In message <[email protected]>, Mike
Franon writes:
>HI,
>
>I was curious does anyone know of any serious security exploits that
>can use varnish as an open proxy?
Only if they can reload the Varnish VCL somehow. Varnish has the
backends hardcoded in VCL.
>The reason why I am thinking that some sort of exploit might be going
>on is, looking at the varnish logs I was seeing some url's for domains
>we do not even own.
And what does the log says happen to them ?
You can probably do something like:
if (req.http.host !~ "<regexp matching your domains") {
error(755); /* No need to be civilized here */
}
To prevent them from reaching your backend.
--
Poul-Henning Kamp | UNIX since Zilog Zeus 3.20
[email protected] | TCP/IP since RFC 956
FreeBSD committer | BSD since 4.3-tahoe
Never attribute to malice what can adequately be explained by incompetence.
_______________________________________________
varnish-misc mailing list
[email protected]
http://www.varnish-cache.org/lists/mailman/listinfo/varnish-misc
