varnishcache / varnish-cache

Commit 01908a71 (Unverified), authored Oct 13, 2023 by Nils Goroll
Polish "Security first" rst
parent 051aa94f

Showing 1 changed file with 63 additions and 60 deletions

doc/sphinx/users-guide/run_security.rst (+63 -60)
...
@@ -52,52 +52,52 @@ CLI interface access
...
@@ -52,52 +52,52 @@ CLI interface access
The command line interface can be accessed in three ways.
The command line interface can be accessed in three ways.
`varnishd` can be told to listen and offer CLI connections
:ref:`varnishd(1)` can be told to listen and offer CLI connections on
on a TCP socket. You can bind the socket to pretty
a TCP socket. You can bind the socket to pretty much anything the
much anything the
kernel will accept::
kernel will accept::
-T 127.0.0.1:631
-T 127.0.0.1:631
-T localhost:9999
-T localhost:9999
-T 192.168.1.1:34
-T 192.168.1.1:34
-T '[fe80::1]:8082'
-T '[fe80::1]:8082'
The default is ``-T localhost:0`` which will pick a random
The default is ``-T localhost:0`` which will pick a random port
port number, which `varnishadm(8)` can learn from the shared
number, which :ref:`varnishadm(1)` can learn from the shared memory.
memory.
By using a
"localhost" address, you restrict CLI access
By using a
``localhost`` address, you restrict CLI access to the local
to the local
machine.
machine.
You can also bind the CLI port to an IP address reachable across
You can also bind the CLI port to an IP address reachable across
the net, and let other machines connect directly.
the net, and let other machines connect directly.
This gives you no secrecy, i.e. the CLI commands will
This gives you no secrecy, i.e. the CLI commands will
go across the
go across the network as ASCII text with no encryption, but
network as ASCII text with no encryption, but the ``-S`` / pre shared
the -S/PSK authentication requires the remote end to know
key (`PSK`_) authentication requires the remote end to know the shared
the shared
secret.
secret.
Alternatively you can bind the CLI port to a
'localhost'
address,
Alternatively you can bind the CLI port to a
``localhost``
address,
and give remote users access via a secure connection to the local
and give remote users access via a secure connection to the local
machine, using ssh/VPN or similar.
machine, using ssh/VPN or similar.
If you use `ssh
` you can restrict which commands each user can execute
If you use `ssh
(1)` you can restrict which commands each user can
to just `varnishadm`, or even use a wrapper scripts around `varnishadm`
execute to just :ref:`varnishadm(1)`, or even use a wrapper scripts
to allow specific CLI commands.
around :ref:`varnishadm(1)`
to allow specific CLI commands.
It is also possible to configure
`varnishd` for "reverse mode", using
It is also possible to configure
:ref:`varnishd(1)` for "reverse
the '-M' argument. In that case `varnishd` will attempt to open a
mode", using the ``-M`` argument. In that case :ref:`varnishd(1)`
TCP connection to the specified address, and initiate a CLI connection
will attempt to open a TCP connection to the specified address, and
to your central Varnish management facility.
initiate a CLI connection
to your central Varnish management facility.
.. XXX:Maybe a sample command here with a brief explanation? benc
.. XXX:Maybe a sample command here with a brief explanation? benc
The connection in this case is also without encryption, but
The connection in this case is also without encryption, but
the remote end must still authenticate using
-S/PSK
.
the remote end must still authenticate using
``-S``\ /`PSK`_
.
Finally, if you run varnishd with the
'-d'
option, you get a CLI
Finally, if you run varnishd with the
``-d``
option, you get a CLI
command on stdin/stdout, but since you started the process, it
command on stdin/stdout, but since you started the process, it
would
would
be hard to prevent you getting CLI access, wouldn't it ?
be hard to prevent you getting CLI access, wouldn't it ?
.. _PSK:
CLI interface authentication
CLI interface authentication
^^^^^^^^^^^^^^^^^^^^^^^^^^^^
^^^^^^^^^^^^^^^^^^^^^^^^^^^^
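Review bot: "use a wrapper scripts around :ref:`varnishadm(1)`" in the rewrapped sentence after the `ssh(1)` reference carries the old text's number disagreement through the polish; make it "use wrapper scripts around :ref:`varnishadm(1)`". The ".. XXX:Maybe a sample command here with a brief explanation? benc" comment about reverse mode also survives unchanged; a single ``-M`` line in the same style as the ``-T`` examples above it would close that comment. Finally, ``-S``\ /`PSK`_ is now a link, but the sentence still only says the remote end "must know the shared secret"; a short pointer that the secret is never sent on the wire (it is used to answer a challenge, see the PSK section) would make the "no secrecy, but authenticated" distinction clearer to readers deciding whether to expose ``-T`` on a routable address.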
...
@@ -106,37 +106,38 @@ By default the CLI interface is protected with a simple, yet powerful
...
@@ -106,37 +106,38 @@ By default the CLI interface is protected with a simple, yet powerful
"Pre Shared Key" authentication method, which do not provide secrecy
"Pre Shared Key" authentication method, which do not provide secrecy
(ie: The CLI commands and responses are not encrypted).
(ie: The CLI commands and responses are not encrypted).
The way
-S/PSK works is really simple:
During startup a file is
The way
``-S``\ /PSK works is really simple:
During startup a file is
created with a random content and the file is only accessible to
created with a random content and the file is only accessible to
the
the user who started `varnishd
` (or the superuser).
user who started :ref:`varnishd(1)
` (or the superuser).
To authenticate and use a CLI connection, you need to know the
To authenticate and use a CLI connection, you need to know the
contents of that file, in order to answer the cryptographic
contents of that file, in order to answer the cryptographic
challenge
challenge `varnishd
` issues, see :ref:`ref_psk_auth`.
:ref:`varnishd(1)
` issues, see :ref:`ref_psk_auth`.
`varnishadm` uses all of this to restrict access, it will only function,
:ref:`varnishadm(1)` uses all of this to restrict access, it will only
provided it can read the secret file.
function,
provided it can read the secret file.
If you want to allow other users, local or remote, to be able to
access
If you want to allow other users, local or remote, to be able to
CLI connections, you must create your own secret file and make it possibl
e
access CLI connections, you must create your own secret file and mak
e
for (only!) these users to read it.
it possible
for (only!) these users to read it.
A good way to create the secret file is::
A good way to create the secret file is::
dd if=/dev/random of=/etc/varnish_secret count=1
dd if=/dev/random of=/etc/varnish_secret count=1
When you start
`varnishd`, you specify the filename with '-S', and
When you start
:ref:`varnishd(1)`, you specify the filename with '-S',
it goes without saying that the `varnishd` master process need
s
and it goes without saying that the :ref:`varnishd(1)` master proces
s
to be able to read the file too.
needs
to be able to read the file too.
You can change the contents of the secret file while `varnishd`
You can change the contents of the secret file while
runs, it is read every time a CLI connection is authenticated.
:ref:`varnishd(1)` runs, it is read every time a CLI connection is
authenticated.
On the local system,
`varnishadm` can retrieve the filename from
On the local system,
:ref:`varnishadm(1)` can retrieve the filename
shared memory, but on remote systems, you need to give `varnishadm`
from shared memory, but on remote systems, you need to give
a copy of the secret file, with the -S argument.
:ref:`varnishadm(1)`
a copy of the secret file, with the -S argument.
If you want to disable
-S
/PSK authentication, use an ``-S none``
If you want to disable
``-S``\
/PSK authentication, use an ``-S none``
argument to varnishd::
argument to varnishd::
varnishd [...] -S none [...]
varnishd [...] -S none [...]
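Review bot: the recipe ``dd if=/dev/random of=/etc/varnish_secret count=1`` creates the file with the caller's default umask, typically world-readable, while the paragraph just above requires that only the intended users can read it; since this hunk rewraps that paragraph, add the permission step, e.g. ``(umask 077; dd if=/dev/random of=/etc/varnish_secret count=1)`` or a following ``chmod 600 /etc/varnish_secret``, and mention that the file must stay readable by the user running the varnishd master process. On kernels where /dev/random can return a short read, ``count=1`` without ``iflag=fullblock`` also produces fewer bytes than intended. Style-wise, "you specify the filename with '-S'" and "with the -S argument" keep the quoted/plain forms that the rest of this commit converts to ``-S``, and "which do not provide secrecy" in the unchanged context line should read "which does not provide secrecy".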
...
@@ -155,7 +156,8 @@ HTTP service, but a few can do more damage than others:
...
@@ -155,7 +156,8 @@ HTTP service, but a few can do more damage than others:
Execute arbitrary programs
Execute arbitrary programs
:ref:`ref_param_vcc_allow_inline_c`
:ref:`ref_param_vcc_allow_inline_c`
Allow inline C in VCL, which would allow any C code from VCL to be executed by Varnish.
Allow inline C in VCL, which would allow any C code from VCL
to be executed by Varnish.
Furthermore you may want to look at and lock down:
Furthermore you may want to look at and lock down:
...
@@ -163,7 +165,8 @@ Furthermore you may want to look at and lock down:
...
@@ -163,7 +165,8 @@ Furthermore you may want to look at and lock down:
Log all CLI commands to `syslog(8)`, so you know what goes on.
Log all CLI commands to `syslog(8)`, so you know what goes on.
:ref:`ref_param_vcc_unsafe_path`
:ref:`ref_param_vcc_unsafe_path`
Restrict VCL/VMODs to :ref:`ref_param_vcl_path` and :ref:`ref_param_vmod_path`
Restrict VCL/VMODs to :ref:`ref_param_vcl_path` and
:ref:`ref_param_vmod_path`
:ref:`ref_param_vmod_path`
:ref:`ref_param_vmod_path`
The directory (or colon separated list of directories) where
The directory (or colon separated list of directories) where
...
@@ -181,12 +184,11 @@ As described above, some of the damage can be limited by restricting
...
@@ -181,12 +184,11 @@ As described above, some of the damage can be limited by restricting
certain parameters, but that will only protect the local filesystem,
certain parameters, but that will only protect the local filesystem,
and operating system, it will not protect your HTTP service.
and operating system, it will not protect your HTTP service.
We do not currently have a way to restrict specific CLI commands
We do not currently have a way to restrict specific CLI commands to
to specific CLI connections. One way to get such an effect is to
specific CLI connections. One way to get such an effect is to "wrap"
"wrap" all CLI access in pre-approved scripts which use `varnishadm(1)`
all CLI access in pre-approved scripts which use :ref:`varnishadm(1)`
to submit the sanitized CLI commands, and restrict a remote user to
to submit the sanitized CLI commands, and restrict a remote user
only those scripts, for instance using sshd(8)'s configuration.
to only those scripts, for instance using sshd(8)'s configuration.
VCL programs
VCL programs
------------
------------
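Review bot: "for instance using sshd(8)'s configuration" leaves the reader to find the mechanism; naming it, ``ForceCommand`` in sshd_config (usable inside a ``Match User`` block) or a ``command=`` option on the key in the user's authorized_keys, would make the wrapper-script advice actionable, and it would also be worth stating that the wrapper must validate its arguments, since the point of the wrapper is to stop the remote user from reaching arbitrary CLI commands. Formatting is inconsistent within the hunk: `varnishadm(1)` became a :ref: but ``sshd(8)`` has neither backticks nor a link, while the earlier hunk writes `ssh(1)` with backticks.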
...
@@ -198,11 +200,13 @@ Both of these mechanisms allow execution of arbitrary code and will
...
@@ -198,11 +200,13 @@ Both of these mechanisms allow execution of arbitrary code and will
thus allow a person to get access to the machine, with the
thus allow a person to get access to the machine, with the
privileges of the child process.
privileges of the child process.
If `varnishd` is started as root/superuser, we sandbox the child
If :ref:`varnishd(1)` is started as root/superuser, we sandbox the
process, using whatever facilities are available on the operating
child process, using whatever facilities are available on the
system, but if `varnishd` is not started as root/superuser, this is
operating system, but if :ref:`varnishd(1)` is not started as
not possible. No, don't ask me why you have to be superuser to
root/superuser, this is not possible. No, don't ask me why you have to
lower the privilege of a child process...
be superuser to lower the privilege of a child process...
.. XXX the above is not correct for the solaris jail
Inline-C is disabled by default since Varnish version 4, so unless
Inline-C is disabled by default since Varnish version 4, so unless
you enable it, you don't have to worry about it.
you enable it, you don't have to worry about it.
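Review bot: the new ".. XXX the above is not correct for the solaris jail" comment records that the paragraph is wrong for one supported platform, yet the rendered text still states flatly that sandboxing "is not possible" unless varnishd starts as root. Either qualify the sentence (e.g. "on most operating systems this is not possible") or drop the unconditional claim rather than ship known-inaccurate user-facing text behind a hidden comment. The "No, don't ask me why you have to be superuser to lower the privilege of a child process..." aside also reads as a personal remark out of place in a users-guide section that is otherwise being polished for tone.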
...
@@ -229,4 +233,3 @@ to various kinds of attacks and subversive activities.
...
@@ -229,4 +233,3 @@ to various kinds of attacks and subversive activities.
If you have "administrative" HTTP requests, for instance PURGE
If you have "administrative" HTTP requests, for instance PURGE
requests, we strongly recommend that you restrict them to trusted
requests, we strongly recommend that you restrict them to trusted
IP numbers/nets using VCL's :ref:`vcl_syntax_acl`.
IP numbers/nets using VCL's :ref:`vcl_syntax_acl`.