Custom VCL for allowing requests

Last update: 2024-02-05
  • Created for: Admin, Developer

You can use a Fastly Edge ACL list with a custom VCL code snippet to filter incoming requests and allow access by IP address. The ACL list specifies the IP addresses to allow.

Create an allowlist to limit access to your Staging environment so that only requests from specified IP addresses for internal developers and approved external services are permitted. You can also create an allowlist to secure access to the Admin on Staging and Production environments.

The following example shows how to use a custom VCL snippet with a Fastly Access Control List (ACL) to secure access to the Admin for an Adobe Commerce on cloud infrastructure project environment. When you add the custom VCL snippet to the Cloud environment, Fastly allows only requests from IP addresses included in the ACL.

TIP

For Staging and integration environments that should not be publicly accessible, use the HTTP access control option available in the Cloud Console to manage access to the entire site by IP address.

Prerequisites:

  • Your environment must be configured to use the Fastly CDN. See Configure Fastly services.

  • Ensure that you are running the latest version of the Fastly CDN module for Magento 2. See Upgrade the Fastly Module.

  • Verify the environment configuration for the Fastly service. See Check Fastly caching.

  • You must have Admin credentials to access the Staging and Production environments.

  • List of client IP addresses to include on the allowlist

Create Edge ACL for allowing client IP addresses

Edge ACLs create IP address lists for managing access to your site. In this example, you create an Edge ACL and add the list of client IP addresses allowed to access the Admin for your project environment.

  1. Log in to the Admin.

  2. Click Stores > Settings > Configuration > Advanced > System.

  3. Expand Full Page Cache > Fastly Configuration > Edge ACL.

  4. Create the ACL container:

    • Click Add ACL.

    • On the ACL Container page, enter an ACL name: allowlist.

    • Select Activate after the change to deploy your changes to the version of the Fastly service configuration that you are editing.

    • Click Upload to attach the ACL to your Fastly service configuration.

  5. Add the list of IP addresses allowed to access the Admin:

    • Click the Settings icon for the allowlist ACL.

    • Add and save the IP Value for each client IP address.

    • Click Cancel to return to the system configuration page.

  6. Click Save Config.

  7. Refresh the cache according to the notification at the top of the page.

Create the custom VCL snippet to secure Admin access

The following custom VCL snippet code (JSON format) shows the logic to filter requests to the Admin and allow access if the client IP address matches an address in the allowlist ACL.

{
  "name": "allowlist",
  "dynamic": "0",
  "type": "recv",
  "priority": "5",
  "content": "if ((req.url ~ \"^/admin\") && !(client.ip ~ allowlist) && !req.http.Fastly-FF) { error 403 \"Forbidden\"; }"
}

Before creating a custom snippet from this example, review the values to determine whether you need to make any changes. Then enter each value into the respective fields, such as type into the Type field, content into the Content field.

  • name — Name for the VCL snippet. For this example, allowlist.

  • priority — Determines when the VCL snippet runs. The priority is 5 so that the snippet runs immediately and checks whether Admin requests are coming from an allowed IP address. The snippet runs before any of the default Magento VCL snippets (magentomodule_*), which are assigned a priority of 50. Set the priority for each custom snippet higher or lower than 50 depending on when you want your snippet to run. Snippets with lower priority numbers run first.

  • type — Specifies a location to insert the snippet in the versioned VCL code. This VCL is a recv snippet type which adds the snippet code to the vcl_recv subroutine below the default Fastly VCL code and above any objects.

  • content — The snippet of VCL code to run. In this example, the code filters requests to the Admin and allows access if the client IP address matches an address in the allowlist ACL. If the address does not match, the request is blocked with a 403 Forbidden error.

    If the URL for your Admin was changed, replace the sample value /admin with the URL for your environment. For example, /company-admin.

In the code sample, the condition !req.http.Fastly-FF is important when using Origin Shielding. Do not remove or edit this code.
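The condition in the content field can be modelled offline to check an ACL list and a changed Admin path before uploading. This is an added example, not code from Adobe Commerce or Fastly; the function names, the sample addresses (documentation ranges) and the CIDR-style ACL entries are assumptions.

```python
import ipaddress
import json
import re


def build_snippet(admin_path="/admin"):
    """Return the snippet fields shown above with the Admin path substituted."""
    # Assumption: the path is a single literal segment, so it needs no
    # regex escaping inside the VCL string.
    if not re.fullmatch(r"/[A-Za-z0-9_-]+", admin_path):
        raise ValueError("expected a path such as /admin or /company-admin")
    content = ('if ((req.url ~ "^%s") && !(client.ip ~ allowlist) '
               '&& !req.http.Fastly-FF) { error 403 "Forbidden"; }' % admin_path)
    return {"name": "allowlist", "dynamic": "0", "type": "recv",
            "priority": "5", "content": content}


def is_blocked(url, client_ip, acl_entries, fastly_ff=None, admin_path="/admin"):
    """Model of the snippet's condition: True means the request gets 403."""
    nets = [ipaddress.ip_network(e, strict=False) for e in acl_entries]
    allowed = any(ipaddress.ip_address(client_ip) in n for n in nets)
    # For a literal path, the anchored regex "^/admin" is a prefix match.
    targets_admin = url.startswith(admin_path)
    # fastly_ff stands for the Fastly-FF request header; when it is set,
    # the snippet's third condition is false and no 403 is raised.
    return targets_admin and not allowed and not fastly_ff


# Constructed sample ACL (RFC 5737 documentation addresses).
SAMPLE_ACL = ["203.0.113.10", "198.51.100.0/24"]

if __name__ == "__main__":
    # json.dumps escapes the inner quotes the same way as the JSON above.
    print(json.dumps(build_snippet("/company-admin"), indent=2))
    for url, ip in [("/admin/dashboard", "192.0.2.55"),
                    ("/admin/dashboard", "203.0.113.10"),
                    ("/administrator", "192.0.2.55"),
                    ("/checkout/cart", "192.0.2.55")]:
        print(url, ip, "403" if is_blocked(url, ip, SAMPLE_ACL) else "pass")
```

Because the match is a prefix match, any storefront URL that begins with the same characters as the Admin path is also restricted to the allowlist.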

After reviewing and updating the code for your environment, use either of the following methods to add the custom VCL snippet to your Fastly service configuration:

Add the custom VCL snippet

  1. Log in to the Admin.

  2. Click Stores > Settings > Configuration > Advanced > System.

  3. Expand Full Page Cache > Fastly Configuration > Custom VCL Snippets.

  4. Click Create Custom Snippet.

  5. Add the VCL snippet values:

    • Name: allowlist

    • Type: recv

    • Priority: 5

    • Add the VCL snippet content:

      if ((req.url ~ "^/admin") && !(client.ip ~ allowlist) && !req.http.Fastly-FF) { error 403 "Forbidden";}
      
  6. Click Create to generate the VCL snippet file with the name pattern type_priority_name.vcl, for example recv_5_allowlist.vcl.

  7. After the page reloads, click Upload VCL to Fastly in the Fastly Configuration section to add the file to the Fastly service configuration.

  8. After the upload completes, refresh the cache according to the notification at the top of the page.

Fastly validates the updated version of the VCL code during the upload process. If the validation fails, edit the custom VCL snippet to fix the issue. Then, upload the VCL again.

Modify the custom VCL snippet

  1. Log in to the Admin.

  2. Click Stores > Settings > Configuration > Advanced > System.

  3. Expand Full Page Cache > Fastly Configuration > Custom VCL Snippets.

  4. In the Action column, click the settings icon next to the snippet to edit.

  5. After the page reloads, click Upload VCL to Fastly in the Fastly Configuration section.

  6. After the upload completes, refresh the cache according to the notification at the top of the page.

WARNING

The Custom VCL snippets UI option shows only the snippets added through the Adobe Commerce Admin. If you add snippets using the Fastly API, use the API to manage them.

Delete the custom VCL snippet

  1. Log in to the Admin.

  2. Click Stores > Settings > Configuration > Advanced > System.

  3. Expand Full Page Cache > Fastly Configuration > Custom VCL Snippets.

  4. In the Action column, click the trash icon next to the snippet to delete.

  5. On the next modal window, click DELETE and activate a new version.

WARNING

The Custom VCL snippets UI option shows only the snippets added through the Adobe Commerce Admin. If you add snippets using the Fastly API, use the API to manage them.
