/check_variables
*** Error code 1
Stop.
make: stopped in /root/work/varnish-vmods/VSF/vcl
Global:.ERROR_TARGET = check
Applying[MAKE_PRINT_VAR_ON_ERROR] :@ to ""
Modifier pattern: "v"
Modifier pattern: "$v='${$v}'
"
Result[MAKE_PRINT_VAR_ON_ERROR] of :@ is ""
Hello,
utf8proc has released a new version, 2.7.0:
Unicode 14 support ([#233]).
Support GNUInstallDirs in CMake build ([#159]).
cmake build now installs pkg-config file ([#224]).
Various build and portability improvements.
make && make install is ok
varnishd -C -f /etc/varnish/default.vcl
Could not delete 'vcl_boot.1639807852.042728/vgc.sym': No such file or directory
Message from VCC-compiler:
Could not open VMOD vsf
File name: /root/VSF-6.6/libvmod-vsf/src/.libs/libvmod_vsf.so
dlerror: /root/VSF-6.6/libvmod-vsf/src/.libs/libvmod_vsf.so: cannot open shared object file: Permission denied
('/etc/varnish/security/vsf.vcl' Line 7 Pos 8)
import vsf from "/root/VSF-6.6/libvmod-vsf/src/.libs/libvmod_vsf.so";
-------###-----------------------------------------------------------
Running VCC-compiler failed, exited with 2
VCL compilation failed
Hi there,
I'm using the 4.0 branch of the VSF.
Unfortunately I can't figure out how to get the honeypot backend working.
The request gets restarted and never reaches the backend specified as sec_honey.
Here is the varnishlog output:
<< Request >> 32774
- Begin req 32773 rxreq
- Timestamp Start: 1455876150.014326 0.000000 0.000000
- Timestamp Req: 1455876150.014326 0.000000 0.000000
- ReqStart 10.102.68.87 38960 10.102.68.87 38960
- ReqMethod GET
- ReqURL /SELECT%20*%20FROM
- ReqProtocol HTTP/1.1
- ReqHeader User-Agent: curl/7.39.0
- ReqHeader Accept: */*
- ReqHeader Host: www.pres01.ecestage.rts.ch
- ReqHeader X-Forwarded-For: 10.102.68.87
- VCL_call RECV
- ReqHeader X-VSF-Actual-IP: 10.102.68.87
- ReqHeader X-VSF-ClientIP: 10.102.68.87
- ReqHeader X-VSF-Method: GET
- ReqHeader X-VSF-Proto: HTTP/1.1
- ReqHeader X-VSF-UA: curl/7.39.0
- ReqHeader X-VSF-URL: /SELECT * FROM
- ReqHeader X-VSF-Client: [10.102.68.87] www.pres01.ecestage.rts.ch/SELECT%20*%20FROM (curl/7.39.0)
- ReqHeader X-VSF-Restarted: restarted
- ReqHeader X-VSF-Module: sql
- ReqHeader X-VSF-RuleName: SQL Injection Attempt: SELECT FROM
- ReqHeader X-VSF-RuleID: 1
- ReqHeader X-VSF-RuleInfo: Checks if someone tries to use SQL statement in URL: SELECT FROM
- ReqHeader X-VSF-Severity: 1
- ReqHeader X-VSF-Rule: sql-1
- ReqHeader X-VSF-Response:
- Debug "VCL_error(803, Sexy Honey)"
- VCL_return synth
- VCL_call HASH
- VCL_return lookup
- Timestamp Process: 1455876150.014493 0.000167 0.000167
- RespHeader Date: Fri, 19 Feb 2016 10:02:30 GMT
- RespHeader Server: Varnish
- RespHeader X-Varnish: 32774
- RespProtocol HTTP/1.1
- RespStatus 803
- RespReason Unknown HTTP Status
- RespReason Sexy Honey
- VCL_call SYNTH
- VCL_Log security.vcl alert xid:32774 HTTP/1.1 [sql-1][10.102.68.87] www.pres01.ecestage.rts.ch/SELECT%20*%20FROM (curl/7.39.0) (SQL Injection Attempt: SELECT FROM)
- ReqUnset X-VSF-Response:
- ReqHeader X-VSF-Response: honeypot me
- VCL_return restart
- Timestamp Restart: 1455876150.014527 0.000201 0.000033
- Link req 32775 restart
- End
* << Request >> 32775
- Begin req 32774 restart
- Timestamp Start: 1455876150.014527 0.000201 0.000000
- ReqStart 10.102.68.87 38960 10.102.68.87 38960
- ReqMethod GET
- ReqURL /SELECT%20*%20FROM
- ReqProtocol HTTP/1.1
- ReqHeader User-Agent: curl/7.39.0
- ReqHeader Accept: */*
- ReqHeader Host: www.pres01.ecestage.rts.ch
- ReqHeader X-Forwarded-For: 10.102.68.87
- ReqHeader X-VSF-Actual-IP: 10.102.68.87
- ReqHeader X-VSF-ClientIP: 10.102.68.87
- ReqHeader X-VSF-Method: GET
- ReqHeader X-VSF-Proto: HTTP/1.1
- ReqHeader X-VSF-UA: curl/7.39.0
- ReqHeader X-VSF-URL: /SELECT * FROM
- ReqHeader X-VSF-Client: [10.102.68.87] www.pres01.ecestage.rts.ch/SELECT%20*%20FROM (curl/7.39.0)
- ReqHeader X-VSF-Restarted: restarted
- ReqHeader X-VSF-Module: sql
- ReqHeader X-VSF-RuleName: SQL Injection Attempt: SELECT FROM
- ReqHeader X-VSF-RuleID: 1
- ReqHeader X-VSF-RuleInfo: Checks if someone tries to use SQL statement in URL: SELECT FROM
- ReqHeader X-VSF-Severity: 1
- ReqHeader X-VSF-Rule: sql-1
- ReqHeader X-VSF-Response: honeypot me
- VCL_call RECV
- ReqUnset X-VSF-Severity: 1
- ReqUnset X-VSF-Module: sql
- ReqUnset X-VSF-RuleID: 1
- ReqUnset X-VSF-Rule: sql-1
- ReqUnset X-VSF-RuleName: SQL Injection Attempt: SELECT FROM
- ReqUnset X-VSF-RuleInfo: Checks if someone tries to use SQL statement in URL: SELECT FROM
- ReqUnset X-VSF-Client: [10.102.68.87] www.pres01.ecestage.rts.ch/SELECT%20*%20FROM (curl/7.39.0)
- ReqUnset X-VSF-Response: honeypot me
- ReqUnset X-VSF-ClientIP: 10.102.68.87
- ReqUnset X-VSF-Method: GET
- ReqUnset X-VSF-Proto: HTTP/1.1
- ReqUnset X-VSF-UA: curl/7.39.0
- ReqUnset X-VSF-URL: /SELECT * FROM
- ReqUnset X-VSF-Actual-IP: 10.102.68.87
- ReqHeader X-VSF-Actual-IP: 10.102.68.87
- ReqHeader X-VSF-ClientIP: 10.102.68.87
- ReqHeader X-VSF-Method: GET
- ReqHeader X-VSF-Proto: HTTP/1.1
- ReqHeader X-VSF-UA: curl/7.39.0
- ReqHeader X-VSF-URL: /SELECT * FROM
- ReqHeader X-VSF-Client: [10.102.68.87] www.pres01.ecestage.rts.ch/SELECT%20*%20FROM (curl/7.39.0)
- ReqUnset X-VSF-Restarted: restarted
- ReqHeader X-VSF-Restarted: restarted
- ReqHeader X-VSF-Module: sql
- ReqHeader X-VSF-RuleName: SQL Injection Attempt: SELECT FROM
- ReqHeader X-VSF-RuleID: 1
- ReqHeader X-VSF-RuleInfo: Checks if someone tries to use SQL statement in URL: SELECT FROM
- ReqHeader X-VSF-Severity: 1
- ReqHeader X-VSF-Rule: sql-1
- ReqHeader X-VSF-Response:
- Debug "VCL_error(803, Sexy Honey)"
- VCL_return synth
- VCL_call HASH
- VCL_return lookup
- Timestamp Process: 1455876150.014614 0.000288 0.000087
- RespHeader Date: Fri, 19 Feb 2016 10:02:30 GMT
- RespHeader Server: Varnish
- RespHeader X-Varnish: 32775
- RespProtocol HTTP/1.1
- RespStatus 803
- RespReason Unknown HTTP Status
- RespReason Sexy Honey
- VCL_call SYNTH
- RespHeader Content-Type: text/html; charset=utf-8
- VCL_return deliver
- RespHeader Content-Length: 10
- Debug "RES_MODE 2"
- RespHeader Connection: keep-alive
- Timestamp Resp: 1455876150.014665 0.000339 0.000051
- ReqAcct 107 0 107 183 10 193
- End
Add a note and use the utf8 [1] vmod to combat WAF evasion.
Installed this to protect mybb and getting a false positive for an sql injection when sending a message with this text
I've tried:
- System > Update Manager > Settings > Enable Community-maintained updates.
- Enable Mono and Mono Testing: Omv > Omv-extras.org > Enable them both and save then apply.
No go, Sonarr doesn't show up.
One guy:
http://forums.openmediavault.org/index.php/Thread/6609-Sonarr-NzbDrone-1-0-Plugin/?postID=78771#post78771
Said to just to enable mono testing and not mono.
I can enable mono and have mono testing disabled. But I can't have mono disabled and have mono testning enable. If I enable testing the other mono enables to.
Varnishlog
- Timestamp ReqBody: 1448830967.845978 0.000147 0.000147
- ReqHeader X-VSF-Body: my_post_key=05559b8cafbc7789f72e7369c8d7e6a8&to=manne&bcc=&subject=Re%3A+Omv+guide&action=do_send&pmid=571&do=reply&options%5Bsavecopy%5D=1&options%5Breadreceipt%5D=1&message=%0D%0AI%27ve+tried%3A%0D%0A-+System+%3E+Update+Manager+%3E+Settings
- ReqHeader X-VSF-Client: [162.158.134.241] forum.htpcguides.com/private.php (Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.86 Safari/537.36)
- ReqUnset Accept-Encoding: gzip
- ReqHeader Accept-Encoding: gzip
- ReqHeader X-VSF-Module: sql
- ReqHeader X-VSF-RuleName: SQL Injection
- ReqHeader X-VSF-RuleID: sql.sql-11
- ReqHeader X-VSF-Rule: sql-sql.sql-11
- ReqHeader X-VSF-Response: Naughty, not nice!
- VCL_return synth
- VCL_call HASH
- VCL_return lookup
- Timestamp Process: 1448830967.846190 0.000359 0.000212
- RespHeader Date: Sun, 29 Nov 2015 21:02:47 GMT
- RespHeader Server: Varnish
- RespHeader X-Varnish: 1540392
- RespProtocol HTTP/1.1
- RespStatus 801
- RespReason Unknown HTTP Status
- RespReason Rejected
- VCL_call SYNTH
- VCL_Log security.vcl alert xid:1540392 HTTP/1.1 [sql-sql.sql-11][162.158.134.241] forum.htpcguides.com/private.php (Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.86 Safari/537.36) (SQL Injection)
- RespStatus 403
- RespReason Forbidden
- RespReason Naughty, not nice!
- RespHeader Content-Type: text/html; charset=utf-8
- RespHeader Retry-After: 5
- VCL_return deliver
- RespHeader Content-Length: 278
- Storage malloc Transient
- Debug "RES_MODE 2"
- RespHeader Connection: keep-alive
- Timestamp Resp: 1448830967.846321 0.000490 0.000130
- ReqAcct 1327 968 2295 210 278 488
- End
Upon further testing it appears to not like the symbols in this text
About Sonarr:
I've tried:
- System > Update Manager > Settings > Enable Community-maintained updates.
- Enable Mono and Mono Testing: Omv > Omv-extras.org > Enable them both and save then apply.
No go, Sonarr doesn't show up.
Looking at more varnishlogs with the default rules, here is a false positive for Google ads as a Windows file:
SessionOpen c 108.162.215.39 32699 :80
13 ReqStart c 108.162.215.39 32699 1813224171
13 RxRequest c GET
13 RxURL c //pagead2.googlesyndication.com/pagead/js/adsbygoogle.js
13 RxProtocol c HTTP/1.1
13 RxHeader c Host: www.htpcguides.com
13 RxHeader c Connection: Keep-Alive
13 RxHeader c Accept-Encoding: gzip
13 RxHeader c CF-IPCountry: CN
13 RxHeader c X-Forwarded-For: 111.206.36.6
13 RxHeader c CF-RAY: 23b1cb9beb4b20ae-LAX
13 RxHeader c X-Forwarded-Proto: http
13 RxHeader c CF-Visitor: {"scheme":"http"}
13 RxHeader c Accept: */*
13 RxHeader c Accept-Charset: GB2312,utf-8;q=0.7,*;q=0.7
13 RxHeader c Accept-Language: zh-cn, zh;q=0.5
13 RxHeader c User-Agent: Mozilla/4.0
13 RxHeader c CF-Connecting-IP: 111.206.36.6
13 VCL_call c recv error
13 VCL_call c hash
13 Hash c //pagead2.googlesyndication.com/pagead/js/adsbygoogle.js
13 Hash c www.htpcguides.com
13 VCL_return c hash
13 VCL_call c error
13 VCL_Log c vcl_error
13 VCL_Log c security.vcl alert xid:1813224171 HTTP/1.1 [-path.win-2][108.162.215.39] www.htpcguides.com//pagead2.googlesyndication.com/pagead/js/adsbygoogle.js (Mozilla/4.0) (Windows File)
13 VCL_return c deliver
13 VCL_call c deliver deliver
13 TxProtocol c HTTP/1.1
13 TxStatus c 403
13 TxResponse c Naughty, not nice!
13 TxHeader c Server: Varnish
13 TxHeader c Content-Type: text/html; charset=utf-8
13 TxHeader c Retry-After: 5
13 TxHeader c Content-Length: 416
13 TxHeader c Accept-Ranges: bytes
13 TxHeader c Date: Sun, 25 Oct 2015 23:45:30 GMT
13 TxHeader c X-Varnish: 1813224171
13 TxHeader c Age: 0
13 TxHeader c Via: 1.1 varnish
13 TxHeader c Connection: close
13 TxHeader c X-Cache: MISS
13 Length c 416
13 ReqEnd c 1813224171 1445816730.184789658 1445816730.185124397 0.000099421 0.000262976 0.000071722
vmod_vsf.c:96:39: error: array type has incomplete element type ‘struct vmod_priv_methods’
96 | static const struct vmod_priv_methods vmod_body_methods[1] = {{
| ^~~~~~~~~~~~~~~~~
vmod_vsf.c:97:11: error: ‘VMOD_PRIV_METHODS_MAGIC’ undeclared here (not in a function); did you mean ‘VDI_METHODS_MAGIC’?
97 | .magic = VMOD_PRIV_METHODS_MAGIC,
| ^~~~~~~~~~~~~~~~~~~~~~~
| VDI_METHODS_MAGIC
vmod_vsf.c: In function ‘vmod_body’:
vmod_vsf.c:139:6: error: ‘struct vmod_priv’ has no member named ‘methods’
139 | priv->methods = vmod_body_methods;
| ^~
make[3]: *** [Makefile:671: libvmod_vsf_la-vmod_vsf.lo] Error 1
Also there is a problem since the dependencies require python-docutils which has been made obsolete by python3-docutils, and is no longer available for several Linux versions. Furthermore libvarnishapi-dev conflicts with varnish-dev, which is required for the OEM Varnish Modules package.
Any chance this could be updated to work with Varnish 6?
/bin/sh ../libtool --tag=CC --mode=compile gcc -std=gnu99 -DHAVE_CONFIG_H -I. -I.. -I/usr/local/include -I/usr/local/include/varnish -I../utf8proc -g -O2 -MT libvmod_vsf_la-vmod_vsf.lo -MD -MP -MF .deps/libvmod_vsf_la-vmod_vsf.Tpo -c -o libvmod_vsf_la-vmod_vsf.lo `test -f 'vmod_vsf.c' || echo './'`vmod_vsf.c
libtool: compile: gcc -std=gnu99 -DHAVE_CONFIG_H -I. -I.. -I/usr/local/include -I/usr/local/include/varnish -I../utf8proc -g -O2 -MT libvmod_vsf_la-vmod_vsf.lo -MD -MP -MF .deps/libvmod_vsf_la-vmod_vsf.Tpo -c vmod_vsf.c -fPIC -DPIC -o .libs/libvmod_vsf_la-vmod_vsf.o
In file included from vmod_vsf.c:35:
/usr/local/include/varnish/vrt.h:35:4: error: #error "vrt.h included after cache.h - they are inclusive"
/usr/local/include/varnish/vrt.h:39:4: error: #error "vrt.h included multiple times"
In file included from vmod_vsf.c:35:
/usr/local/include/varnish/vrt.h:127: error: redefinition of 'struct strands'
/usr/local/include/varnish/vrt.h:138: error: redefinition of typedef 'VCL_ACL'
/usr/local/include/varnish/vrt.h:138: error: previous declaration of 'VCL_ACL' was here
/usr/local/include/varnish/vrt.h:139: error: redefinition of typedef 'VCL_BACKEND'
/usr/local/include/varnish/vrt.h:139: error: previous declaration of 'VCL_BACKEND' was here
/usr/local/include/varnish/vrt.h:140: error: redefinition of typedef 'VCL_BLOB'
/usr/local/include/varnish/vrt.h:140: error: previous declaration of 'VCL_BLOB' was here
/usr/local/include/varnish/vrt.h:141: error: redefinition of typedef 'VCL_BODY'
/usr/local/include/varnish/vrt.h:141: error: previous declaration of 'VCL_BODY' was here
/usr/local/include/varnish/vrt.h:142: error: redefinition of typedef 'VCL_BOOL'
/usr/local/include/varnish/vrt.h:142: error: previous declaration of 'VCL_BOOL' was here
/usr/local/include/varnish/vrt.h:143: error: redefinition of typedef 'VCL_BYTES'
/usr/local/include/varnish/vrt.h:143: error: previous declaration of 'VCL_BYTES' was here
/usr/local/include/varnish/vrt.h:144: error: redefinition of typedef 'VCL_DURATION'
/usr/local/include/varnish/vrt.h:144: error: previous declaration of 'VCL_DURATION' was here
/usr/local/include/varnish/vrt.h:145: error: redefinition of typedef 'VCL_ENUM'
/usr/local/include/varnish/vrt.h:145: error: previous declaration of 'VCL_ENUM' was here
/usr/local/include/varnish/vrt.h:146: error: redefinition of typedef 'VCL_HEADER'
/usr/local/include/varnish/vrt.h:146: error: previous declaration of 'VCL_HEADER' was here
/usr/local/include/varnish/vrt.h:147: error: redefinition of typedef 'VCL_HTTP'
/usr/local/include/varnish/vrt.h:147: error: previous declaration of 'VCL_HTTP' was here
/usr/local/include/varnish/vrt.h:148: error: redefinition of typedef 'VCL_INSTANCE'
/usr/local/include/varnish/vrt.h:148: error: previous declaration of 'VCL_INSTANCE' was here
/usr/local/include/varnish/vrt.h:149: error: redefinition of typedef 'VCL_INT'
/usr/local/include/varnish/vrt.h:149: error: previous declaration of 'VCL_INT' was here
/usr/local/include/varnish/vrt.h:150: error: redefinition of typedef 'VCL_IP'
/usr/local/include/varnish/vrt.h:150: error: previous declaration of 'VCL_IP' was here
/usr/local/include/varnish/vrt.h:151: error: redefinition of typedef 'VCL_PROBE'
/usr/local/include/varnish/vrt.h:151: error: previous declaration of 'VCL_PROBE' was here
/usr/local/include/varnish/vrt.h:152: error: redefinition of typedef 'VCL_REAL'
/usr/local/include/varnish/vrt.h:152: error: previous declaration of 'VCL_REAL' was here
/usr/local/include/varnish/vrt.h:153: error: redefinition of typedef 'VCL_STEVEDORE'
/usr/local/include/varnish/vrt.h:153: error: previous declaration of 'VCL_STEVEDORE' was here
/usr/local/include/varnish/vrt.h:154: error: redefinition of typedef 'VCL_STRANDS'
/usr/local/include/varnish/vrt.h:154: error: previous declaration of 'VCL_STRANDS' was here
/usr/local/include/varnish/vrt.h:155: error: redefinition of typedef 'VCL_STRING'
/usr/local/include/varnish/vrt.h:155: error: previous declaration of 'VCL_STRING' was here
/usr/local/include/varnish/vrt.h:156: error: redefinition of typedef 'VCL_TIME'
/usr/local/include/varnish/vrt.h:156: error: previous declaration of 'VCL_TIME' was here
/usr/local/include/varnish/vrt.h:157: error: redefinition of typedef 'VCL_VCL'
/usr/local/include/varnish/vrt.h:157: error: previous declaration of 'VCL_VCL' was here
/usr/local/include/varnish/vrt.h:158: error: redefinition of typedef 'VCL_VOID'
/usr/local/include/varnish/vrt.h:158: error: previous declaration of 'VCL_VOID' was here
/usr/local/include/varnish/vrt.h:160: error: redefinition of 'struct vrt_type'
/usr/local/include/varnish/vrt.h:174: error: redefinition of 'struct vrt_ctx'
/usr/local/include/varnish/vrt.h:215: error: redefinition of 'struct vmod_data'
/usr/local/include/varnish/vrt.h:233: error: nested redefinition of 'enum vcl_event_e'
/usr/local/include/varnish/vrt.h:233: error: redeclaration of 'enum vcl_event_e'
/usr/local/include/varnish/vrt.h:234: error: redeclaration of enumerator 'VCL_EVENT_LOAD'
/usr/local/include/varnish/vrt.h:234: error: previous definition of 'VCL_EVENT_LOAD' was here
/usr/local/include/varnish/vrt.h:235: error: redeclaration of enumerator 'VCL_EVENT_WARM'
/usr/local/include/varnish/vrt.h:235: error: previous definition of 'VCL_EVENT_WARM' was here
/usr/local/include/varnish/vrt.h:236: error: redeclaration of enumerator 'VCL_EVENT_COLD'
/usr/local/include/varnish/vrt.h:236: error: previous definition of 'VCL_EVENT_COLD' was here
/usr/local/include/varnish/vrt.h:237: error: redeclaration of enumerator 'VCL_EVENT_DISCARD'
/usr/local/include/varnish/vrt.h:237: error: previous definition of 'VCL_EVENT_DISCARD' was here
/usr/local/include/varnish/vrt.h:283: error: redefinition of 'struct vrt_backend'
/usr/local/include/varnish/vrt.h:310: error: redefinition of 'struct vrt_backend_probe'
/usr/local/include/varnish/vrt.h:322: error: redefinition of 'struct vrt_ref'
/usr/local/include/varnish/vrt.h:336: error: redefinition of typedef 'acl_match_f'
/usr/local/include/varnish/vrt.h:336: error: previous declaration of 'acl_match_f' was here
/usr/local/include/varnish/vrt.h:338: error: redefinition of 'struct vrt_acl'
/usr/local/include/varnish/vrt.h:359: error: nested redefinition of 'enum gethdr_e'
/usr/local/include/varnish/vrt.h:359: error: redeclaration of 'enum gethdr_e'
/usr/local/include/varnish/vrt.h:360: error: redeclaration of enumerator 'HDR_REQ'
/usr/local/include/varnish/vrt.h:360: error: previous definition of 'HDR_REQ' was here
/usr/local/include/varnish/vrt.h:361: error: redeclaration of enumerator 'HDR_REQ_TOP'
/usr/local/include/varnish/vrt.h:361: error: previous definition of 'HDR_REQ_TOP' was here
/usr/local/include/varnish/vrt.h:362: error: redeclaration of enumerator 'HDR_RESP'
/usr/local/include/varnish/vrt.h:362: error: previous definition of 'HDR_RESP' was here
/usr/local/include/varnish/vrt.h:363: error: redeclaration of enumerator 'HDR_OBJ'
/usr/local/include/varnish/vrt.h:363: error: previous definition of 'HDR_OBJ' was here
/usr/local/include/varnish/vrt.h:364: error: redeclaration of enumerator 'HDR_BEREQ'
/usr/local/include/varnish/vrt.h:364: error: previous definition of 'HDR_BEREQ' was here
/usr/local/include/varnish/vrt.h:366: error: redeclaration of enumerator 'HDR_BERESP'
/usr/local/include/varnish/vrt.h:366: error: previous definition of 'HDR_BERESP' was here
/usr/local/include/varnish/vrt.h:368: error: redefinition of 'struct gethdr_s'
/usr/local/include/varnish/vrt.h:434: error: redefinition of typedef 'vmod_event_f'
/usr/local/include/varnish/vrt.h:434: error: previous declaration of 'vmod_event_f' was here
/usr/local/include/varnish/vrt.h:436: error: redefinition of typedef 'vmod_priv_free_f'
/usr/local/include/varnish/vrt.h:436: error: previous declaration of 'vmod_priv_free_f' was here
/usr/local/include/varnish/vrt.h:437: error: redefinition of 'struct vmod_priv'
In file included from vmod_vsf.c:37:
/usr/local/include/varnish/vsa.h:44: error: expected declaration specifiers or '...' before 'socklen_t'
vmod_vsf.c: In function 'vsf_iter_req_body':
vmod_vsf.c:98: warning: implicit declaration of function 'VSB_bcat'
vmod_vsf.c: In function '__match_proto__':
vmod_vsf.c:104: error: expected declaration specifiers before 'vmod_body'
vmod_vsf.c:149: error: expected '=', ',', ';', 'asm' or '__attribute__' before 'vmod_conn_reset'
vmod_vsf.c:168: error: expected '=', ',', ';', 'asm' or '__attribute__' before 'vmod_urldecode'
vmod_vsf.c:192: error: expected '=', ',', ';', 'asm' or '__attribute__' before 'vmod_normalize'
vmod_vsf.c:235: warning: type of 'td_vsf_body' defaults to 'int'
vmod_vsf.c:235: error: expected '{' at end of input
gmake[3]: *** [Makefile:651: libvmod_vsf_la-vmod_vsf.lo] Error 1
gmake[3]: Leaving directory '/root/work/varnish-vmods/VSF/libvmod-vsf/src'
gmake[2]: *** [Makefile:465: all-recursive] Error 1
gmake[2]: Leaving directory '/root/work/varnish-vmods/VSF/libvmod-vsf'
gmake[1]: *** [Makefile:376: all] Error 2
gmake[1]: Leaving directory '/root/work/varnish-vmods/VSF/libvmod-vsf'
gmake: *** [Makefile:12: libvmod-vsf/src/.libs/libvmod-vsf.so] Error 2
Hello,
I would like to ask you if there is a way through VSF/throttle or shield to limit xmlrpc queries, not only from one IP but per vhost. For example, if the limit is 15 and these 15 queries are from different IPs, they should be blocked. Now they are blocked only if these 15 requests come from one IP. This is the current configuration:
if ((req.url ~ "(wp-login.php|xmlrpc.php)")) {
    if (throttle.is_allowed("ip:" + client.ip, "10req/s") > 0s) {
        error 429 "Calm down";
        shield.conn_reset();
    }
}
For example, can I use some variable instead of client.ip that refers not to 15 queries from the source IP, but to 15 total requests from any IP to the vhost (without actually writing a different block for every vhost)?
Thank you in advance.
Building for Varnish 4.1 and getting this error with make install
See any operating system documentation about shared libraries for
more information, such as the ld(1) and ld.so(8) manual pages.
----------------------------------------------------------------------
make[3]: Leaving directory '/root/VSF/libvmod-vsthrottle/src'
make[2]: Leaving directory '/root/VSF/libvmod-vsthrottle/src'
make[2]: Entering directory '/root/VSF/libvmod-vsthrottle'
make[3]: Entering directory '/root/VSF/libvmod-vsthrottle'
make[3]: Nothing to be done for 'install-exec-am'.
/bin/mkdir -p '/usr/local/share/doc/libvmod-vsthrottle'
/usr/bin/install -c -m 644 README.rst LICENSE '/usr/local/share/doc/libvmod-vsthrottle'
/bin/mkdir -p '/usr/local/share/man/man3'
/usr/bin/install -c -m 644 vmod_vsthrottle.3 '/usr/local/share/man/man3'
make[3]: Leaving directory '/root/VSF/libvmod-vsthrottle'
make[2]: Leaving directory '/root/VSF/libvmod-vsthrottle'
make[1]: Leaving directory '/root/VSF/libvmod-vsthrottle'
install -o root -g root -d /etc/varnish/security
install -o root -g root -D vcl/rules /etc/varnish/security
install: omitting directory ‘vcl/rules’
Makefile:28: recipe for target 'install' failed
make: *** [install] Error 1
I can copy them manually but just thought I'd let you know
cp -r rules /etc/varnish/security/
Maybe.
Is VSF compatible with Varnish 4?
Hi there!
Would you please look at the included trace? I would love to continue using VSF with Varnish Plus; unfortunately, Varnish Plus is going crazy with the vsf module.
Last panic at: Mon, 11 Apr 2016 14:42:31 GMT
"Assert error in child_sigsegv_handler(), mgt/mgt_child.c line 282:
Condition(Segmentation fault by instruction at 0x18) not true.
thread = (cache-worker)
version = varnish-plus-4.1.2r1 revision 4d86388
ident = Linux,2.6.32-573.12.1.el6.x86_64,x86_64,-junix,-smse,-smalloc,-hcritbit,epoll
Backtrace:
0x439a53: pan_ic+0x163
0x459afa: varnishd() [0x459afa]
0x3ff5a0f790: libpthread.so.0() [0x3ff5a0f790]
0x431704: http_findhdr+0x14
0x431872: http_GetHdr+0x62
0x7f9d75174b4d: libvmod_vsf.so(vmod_body+0x8d) [0x7f9d75174b4d]
0x7f9d787d2d90: vgc.so(VGC_function_vcl_recv+0x1e0) [0x7f9d787d2d90]
0x446524: vcl_call_method+0x1e4
0x4468ea: VCL_recv_method+0x5a
0x43e2ca: CNT_Request+0x79a
req = 0x7f9ffe9a1020 {
vxid = 32770, step = R_STP_RECV,
req_body = R_BODY_NONE,
restarts = 0, esi_level = 0,
sp = 0x7f9ffd822220 {
fd = 23, vxid = 32769,
client = 10.102.4.5 25687,
step = S_STP_H1PROC,
},
worker = 0x7f9ffddd9b40 {
stack = {0x7f9ffddda000 -> 0x7f9ffddce000},
ws = 0x7f9ffddd9d38 {
id = \"wrk\",
{s,f,r,e} = {0x7f9ffddd92c0,0x7f9ffddd92c0,(nil),+2040},
},
VCL::method = inside RECV,
VCL::return = abandon,
VCL::methods = {RECV},
},
ws = 0x7f9ffe9a1210 {
id = \"req\",
{s,f,r,e} = {0x7f9ffe9a3010,+304,(nil),+57320},
},
http_conn = 0x7f9ffe9a1128 {
pfd = 0x7f9ffd822230(23),
doclose = NULL,
ws = 0x7f9ffe9a1210,
{rxbuf_b, rxbuf_e} = {0x7f9ffe9a3010, 0x7f9ffe9a3050},
{pipeline_b, pipeline_e} = {(nil), (nil)},
content_length = -1,
body_status = none,
first_byte_timeout = 0.000000,
between_bytes_timeout = 0.000000,
},
http[req] = 0x7f9ffe9a12a8 {
ws[req] = 0x7f9ffe9a1210,
hdrs {
\"HEAD\",
\"/is-alive\",
\"HTTP/1.1\",
\"User-agent: LB-Check\",
\"Host: haproxy\",
\"X-Forwarded-For: XX.XX.XX.XX\",
\"X-VSF-Actual-IP: XX.XX.XX.XX\",
\"X-VSF-ClientIP: XX.XX.XX.XX\",
\"X-VSF-Method: HEAD\",
\"X-VSF-Proto: HTTP/1.1\",
\"X-VSF-UA: LB-Check\",
\"X-VSF-URL: /is-alive\",
},
},
vcl = {
temp = warm
srcname = {
\"/etc/varnish/default.vcl\",
\"Builtin\",
\"/etc/varnish/security/vsf.vcl\",
\"/etc/varnish/security/build/variables.vcl\",
\"/etc/varnish/security/local.vcl\",
\"/etc/varnish/security/config.vcl\",
\"/etc/varnish/security/rules/protocol.vcl\",
\"/etc/varnish/security/rules/paths.vcl\",
\"/etc/varnish/security/rules/generic.vcl\",
\"/etc/varnish/security/rules/sql.vcl\",
\"/etc/varnish/security/rules/sql.encoded.vcl\",
\"/etc/varnish/security/rules/xss.vcl\",
\"/etc/varnish/security/rules/xss.encoded.vcl\",
\"/etc/varnish/security/rules/demo.vcl\",
\"/etc/varnish/security/rules/php.vcl\",
\"/etc/varnish/security/rules/cmd.vcl\",
\"/etc/varnish/security/rules/restricted-file-extensions.vcl\",
\"/etc/varnish/security/rules/content-encoding.vcl\",
\"/etc/varnish/security/rules/content-type.vcl\",
\"/etc/varnish/security/rules/localfiles.vcl\",
\"/etc/varnish/security/build/variables.vcl\",
\"/etc/varnish/security/handlers.vcl\",
\"/etc/varnish/rsr.vcl\",
\"/etc/varnish/tsr.vcl\",
\"/etc/varnish/marts.vcl\",
\"/etc/varnish/vcs_deliver.vcl\",
\"/etc/varnish/error_page.vcl\",
\"/etc/varnish/403_page.vcl\",
},
},
flags = {
},
},
Many thanks in advance for your support !
Jef
I have been doing pentesting today with command lines and can confirm you need a whitespace or %20. I would recommend adding an rm check too. Here is my attempt at a pull request for 3.0 and 4.0
distribution specific packages for
The current varnish 4.1 repo is not working for me so I had to build from source so I could use VSF
Following my regular guide I usually do but I get this error
Message from VCC-compiler:
Cannot read file 'security/config.vcl' (No such file or directory)
('/etc/varnish/security/vsf.vcl' Line 56 Pos 9)
include "security/config.vcl";
--------#####################-
I can see that it is there
find / -iname variables.vcl
/etc/varnish/security/build/variables.vcl
SSIA
Hello, I want to block xmlrpc and wp-login requests only for the IP that floods and exceeds the requests per second, but other people from other IPs who open wp-login.php should not be affected. This is my configuration; it should apply only per IP, but the limits actually apply to all IPs that open wp-login:
if(throttle.is_allowed("ip:" +req.http.X-Actual-IP, "45req/s") > 0s && (req.url ~ "xmlrpc.php|wp-login.php")) {
error 429 "Calm down";
shield.conn_reset();
}
My question is why, and how can I change it so that the blocked IP is only the IP that exceeds the requests, not all IPs that open wp-login.php? Thank you in advance.
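An added example, not part of the original issue and not VSF or vmod code: a small Python model of a keyed token bucket with the (key, limit, period) argument shape of vsthrottle.is_denied, showing that the key string alone decides which clients share a counter (per IP, per vhost, or everyone when the IP header is missing). The KeyedThrottle class, the helper names and the sample requests are assumptions constructed for illustration; the real vmods may count differently.

```python
from dataclasses import dataclass


@dataclass
class Bucket:
    tokens: float
    last: float


class KeyedThrottle:
    """Model only: one token bucket per key string."""

    def __init__(self):
        self.buckets = {}

    def is_denied(self, key, limit, period, now):
        b = self.buckets.get(key)
        if b is None:
            b = self.buckets[key] = Bucket(tokens=float(limit), last=now)
        # Refill in proportion to elapsed time, capped at the limit.
        b.tokens = min(float(limit), b.tokens + (now - b.last) * limit / period)
        b.last = now
        if b.tokens >= 1.0:
            b.tokens -= 1.0
            return False
        return True


def key_per_ip(req):
    # Hypothetical helper: one counter per client address header.
    # A missing header collapses every client onto the key "ip:".
    return "ip:" + req.get("X-Actual-IP", "")


def key_per_vhost(req):
    # Hypothetical helper: one counter per Host, shared by all clients.
    return "vhost:" + req.get("Host", "")


def sample(with_header=True):
    """Constructed input: six rapid requests from one client, one from another."""
    reqs = [{"client": "flooder", "t": i * 0.01, "Host": "blog.example",
             "X-Actual-IP": "192.0.2.10"} for i in range(6)]
    reqs.append({"client": "visitor", "t": 0.1, "Host": "blog.example",
                 "X-Actual-IP": "198.51.100.7"})
    if not with_header:
        for r in reqs:
            r.pop("X-Actual-IP")
    return reqs


def denied_clients(requests, key_fn, limit=5, period=10):
    """Replay the requests in order and return the clients that were denied."""
    throttle = KeyedThrottle()
    denied = set()
    for r in requests:
        if throttle.is_denied(key_fn(r), limit, period, r["t"]):
            denied.add(r["client"])
    return sorted(denied)


if __name__ == "__main__":
    print("per IP        :", denied_clients(sample(), key_per_ip))
    print("per vhost     :", denied_clients(sample(), key_per_vhost))
    print("header missing:", denied_clients(sample(False), key_per_ip))
```

When a per-IP rule appears to hit every client, logging the exact key string passed to the throttle call shows whether distinct clients are really producing distinct keys.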
$> ./autogen.sh
.'. libtoolize: copying file
./ltmain.sh'm4'. libtoolize: copying file
m4/libtool.m4'm4/ltoptions.m4' libtoolize: copying file
m4/ltsugar.m4'm4/ltversion.m4' libtoolize: copying file
m4/lt~obsolete.m4'
$> ./configure
checking for a BSD-compatible install... /usr/bin/install -c
checking whether build environment is sane... yes
checking for a thread-safe mkdir -p... /bin/mkdir -p
checking for gawk... gawk
checking whether make sets $(MAKE)... yes
checking whether make supports nested variables... yes
checking for style of include used by make... GNU
checking for gcc... gcc
checking whether the C compiler works... yes
checking for C compiler default output file name... a.out
checking for suffix of executables...
checking whether we are cross compiling... no
checking for suffix of object files... o
checking whether we are using the GNU C compiler... yes
checking whether gcc accepts -g... yes
checking for gcc option to accept ISO C89... none needed
checking whether gcc understands -c and -o together... yes
checking dependency style of gcc... gcc3
checking for gcc option to accept ISO C99... -std=gnu99
checking build system type... x86_64-unknown-linux-gnu
checking host system type... x86_64-unknown-linux-gnu
checking how to print strings... printf
checking for a sed that does not truncate output... /bin/sed
checking for grep that handles long lines and -e... /bin/grep
checking for egrep... /bin/grep -E
checking for fgrep... /bin/grep -F
checking for ld used by gcc -std=gnu99... /usr/bin/ld
checking if the linker (/usr/bin/ld) is GNU ld... yes
checking for BSD- or MS-compatible name lister (nm)... /usr/bin/nm -B
checking the name lister (/usr/bin/nm -B) interface... BSD nm
checking whether ln -s works... yes
checking the maximum length of command line arguments... 1572864
checking whether the shell understands some XSI constructs... yes
checking whether the shell understands "+="... yes
checking how to convert x86_64-unknown-linux-gnu file names to x86_64-unknown-linux-gnu format... func_convert_file_noop
checking how to convert x86_64-unknown-linux-gnu file names to toolchain format... func_convert_file_noop
checking for /usr/bin/ld option to reload object files... -r
checking for objdump... objdump
checking how to recognize dependent libraries... pass_all
checking for dlltool... no
checking how to associate runtime and link libraries... printf %s\n
checking for ar... ar
checking for archiver @file support... @
checking for strip... strip
checking for ranlib... ranlib
checking command to parse /usr/bin/nm -B output from gcc -std=gnu99 object... ok
checking for sysroot... no
checking for mt... mt
checking if mt is a manifest tool... no
checking how to run the C preprocessor... gcc -std=gnu99 -E
checking for ANSI C header files... yes
checking for sys/types.h... yes
checking for sys/stat.h... yes
checking for stdlib.h... yes
checking for string.h... yes
checking for memory.h... yes
checking for strings.h... yes
checking for inttypes.h... yes
checking for stdint.h... yes
checking for unistd.h... yes
checking for dlfcn.h... yes
checking for objdir... .libs
checking if gcc -std=gnu99 supports -fno-rtti -fno-exceptions... no
checking for gcc -std=gnu99 option to produce PIC... -fPIC -DPIC
checking if gcc -std=gnu99 PIC flag -fPIC -DPIC works... yes
checking if gcc -std=gnu99 static flag -static works... yes
checking if gcc -std=gnu99 supports -c -o file.o... yes
checking if gcc -std=gnu99 supports -c -o file.o... (cached) yes
checking whether the gcc -std=gnu99 linker (/usr/bin/ld -m elf_x86_64) supports shared libraries... yes
checking whether -lc should be explicitly linked in... no
checking dynamic linker characteristics... GNU/Linux ld.so
checking how to hardcode library paths into programs... immediate
checking whether stripping libraries is possible... yes
checking if libtool supports shared libraries... yes
checking whether to build shared libraries... yes
checking whether to build static libraries... no
checking for python3... /usr/bin/python3
checking for rst2man... /usr/bin/rst2man
checking for pkg-config... /usr/bin/pkg-config
checking pkg-config is at least version 0.9.0... yes
checking vsha256.h usability... yes
checking vsha256.h presence... yes
checking for vsha256.h... yes
checking cache/cache.h usability... yes
checking cache/cache.h presence... yes
checking for cache/cache.h... yes
checking for varnishtest... /usr/bin/varnishtest
checking for varnishd... /usr/sbin/varnishd
checking that generated files are newer than configure... done
configure: creating ./config.status
config.status: creating Makefile
config.status: creating src/Makefile
config.status: creating config.h
config.status: config.h is unchanged
config.status: executing depfiles commands
config.status: executing libtool commands
$> make
make all-recursive
make[1]: Entering directory `/opt/VSF/libvmod-vsf'
Making all in src
make[2]: Entering directory `/opt/VSF/libvmod-vsf/src'
/usr/bin/python3 /usr/share/varnish/vmodtool.py ../src/vmod.vcc
Traceback (most recent call last):
File "/usr/share/varnish/vmodtool.py", line 924, in <module>
runmain(i_vcc)
File "/usr/share/varnish/vmodtool.py", line 840, in runmain
i.parse(vx)
File "/usr/share/varnish/vmodtool.py", line 721, in parse
o = parse_func(self)
File "/usr/share/varnish/vmodtool.py", line 644, in parse_func
raise Exception("ARG? %s", t.str)
Exception: ('ARG? %s', 'PRIV_TASK')
make[2]: *** [vcc_if.h] Error 1
make[2]: Leaving directory `/opt/VSF/libvmod-vsf/src'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/opt/VSF/libvmod-vsf'
make: *** [all] Error 2
$> autoconf -V
autoconf (GNU Autoconf) 2.69
Hi guys,
any hint on how I can get past this error?
bin/sh ../libtool --tag=CC --mode=compile gcc -std=gnu99 -DHAVE_CONFIG_H -I. -I.. -I/usr/include/varnish -I../../utf8proc -std=c99 -g -O2 -MT libvmod_vsf_la-vmod_vsf.lo -MD -MP -MF .deps/libvmod_vsf_la-vmod_vsf.Tpo -c -o libvmod_vsf_la-vmod_vsf.lo `test -f 'vmod_vsf.c' || echo './'`vmod_vsf.c
libtool: compile: gcc -std=gnu99 -DHAVE_CONFIG_H -I. -I.. -I/usr/include/varnish -I../../utf8proc -std=c99 -g -O2 -MT libvmod_vsf_la-vmod_vsf.lo -MD -MP -MF .deps/libvmod_vsf_la-vmod_vsf.Tpo -c vmod_vsf.c -fPIC -DPIC -o .libs/libvmod_vsf_la-vmod_vsf.o
vmod_vsf.c: In function ‘vmod_body’:
vmod_vsf.c:134: warning: implicit declaration of function ‘strncasecmp’
vmod_vsf.c: In function ‘vmod_normalize’:
vmod_vsf.c:206: error: ‘utf8proc_ssize_t’ undeclared (first use in this function)
vmod_vsf.c:206: error: (Each undeclared identifier is reported only once
vmod_vsf.c:206: error: for each function it appears in.)
vmod_vsf.c:206: error: expected ‘;’ before ‘len’
vmod_vsf.c:224: error: ‘len’ undeclared (first use in this function)
vmod_vsf.c:224: error: ‘utf8proc_uint8_t’ undeclared (first use in this function)
vmod_vsf.c:224: error: expected expression before ‘)’ token
vmod_vsf.c:225: error: too few arguments to function ‘utf8proc_decompose’
vmod_vsf.c:234: error: ‘utf8proc_int32_t’ undeclared (first use in this function)
vmod_vsf.c:234: error: expected expression before ‘)’ token
vmod_vsf.c:234: error: too few arguments to function ‘utf8proc_reencode’
make[2]: *** [libvmod_vsf_la-vmod_vsf.lo] Error 1
make[2]: Leaving directory `/root/vmod/VSF/libvmod-vsf/src'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/root/vmod/VSF/libvmod-vsf'
make: *** [all] Error 2
Hi,
I think adding whitelisted ip address is good for VSF, especially for front-backend setup and dos.vcl.
Please also check:
https://puszcza.gnu.org.ua/software/vmod-remoteip/
Hi,
First of all, I would like to thank you for the great work. Your VSF module has become an indispensable tool on our web platforms.
However, we are currently reinstalling all our Redhat based servers with Ubuntu.
But unfortunately, we are not able to compile the module anymore. The make command ends up with the following error:
make[3]: Entering directory '/root/install/VSF/libvmod-vsf/src'
/bin/bash ../libtool --tag=CC --mode=compile gcc -DHAVE_CONFIG_H -I. -I.. -I/usr/include/varnish -I../utf8proc -g -O2 -MT libvmod_vsf_la-vmod_vsf.lo -MD -MP -MF .deps/libvmod_vsf_la-vmod_vsf.Tpo -c -o libvmod_vsf_la-vmod_vsf.lo `test -f 'vmod_vsf.c' || echo './'`vmod_vsf.c
libtool: compile: gcc -DHAVE_CONFIG_H -I. -I.. -I/usr/include/varnish -I../utf8proc -g -O2 -MT libvmod_vsf_la-vmod_vsf.lo -MD -MP -MF .deps/libvmod_vsf_la-vmod_vsf.Tpo -c vmod_vsf.c -fPIC -DPIC -o .libs/libvmod_vsf_la-vmod_vsf.o
In file included from /usr/include/varnish/cache/cache_varnishd.h:32,
from vmod_vsf.c:34:
/usr/include/varnish/cache/cache.h:202:1: warning: data definition has no type or storage class
202 | VRBT_HEAD(vrt_priv_tree,vrt_priv);
| ^~~~~~~~~
/usr/include/varnish/cache/cache.h:202:1: warning: type defaults to ‘int’ in declaration of ‘VRBT_HEAD’ [-Wimplicit-int]
/usr/include/varnish/cache/cache.h:202:1: warning: parameter names (without types) in function declaration
/usr/include/varnish/cache/cache.h:207:23: error: field ‘privs’ has incomplete type
207 | struct vrt_priv_tree privs;
| ^~~~~
vmod_vsf.c: In function ‘vmod_body’:
vmod_vsf.c:117:28: warning: passing argument 2 of ‘VRB_Iterate’ from incompatible pointer type [-Wincompatible-pointer-types]
117 | if (VRB_Iterate(ctx->req, vsf_iter_req_body, vsb) == -1) {
| ^~~~~~~~~~~~~~~~~
| |
| int (*)(void *, int, const void *, ssize_t) {aka int (*)(void *, int, const void *, long int)}
In file included from vmod_vsf.c:34:
/usr/include/varnish/cache/cache_varnishd.h:351:49: note: expected ‘int (*)(void *, unsigned int, const void *, ssize_t)’ {aka ‘int (*)(void *, unsigned int, const void *, long int)’} but argument is of type ‘int (*)(void *, int, const void *, ssize_t)’ {aka ‘int (*)(void *, int, const void *, long int)’}
351 | ssize_t VRB_Iterate(struct req *, objiterate_f *func, void *priv);
| ~~~~~~~~~~~~~~^~~~
make[3]: *** [Makefile:670: libvmod_vsf_la-vmod_vsf.lo] Error 1
make[3]: Leaving directory '/root/install/VSF/libvmod-vsf/src'
make[2]: *** [Makefile:474: all-recursive] Error 1
make[2]: Leaving directory '/root/install/VSF/libvmod-vsf'
make[1]: *** [Makefile:385: all] Error 2
make[1]: Leaving directory '/root/install/VSF/libvmod-vsf'
make: *** [Makefile:12: libvmod-vsf/src/.libs/libvmod-vsf.so] Error 2
Do you have an idea how we can solve this issue?
Very many thanks in advance,
Best regards.
Patrick
The included ref of submodule libvmod-parsereq segfaults with varnish 3.0.4, this is fixed when including from the current master branch.
libvmod-unicode has fixed a segfault issue as well.
Where to find log file of VSF?
I may need fail2ban to scan it. :)
Thank you!
Should probably create an empty local.vcl
Cannot read file '/etc/varnish/security/local.vcl': No such file or directory
('/etc/varnish/security/vsf.vcl' Line 13 Pos 9)
include "/etc/varnish/security/local.vcl";
--------#################################-
Forgot to uncomment this line
Message from VCC-compiler:
Syntax error at
('/etc/varnish/security/rules/protocol.vcl' Line 33 Pos 5)
http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html#sec9.5
----#-------------------------------------------------------
Not sure how to fix this besides just commenting it out
Error:
Message from VCC-compiler:
Function sec_throttle redefined
('/etc/varnish/security/vsf.vcl' Line 156 Pos 5)
sub sec_throttle {
----############--
cd opt/
git clone https://github.com/comotion/VSF.git
export PKG_CONFIG_PATH=/usr/local/lib/pkgconfig
cd VSF/
make
...
/configure: line 11523: VARNISH_VMOD_INCLUDES: command not found
./configure: line 11524: VARNISH_VMOD_DIR: command not found
./configure: line 11525: VARNISH_VMODTOOL: command not found
checking for varnishtest... /usr/local/bin/varnishtest
checking for varnishd... /usr/local/sbin/varnishd
checking that generated files are newer than configure... done
configure: creating ./config.status
config.status: creating Makefile
config.status: creating src/Makefile
config.status: creating config.h
config.status: executing depfiles commands
config.status: executing libtool commands
make[1]: Entering directory `/opt/VSF/libvmod-vsf'
make all-recursive
make[2]: Entering directory `/opt/VSF/libvmod-vsf'
Making all in src
make[3]: Entering directory `/opt/VSF/libvmod-vsf/src'
/usr/bin/python2.7 ../src/vmod.vcc
File "../src/vmod.vcc", line 27
$Module vsf 3 Varnish Security Firewall
...
First of all thanks for such nice work and keep it updated.
I am on Ubuntu 20.04 + varnish 6.6.1.
There is a problem:
Nov 17 15:45:42 ovh varnishreload[4085150]: Message from VCC-compiler:
Nov 17 15:45:42 ovh varnishreload[4085150]: Unused sub sec_robot, defined:
Nov 17 15:45:42 ovh varnishreload[4085150]: ('/etc/varnish/security/rules/robots.vcl' Line 15 Pos 5)
Nov 17 15:45:42 ovh varnishreload[4085150]: sub sec_robot {
Nov 17 15:45:42 ovh varnishreload[4085150]: ----#########--
Nov 17 15:45:42 ovh varnishreload[4085150]: Running VCC-compiler failed, exited with 2
Nov 17 15:45:42 ovh varnishreload[4085150]: VCL compilation failed
Nov 17 15:45:42 ovh varnishreload[4085150]: Command failed with error code 106
Can you check it?
Thank you.
Hi There,
I am currently experimenting with VSF on a development server and am finding that it only catches malicious content if it was put in the first field of a form.
Something like this for example:
<script>alert(1);</script>
Causes a 403 to be returned if put in the very first element of any form that I have tested. If I put that in any other field, VSF ignores it.
Is anyone else seeing similar behaviour or have I just set something up wrong? Currently I have a completely out-of-the-box config and just followed the install instructions from here. No other changes have been made.
Any help or advice would be greatly appreciated! Thanks!
Hi,
Can you update your instructions with Step by Step for noobs like me.
I found this installation tutorial for CentOS 6.
http://www.screwloose.com.au/install-varnish-3-0-with-vsf-varnish-security-firewall-on-centos-6
But I am not sure if the steps are complete since some of the VMods have their own "Make" file. Please advise.
Setup:
Recent changes to the VSF VCL files appear to have introduced relative VCL path includes.
I have a basic fresh install of Varnish and the VSF mod, having only added the VSF include at the top of /etc/varnish/default.vcl per the installation instructions.
vcl 4.0;
include "/etc/varnish/security/vsf.vcl";
...
When running Varnish I receive a VCL compilation error:
$ sudo varnishd -f /etc/varnish/default.vcl
Error:
Message from VCC-compiler:
Cannot read file 'build/variables.vcl': No such file or directory
('/etc/varnish/security/vsf.vcl' Line 10 Pos 9)
include "build/variables.vcl";
--------#####################-
Running VCC-compiler failed, exited with 2
VCL compilation failed
To fix I have prefixed each include path in vsf.vcl and config.vcl with the "security" symlink.
EG:
include "security/build/variables.vcl";
include "security/local.vcl";
Is there another way to approach this which does not involve altering the include paths, or is this an actual issue?
Thanks
Hi,
Is this project alive?!
I'm interested in it.
Thanks in advance for the answer.
Please put back 6.6 branch.
Ubuntu 22.04 comes with varnish 6.6 by default.
Thanks!