April 10, 2018

Varnish and security


The correlation between cloud/edge computing and security is growing stronger every day, and any caching/CDN solution loses value if it doesn’t deliver a set of features that can address this correlation by securing data and connections.

With the upcoming GDPR (Global Data Protection Regulation), which will come into force on May the 25th and will affect any business with at least a single European user, the demand for security is accelerating. End users and customers also require that their data be protected and that their connections be safe, and recent revelations (and scandals) revolving around Facebook have proven how important that is.

Varnish, as reverse proxy and CDN software, usually sits in a very strategic layer of your architecture: in most cases it is the very first HTTP gate a user request has to go through before it is fulfilled. Therefore, each Varnish solution comes with a complete set of features that can help to secure your architecture.


HTTPS support

Varnish provides secure connections for both the client and the backend side. It means that the data shuffled between your Varnish server and the final user and the bytes between the origin server and Varnish are always encrypted, protecting privacy and avoiding data leaks.

Hitch is an SSL/TLS client terminator and secures client-side connections; it’s an open source project and fully supported by Varnish Software.

Backend-side HTTPS is a Varnish Software feature. Securing a backend is as easy as setting a flag (on/off) in your Varnish configuration.

Varnish Total Encryption

Encrypting data in cache is as important as having secure connections, as everyone wants to avoid disasters like Cloudbleed. Encrypted cached content will be useless in the event of a data breach, ensuring that your customers’ private information is protected.

Varnish Total Encryption is a Varnish module (VMOD) that is fully tweakable via VCL. Every object in cache will have its own unique AES256 encryption key. This unique key, based on the request fingerprint, is assigned to each request, making it impossible for a request to return anything but its intended cache object.

Encrypting your whole caching layer, from end to end, including cached content, makes your whole infrastructure more secure and resilient and helps your business be completely GDPR compliant.


Request body access

Vmod-bodyaccess exposes the request body in VCL, providing functions, among others, to:

  • Log the request body to VSL (Varnish Shared Log), making it available for inspection and for use by other components. The request body can be split into multiple lines to make it more readable.
  • Find strings in a request body. Using regular expressions, you can detect whether malicious patterns are present within a suspicious request and run a check on those.
  • Evaluate the request body length.

Combining a regular expression check with the length of a request body, we can mark a request as potentially dangerous. If we have many requests marked as critical, this could be a DDoS attack.


Vmod-vsthrottle provides an API, accessible via VCL, to slow down the pace of incoming requests if anything suspicious is detected, e.g. if the same IP address makes numerous requests within a short amount of time (usually seconds). Requests are paced based on a key that could be any VCL string, e.g. an IP address, a header, a token, etc.

Optionally, specific requests can be blocked for a period of time if the rate limit threshold is reached, which helps by throttling down specific traffic patterns.
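The following VCL is an added example, not configuration from Varnish Software, showing how the body inspection and the keyed throttling described above can be combined in `vcl_recv`. The backend address, the regular expression, the size limits and all rate thresholds are assumptions chosen for illustration.

```vcl
vcl 4.0;

import std;
import bodyaccess;
import vsthrottle;

# Placeholder origin; host and port are assumptions.
backend default {
    .host = "127.0.0.1";
    .port = "8080";
}

sub vcl_recv {
    # General pacing: at most 15 requests per 10 s per client
    # (client.identity defaults to the client IP address).
    if (vsthrottle.is_denied(client.identity, 15, 10s)) {
        return (synth(429, "Too Many Requests"));
    }

    if (req.method == "POST" || req.method == "PUT") {
        # The body must be buffered before bodyaccess can read it.
        # Bodies larger than the buffer cannot be inspected: reject.
        if (!std.cache_req_body(64KB)) {
            return (synth(413, "Payload Too Large"));
        }

        # Mark the request as suspect when the body matches a pattern
        # or is unusually long (pattern and length are illustrative).
        if (bodyaccess.rematch_req_body("(?i)<script") == 1
            || bodyaccess.len_req_body() > 16384) {
            # Write the body to VSL in lines of at most 500 bytes.
            bodyaccess.log_req_body("SUSPECT: ", 500);

            # Stricter bucket keyed per client for suspect requests:
            # more than 3 in 60 s blocks that key for 5 minutes.
            if (vsthrottle.is_denied("suspect:" + client.identity,
                                     3, 60s, 300s)) {
                return (synth(429, "Too Many Requests"));
            }
        }
    }
}
```

Logged request bodies can contain credentials or personal data, so access to VSL output should be restricted accordingly.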

Even if Varnish can handle more than 20k req/s, detecting dubious requests and throttling them down is vital to providing good service and avoiding wasted resources.


Varnish Web Application Firewall allows you to set your own security rules in ModSecurity style. It is implemented as a VMOD, making it configurable via VCL.

The Varnish WAF can help you by preventing code injections, blocking malicious clients and protecting your origin servers. It can be considered a security perimeter defense. It is currently under development and will be available starting in Q3 2018.


Using VCL, Varnish can run authentication and authorization logic. Authentication means we can identify each user based on a cookie header or any other VCL token. Once the authentication has been successful, always via VCL, we can decide which piece of content each user is allowed to access.

Combining those two steps, a Varnish paywall can be implemented; the solution is fully implemented in VCL using, among others, vmod-http and vmod-kvstore.

Security is taken seriously by the Varnish Software team and our Varnish solutions have extremely flexible security options in place, letting you choose what to secure and how secure you need it to be - as everything can be tweaked via VCL, ultimately helping you secure your caching infrastructure without affecting web performance.

Ready to implement the steps you need to secure yourself and be ready for GDPR? Take a look at our on-demand webinar, "How to make your cache infrastructure GDPR compliant".