Start your free trial in minutes
Get full Virtual Registry Premium and Artifact Firewall free for 30 days. Request your license, install Virtual Registry on your platform, and point a client at it to see two things on your own traffic: packages accelerating, and a package blocked by your policy at request time.
01. Request your license
Want to accelerate private packages while preserving your registries' access controls? Need artifacts stored on disk so they survive restarts? Try Virtual Registry Premium and Varnish Artifact Firewall free for 30 days with a self-service trial license.
Enter your details and your 30-day Virtual Registry Premium license file arrives in your inbox. No sales call required.
YOUR 30-DAY TRIAL
One license, two full-featured products
Your trial unlocks Virtual Registry Premium and Varnish Artifact Firewall together: the same layer that accelerates artifact delivery also verifies every package at request time. When the 30 days end, the two behave differently. Virtual Registry keeps running in Free mode with the feature set shown here. Artifact Firewall stops enforcing until it's licensed.
ARTIFACT FIREWALL
Full-featured for 30 days: request-time verification on every registry you enable, nothing extra to install. After the trial, enforcement turns off. Keep it on with a license: talk to an expert.
Trialing Artifact Firewall? It's part of the same license: you'll switch it on in step 3.
Next: Install Virtual Registry ↓ | ↑ All Steps
02. Install Virtual Registry
Pick the platform that fits your environment, run the one-line install, and follow the full guide on the documentation site. Each guide also shows how to supply your own configuration file for that platform, which is what you'll do in step 3. No need to wait for your license email: Virtual Registry runs in free mode right away, and step 3 unlocks Premium when your license arrives.
Docker
Fastest pathOne command, and Virtual Registry is listening on port 80 with the default configuration.
docker run -p 80:80 varnish/orcaKubernetes (Helm)
Deploy to your cluster with the official Helm chart, configured through values.yaml.
helm install varnish-orca oci://docker.io/varnish/orca-chartDebian / Ubuntu
DEBInstall the varnish-supervisor package from the Varnish package registry.
sudo apt -y install varnish-supervisorRHEL / CentOS
RPMInstall the varnish-supervisor package, then enable and start the service.
sudo yum -y install varnish-supervisorCHECK IT'S RUNNING
Virtual Registry answers 200 OK on its health-check endpoint regardless of host.
Troubleshooting →
curl http://localhost/healthz -INext: Configure and add your license ↓ | ↑ All Steps
03. Configure and add your license
Create your own config.yaml with the registry to accelerate, and point Virtual Registry at the license file from your trial email to unlock Premium. This example defines a single npm registry; the rest of this guide builds on it. On Docker and Kubernetes, supply this file as your own configuration rather than editing the default shipped with the image: the installation guides in step 2 show how for each platform.
# config.yaml varnish: http: - port: 80 license: file: /app/license.lic virtual_registry: registries: - name: npmjs default: true remotes: - url: https://registry.npmjs.org
Virtual Registry supports Docker, Go, Helm, and more: see the configuration reference →. On Docker, mount the license file into the container. On Kubernetes, load it as a secret and reference it in values.yaml. On Linux, place it at /etc/varnish-supervisor/license.lic and add the license section to default.yaml. License setup guide →
Enable Artifact Firewall
Artifact Firewall runs integrated with Virtual Registry. In the same config.yaml, switch it on for the npmjs registry you just defined with enable_firewall, and point the firewall section at two rulesets: a two-line policy of your own, and the OSV ruleset that blocks known-critical vulnerabilities automatically.
virtual_registry:
registries:
- name: npmjs
enable_firewall: true
remotes:
- url: https://registry.npmjs.org
firewall:
default_action: allow
mode: normal
rulesets:
- path: /app/demo-rules.yaml
- git:
name: npm-osv-rules
url: https://github.com/varnish/osv-rules.git
sub_path: rulesets/npm/all.yaml
Save this next to your config as demo-rules.yaml. This is your own policy rule, written in the same format as the OSV ruleset, and your rules can take precedence over OSV's by setting a higher priority. It's the policy you'll see enforced in step 4.
# demo-rules.yaml
id: getting-started-demo
rules:
- id: block-demo-package
match:
- type: npm
name: left-pad
action: deny
reason: Blocked by your policy
This example enforces from the start: mode: normal blocks non-compliant packages at request time, so the verification step in step 4 works out of the box. Prefer to evaluate a ruleset first? Start in mode: report to log its impact in the audit log without blocking anything. Artifact Firewall configuration reference →
Next: Point your clients at Virtual Registry ↓ | ↑ All Steps
04. Point your clients at Virtual Registry
Point npm at Virtual Registry and pull through it, no pipeline changes required. These examples assume npmjs.localhost resolves to 127.0.0.1; the subdomain tells Virtual Registry which registry to proxy. Running Virtual Registry remotely? Replace localhost with its address.
# Install a package through Virtual Registry
npm install express --registry=http://npmjs.localhost
# Already installed? Bypass npm's local cache so the request reaches Virtual Registry
npm install express --prefer-online --registry=http://npmjs.localhost
# See Artifact Firewall in action: your policy blocks this package at request time
npm install left-pad --registry=http://npmjs.localhost
The blocked install fails with a 403 that carries your rule's reason:
npm error code E403
npm error 403 403 Forbidden - GET http://npmjs.localhost/left-pad
npm error 403 Blocked by your policy
WHAT JUST HAPPENED
That last install was denied before a single byte reached your client: the demo rule from step 3, enforced at request time. Every package gets the same active verification – no quarantine window to wait out, no after-the-fact scan to catch up – and the OSV ruleset applies it automatically to known-critical vulnerabilities.
Artifact Firewall needs no client changes; the same endpoints serve every client. Using Docker, Go, or Helm clients? The tutorials in step 5 cover each one.
Next: Follow a tutorial ↓ | ↑ All Steps
05. Follow a tutorial and go deeper
Step-by-step guides for configuring your clients and getting the most out of Virtual Registry.
Ready to see the acceleration on your own traffic?
Request your 30-day Virtual Registry Premium license and be caching artifacts in minutes. No pipeline changes, no sales calls. Your trial unlocks Varnish Artifact Firewall too.