คิดว่าคงพอช่วยเพิ่ม security ได้ไม่มากก็น้อย
เครดิต vcl security https://github.com/comotion/security.vcl
ถ้ามีคำแนะนำหรือเพิ่มเติมยินดีครับ
# varnish 2.1.x
acl google {
    # Googlebot source ranges as listed by the author, written as the
    # minimal CIDR cover of 66.249.65.0 through 66.249.95.255:
    #   66.249.65.0/24  -> .65
    #   66.249.66.0/23  -> .66 - .67
    #   66.249.68.0/22  -> .68 - .71
    #   66.249.72.0/21  -> .72 - .79
    #   66.249.80.0/20  -> .80 - .95
    # NOTE(review): addresses in this ACL skip the request-filtering and
    # User-Agent checks in vcl_recv, so an outdated or too-broad list is an
    # allowlist bypass; keep it current against Google's published ranges.
    "66.249.65.0"/24;
    "66.249.66.0"/23;
    "66.249.68.0"/22;
    "66.249.72.0"/21;
    "66.249.80.0"/20;
}
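sub vcl_recv {
    # Overwrite any client-supplied X-Forwarded-For with the address this
    # connection actually came from, so the backend never sees a spoofed value.
    remove req.http.X-Forwarded-For;
    set req.http.X-Forwarded-For = client.ip;

    # The filtering below is skipped for localhost, the server's own address
    # ("MYSERVER'S IP" is a placeholder to fill in) and the "google" ACL.
    # The ACL test is parenthesised so the negation unambiguously applies to
    # the whole match. NOTE(review): every address in the "google" ACL
    # bypasses all of these rules, so that list must be kept accurate.
    if (client.ip != "127.0.0.1" && client.ip != "MYSERVER'S IP" && !(client.ip ~ google)) {

        # --- system file access / directory traversal ---
        if (req.url ~ "/etc/(passwd|g?shadow|motd|group)") { error 403 "Access Denied."; }
        if (req.url ~ "\.\.?/\.\.?/\.\.?") { error 403 "Access Denied."; }

        # --- command injection: a shell tool following "=", ";", "&&" or an
        # encoded "||" (%7C%7C). These are prefix matches, so "=cat" also
        # matches e.g. "sort=category"; tune per site if that causes false
        # positives.
        if (req.url ~ "(=|;|&&|%7C%7C)(wget|curl|echo|cat|cmd\.exe).+") { error 403 "Access Denied."; }
        if (req.url ~ "(=|;|&&)nc(\.exe)?.+") { error 403 "Access Denied."; }
        if (req.url ~ "(=|;|&&)(whoami|who|uptime|last|df)") { error 403 "Access Denied."; }
        # output redirection to /dev/null (">" may arrive encoded as %3E)
        if (req.url ~ "(>|%3E|-o)" && req.url ~ "/dev/null") { error 403 "Access Denied."; }

        # --- script injection (XSS-style payloads carried in the URL) ---
        if (req.url ~ "(<|\%3C)?(java|vb)?script(>|\%3E).*(<|\%3C).*\/script(>|\%3E)?") { error 403 "Access Denied."; }
        if (req.url ~ "(java|vb)?script:") { error 403 "Access Denied."; }
        if (req.url ~ "\(.*(java|vb)script.*\)") { error 403 "Access Denied."; }
        if (req.url ~ "url\(") { error 403 "Access Denied."; }

        # --- SQL injection heuristics (case-insensitive). These are broad and
        # will also reject ordinary search terms such as "select ... from".
        if (req.url ~ "(?i)SELECT.+FROM") { error 403 "Access Denied."; }
        # the separator may be literal whitespace, "+" or an encoded space (%20)
        if (req.url ~ "(?i)UNION(\s|\+|%20)+SELECT") { error 403 "Access Denied."; }
        if (req.url ~ "(?i)UPDATE.+SET") { error 403 "Access Denied."; }
        if (req.url ~ "(?i)INSERT.+(INTO|VALUES)") { error 403 "Access Denied."; }
        if (req.url ~ "(?i)DELETE.+FROM") { error 403 "Access Denied."; }
        if (req.url ~ "(?i)ASCII\(.+SELECT") { error 403 "Access Denied."; }
        if (req.url ~ "(?i)DROP.+(TABLE|DATABASE)") { error 403 "Access Denied."; }
        if (req.url ~ "(?i)SELECT.+VERSION") { error 403 "Access Denied."; }
        if (req.url ~ "(?i)BULK.+INSERT") { error 403 "Access Denied."; }
        # URL-encoded SQL comment: %2F%2A ... %2A%2F is "/* ... */"
        if (req.url ~ "(?i)\%2F\%2A.+\%2A\%2F") { error 403 "Access Denied."; }

        # --- PHP superglobals and dangerous functions named in the URL ---
        # (_REQUEST was listed twice before; the list is now a single alternation)
        if (req.url ~ "(GLOBALS|_SERVER|_GET|_POST|_FILES|_REQUEST|_SESSION|_ENV|_COOKIE|_PHPLIB)\[") { error 403 "Access Denied."; }
        if (req.url ~ "(system|passthru|eval)\(") { error 403 "Access Denied."; }
        # PHP open ("<?") or close ("?>") tag, raw or %-encoded. Matching the
        # tags themselves avoids rejecting any URL that merely contains two
        # "?" characters.
        if (req.url ~ "(<|\%3C)\?(php)?|\?(>|\%3E)") { error 403 "Access Denied."; }
        # remote file inclusion: a full URL scheme inside the request URL
        if (req.url ~ "(https?|ftps?|php)://") { error 403 "Access Denied."; }

        # --- bad bots / scripted clients by User-Agent prefix ---
        # A regex test against an absent header does not match, so the
        # missing-header case is tested on its own in addition to "^$".
        # The prefix list is matched case-insensitively; "http" replaces the
        # earlier "htpp", which looked like a typo.
        if (!req.http.user-agent
            || req.http.user-agent ~ "^-"
            || req.http.user-agent ~ "^$"
            || req.http.user-agent ~ "(?i)^(java|http|uri|lwp|pecl|php|curl|lib|wget)") {
            error 403 "Access Denied.";
        }
    }

    # --- hotlink protection for IMGDIR (placeholder path) ---
    # Only requests carrying an http(s) Referer are judged; referer-less
    # requests pass so direct visits and privacy-mode browsers still get
    # images. The scheme pattern is "https?" so https referers are covered
    # (the earlier "http?" matched "http"/"htt" only). Host names are matched
    # up to the first "/" or ":port" so a foreign site cannot qualify just by
    # putting one of these names in its path. NOTE(review): Referer is
    # client-supplied, so this only deters casual hotlinking, and a subdomain
    # such as "google.<other-domain>" would still be accepted.
    if (req.url ~ "IMGDIR/") {
        if (req.http.referer ~ "^https?://") {
            if (!(req.http.referer ~ "^https?://([a-z0-9-]+\.)?(MYWEBSITE)\.com(:[0-9]+)?(/|$)")
                && !(req.http.referer ~ "^https?://([^/]+\.)?(google|yahoo|bing|msn|gmail|facebook|live|twitter|w3)\.[^/]+(/|$)")) {
                error 403 "Access Denied.";
            }
        }
    }
}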