Installation

  1. Install the dependencies:
      # Debian and Ubuntu
      apt install -y libcurl4 libapr1 libjansson4 libaprutil1 libpcre3
  1. Copy the libvmod_px.so file to the Varnish VMODS directory (the location depends on the Linux distribution: /usr/lib/varnish/vmods/ or /usr/lib64/varnish/vmods/).

  2. In your configuration .vcl file:

    • At the top of the file, add these two lines that will import the Enforcer:
      import px;
      import std;
  3. Add the following lines to the sub vcl_init block to enable the Enforcer and provide the required parameters:

    new px_module = px.px();

    px_module.setconf("px_enabled", "true");

    px_module.setconf("px_appId", "ENTER APP ID HERE");
    px_module.setconf("px_cookie_secret", "ENTER RISK COOKIE KEY HERE");
    px_module.setconf("px_auth_token", "ENTER AUTHENTICATION TOKEN HERE");

    if (!px_module.setup()) {
        std.syslog(9, "Failed to init PX module");
    }
    • px_enabled - Set to true to enable the Enforcer.
    • px_appId - Enter the HUMAN application ID.
      To retrieve the ID:
      1. Open the HUMAN Console.
      2. Go to Platform Settings > Applications.
      3. Copy the ID from the Application ID field.
    • px_cookie_secret - Enter a risk cookie key used by the cookie signing page.
      To generate a risk cookie key:
      1. Open the HUMAN Console.
      2. Go to Product Settings > Security Policy > Policy Information.
      3. Click Generate new.
    • px_auth_token - Enter a JWT authentication token for the REST API.
      To retrieve the authentication token:
      1. Open the HUMAN Console.
      2. Go to Platform Settings > Applications > Tokens > Server Tokens.
      3. Click Copy token.
  4. Add the following section to the existing sub vcl_recv block. This section enables the Enforcer to process requests.

    if (px_module.is_first_party(req.url)) {
        std.cache_req_body(100KB);
    }

    px_module.process_request(req.url, req.method, regsub(req.proto, "^.*/", ""), client.ip, req.http.host);

    if (px_module.get_result() > 0) {
        return (synth(px_module.get_result()));
    }
  5. Add a new block named vcl_synth. This block displays a CAPTCHA if a request is blocked.

    sub vcl_synth {
        set resp.status = px_module.get_resp_status();
        px_module.set_resp_headers();

        if (px_module.get_resp_body_len()) {
            synthetic(px_module.get_resp_body());
        }

        return(deliver);
    }
  6. Add a new (or edit an existing) block named vcl_deliver. This block is executed when a response is sent back to a client.

    sub vcl_deliver {
        px_module.set_resp_headers();
        return(deliver);
    }
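
A pre-reload check for a .vcl file edited with the steps above, as an added example that is not part of the HUMAN documentation or the Enforcer. The function name check_px_vcl is hypothetical, and the file-permission test is a hardening assumption (the file now holds px_cookie_secret and px_auth_token), not a vendor requirement.

```shell
#!/bin/sh
# Added example (not vendor code): lint a VCL file edited per the steps above.
# Prints one FAIL line per finding; the return status is the number of findings.
check_px_vcl() {
    vcl=$1
    problems=0
    fail() { echo "FAIL: $1"; problems=$((problems + 1)); }
    [ -r "$vcl" ] || { echo "FAIL: cannot read $vcl"; return 1; }

    # Statements the installation steps require somewhere in the file.
    for pat in \
        '^[[:space:]]*import px;' \
        '^[[:space:]]*import std;' \
        'new px_module = px\.px\(\);' \
        'px_module\.setup\(\)' \
        'px_module\.process_request\(' \
        '^[[:space:]]*sub vcl_synth' \
        'px_module\.set_resp_headers\(\)'
    do
        grep -Eq "$pat" "$vcl" || fail "missing statement matching: $pat"
    done

    # Every required setconf key must be present with a non-empty value.
    for key in px_enabled px_appId px_cookie_secret px_auth_token; do
        grep -Eq "setconf\(\"$key\",[[:space:]]*\"[^\"]+\"\)" "$vcl" ||
            fail "setconf for $key is missing or empty"
    done

    # The documentation's placeholders must have been replaced.
    if grep -Eq '"ENTER [A-Z ]+ HERE"' "$vcl"; then
        fail "placeholder value (\"ENTER ... HERE\") still present"
    fi

    # Assumption: the file holds px_cookie_secret and px_auth_token, so it
    # should not be readable by "other" (hardening check, not a vendor rule).
    if [ -n "$(find "$vcl" -prune -perm -004)" ]; then
        fail "$vcl is world-readable but contains secrets"
    fi

    return "$problems"
}

# Run as a script: sh check_px_vcl.sh /path/to/file.vcl
if [ "$#" -gt 0 ]; then
    check_px_vcl "$1"
fi
```

Run it before reloading Varnish; varnishd -C -f with the same file additionally confirms that the VCL compiles.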