comotion / security.vcl

protect your websites with varnish rules
GNU General Public License v2.0

VCC-compiler: Syntax error for breach #9

Open DaiYamatta opened 12 years ago

DaiYamatta commented 12 years ago

Enabling include "/etc/varnish/security/breach.vcl";

This code gives a syntax error.

varnishd -d -f default.vcl
Message from VCC-compiler:
Syntax error at
('/etc/varnish/security/breach/40_generic_attacks.vcl' Line 5 Pos 78)
if(req.http.Cookie ~ "(?:(?:[\;|]\W*?\bcc|\b(wget|curl))\b|\/cc(?:[\'\"|\;-\s]|$))"){
-----------------------------------------------------------------------------#-----------------

Running VCC-compiler failed, exit 1

VCL compilation failed

varnishd -d -f /etc/varnish/default.vcl
Message from VCC-compiler:
Expected ')' got 'validateUtf8Encoding'
(program line 73), at
('/etc/varnish/security/breach/20_protocol_violations.vcl' Line 256 Pos 15)
if(req.url validateUtf8Encoding ""){
--------------####################-----

Running VCC-compiler failed, exit 1

VCL compilation failed

varnishd -d -f /etc/varnish/default.vcl
Message from VCC-compiler:
Unknown token '%' when looking for BOOL
('/etc/varnish/security/breach/30_http_policy.vcl' Line 5 Pos 8)
if((%{tx.allowed_methods}) ~ "req.request"){
-------#---------------------------------------

Running VCC-compiler failed, exit 1

VCL compilation failed

With this code commented out, it is running!!

comotion commented 12 years ago

Hey Dai, thanks for the notice. Yeah, the breach module is not precisely tip-top since the port to V3.0 and the introduction of some new mod_security features. I will hack on it some when I get a chance; til then I recommend you use the standard VCL modules shipped with security.vcl.

comotion commented 12 years ago

wait, did you say these are the only three errors and if you comment them out it works?

DaiYamatta commented 12 years ago

Dear comotion

wait, did you say these are the only three errors and if you comment them out it works?

Yes!! Running.

Test environment is Scientific Linux 6.1 x86_64. Need more information?

comotion commented 12 years ago

Good to hear! 5a337108e1052c8b230e9c7b708504888d6010c9 pushes a fix that skips emitting rules for validateUtf8Encoding, since we have to implement that in the upcoming sec.vcl VMOD. %{tx.allowed_methods} is going to be trickier since I'll have to put something badass together in perl to resolve variables, while the regex "(?:(?:[\;|]\W*?\bcc|\b(wget|curl))\b|\/cc(?:[\'\"|\;-\s]|$))" I dunno what's wrong here... the regex is straight from the breach ruleset and it seems to complain on valid regex..
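A pre-flight lint for the three classes of VCC error reported in this thread, added here as an example; it is not part of security.vcl or the thread. It assumes VCL basic-string semantics (a `"..."` string ends at the first `"` and backslash is not an escape, so a `"` inside a regex needs the `{"..."}` long-string form), uses Python's `re` as a stand-in for PCRE, and runs over constructed sample lines modelled on the quoted compiler messages.

```python
import re

# Constructed sample lines modelled on the three VCC messages quoted in this
# issue, plus one well-formed rule; they are not the ruleset's own files.
SAMPLE_VCL = r'''
if(req.http.Cookie ~ "(?:(?:[\;|]\W*?\bcc|\b(wget|curl))\b|\/cc(?:[\'\"|\;-\s]|$))"){
if(req.url validateUtf8Encoding ""){
if((%{tx.allowed_methods}) ~ "req.request"){
if(req.url ~ "(?i)\.(php|asp)$"){
'''

MACRO = re.compile(r"%\{[^}]*\}")        # unexpanded ModSecurity macro
REGEX_MATCH = re.compile(r'!?~\s*"')    # start of a basic string after ~ or !~
# request/response variable followed by a bare word where VCL expects an operator
BAD_OPERATOR = re.compile(r"\b((?:be)?re(?:q|sp)\.\S+)\s+([A-Za-z_]\w*)\s")

def lint_line(line):
    """Return (problem, detail) tuples for one line of ported VCL."""
    problems = []
    for m in MACRO.finditer(line):
        problems.append(("unresolved macro", m.group(0)))
    m = BAD_OPERATOR.search(line)
    if m:
        problems.append(("not a VCL operator", m.group(2)))
    for m in REGEX_MATCH.finditer(line):
        start = m.end()
        end = line.find('"', start)   # basic VCL string ends at the first ", backslash is literal
        if end < 0:
            problems.append(("unterminated string", line[start:]))
            continue
        rest = line[end + 1:].lstrip()
        if not rest.startswith((")", "&&", "||")):
            problems.append(('quote inside basic string, use {"..."}', line[start:end]))
        try:
            re.compile(line[start:end])   # Python re stands in for PCRE here (assumption)
        except re.error as exc:
            problems.append(("regex does not compile", str(exc)))
    return problems

def lint(text):
    """Map 1-based line number -> problems, for lines that have any."""
    report = {}
    for no, line in enumerate(text.strip().splitlines(), 1):
        found = lint_line(line)
        if found:
            report[no] = found
    return report
```

`lint(SAMPLE_VCL)` flags the Cookie rule twice (the embedded `"` cuts the string short, and what is left does not compile), the `validateUtf8Encoding` line as a non-operator, and the `%{tx.allowed_methods}` line as an unresolved macro, while the fourth rule passes.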