Cache / Proxy
Varnish Cache Blocklist Tutorial
Block VPN and proxy IPs in Varnish Cache using VCL ACL blocks populated from a TXT/CSV blocklist file, filtering traffic before it hits your backend.
Steps
1. Download the blocklist
   Fetch the TXT blocklist from your AntiProxies dashboard.
2. Generate VCL ACL block
   Convert the flat IP list into a Varnish ACL block using a shell script. The generated .vcl file is then included by your main VCL.
3. Add sub vcl_recv logic
   In your main VCL vcl_recv subroutine, check the client IP against the ACL and return a 403 synthetic response for matches.
4. Reload Varnish VCL
   Use varnishadm vcl.load and vcl.use to hot-reload the new VCL without restarting Varnish or dropping connections.
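Steps 2 and 4 as one script, added here as an example (it is not the tutorial's or AntiProxies' own code). It assumes one IPv4 address or CIDR per line in the TXT file (IPv6 and any other lines are skipped and reported); the script name and the /etc/varnish/default.vcl path in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example (not from the original tutorial): TXT blocklist -> Varnish ACL.
set -eu

# gen_acl NAME: read one IPv4 address or CIDR per line on stdin and print
# "acl NAME { ... }". Anything that is not a strict IPv4/CIDR literal is
# skipped and reported on stderr, so a bad line can never become raw VCL.
gen_acl() {
  awk -v name="$1" '
    function valid_ip(ip,   o, cnt, i) {
      cnt = split(ip, o, ".")
      if (cnt != 4) return 0
      for (i = 1; i <= 4; i++)   # no leading zeros, each octet 0..255
        if (o[i] !~ /^(0|[1-9][0-9]?[0-9]?)$/ || o[i] + 0 > 255) return 0
      return 1
    }
    BEGIN { printf "acl %s {\n", name }
    {
      sub(/\r$/, ""); gsub(/^[ \t]+|[ \t]+$/, "")   # CRLF, stray blanks
      if ($0 == "" || $0 ~ /^#/) next
      n = split($0, p, "/")
      if (n == 1 && valid_ip(p[1])) {
        printf "    \"%s\";\n", p[1]; kept++
      } else if (n == 2 && valid_ip(p[1]) && p[2] ~ /^(0|[1-9][0-9]?)$/ && p[2] + 0 <= 32) {
        printf "    \"%s\"/%d;\n", p[1], p[2]; kept++
      } else {
        print "skipped line " NR ": " $0 > "/dev/stderr"
      }
    }
    END { print "}"; exit (kept ? 0 : 1) }   # an empty list is an error
  '
}

# update_acl LIST OUT MAIN_VCL: rebuild OUT atomically, then hot-reload.
update_acl() {
  tmp="$(mktemp "$2.XXXXXX")"
  gen_acl blocked_ips < "$1" > "$tmp" || { rm -f "$tmp"; return 1; }
  mv "$tmp" "$2"
  label="blocklist_$(date +%s)"
  # vcl.load compiles the new VCL; if that fails the active VCL keeps running.
  varnishadm vcl.load "$label" "$3"
  varnishadm vcl.use "$label"
}

# Example (paths other than the ACL file are assumptions):
# ./update-acl.sh antiproxies.txt /etc/varnish/blocklists/antiproxies.vcl /etc/varnish/default.vcl
if [ "$#" -eq 3 ]; then update_acl "$1" "$2" "$3"; fi
```

Because an empty or fully invalid download makes gen_acl fail before the mv, a broken fetch cannot silently replace the current ACL file.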
Generated ACL file
VCL ACL block – included by the main VCL. Add your blocked IPs here.
acl blocked_ips {
    "1.2.3.4";
    "5.6.7.0"/24;
    "10.0.0.1";
    "192.168.100.0"/22;
}

Main VCL – block in vcl_recv
Include the ACL and deny matching clients with a synthetic 403 response.
vcl 4.1;

# Generated ACL file; defines the blocked_ips ACL used below.
include "/etc/varnish/blocklists/antiproxies.vcl";

backend default {
    .host = "127.0.0.1";
    .port = "3000";
}

sub vcl_recv {
    # Reject listed clients before any cache lookup or backend fetch.
    if (client.ip ~ blocked_ips) {
        return (synth(403, "Access denied"));
    }
}

sub vcl_synth {
    # Plain-text body for the 403 generated in vcl_recv.
    if (resp.status == 403) {
        set resp.http.Content-Type = "text/plain; charset=utf-8";
        synthetic("Access denied");
        return (deliver);
    }
}

Frequently asked questions
Can Varnish hot-reload without dropping cached objects?
Does client.ip work correctly behind a CDN?