Use Fastly to deny access for an entire website
Topics: Cloud, Configuration, Site Management, System
Created for: Intermediate, Experienced, Admin, Developer, User
Learn how to restrict access to your Adobe Commerce Cloud site using Fastly Edge ACLs and custom VCL snippets. This step-by-step guide helps you secure your pre-launch environment by allowing only specific IP addresses, ensuring your development site stays private.
What you’ll learn
Restrict Adobe Commerce Site Access with Fastly Edge ACLs & Custom VCL | Secure Pre-Launch Environments
Who is this video for?
- DevOps Engineer
- Adobe Commerce Developer
- Site Reliability Engineer
Hi, this is Russell with Adobe Commerce. Today, I’m going to show you how to restrict access to your entire Adobe Commerce Cloud website using a Fastly Edge ACL and a custom VCL snippet.
So, the reason why you might need to do this is you’ll have a brand new website and it’s still under development. While we’re in this pre-launch phase, we want to make sure that only specific IPs can access the site so they can do their task, things like fixing these missing images and getting the homepage content ready.
So, our first step is we need to create a new Edge ACL. So I wanted to get things ready for this demo, so I went ahead and created this new Edge ACL called AllowList. And the name is very important, we use it in our custom VCL later, so make note of that. So right now, I’m on an Adobe VPN and it just so happens to be one that’s in my AllowList. This isn’t complicated, just the IP address and a comment.
I’m going to use a curl command to get my current IPv4. And the command is curl and then ifconfig.co.
So now that I have my value, I’m going to go back to my AllowList and it does match one of my entries. And due to this match, this is why I’m allowed to visit the site. So I’m going to prove it by picking on a different VPN that has a different IP.
I’ll go ahead and run that same curl request and I’m going to get a different IP.
And when I go back to my homepage and I try to reload it, I’ll get an error of 403 Forbidden.
So I guess it works, that’s great. So now that we’ve seen this and we can see that we can restrict access to the entire website using a simple Fastly VCL, now you need to see what this VCL looks like.
For the first, it’s the name. And for this, it’s not important. The second is the type and it’s RECV. For the priority, just pick a number that’s less than 100. And it’s also good to know that the lower the numbers, they execute first. Now the good stuff, the VCL field. This has two conditions. The first is a check to see if the client IP is not in our Edge ACL called AllowList. The second is a check against a special header that is unique to Fastly. And for this session, I’m not really going to go too deep into this Fastly header. Just know that it has something to do with your request and detecting a loop.
So if you’re curious, if we have other documentation for things like how can we limit access to a single area of the website, let’s say that path to our admin. Yes, we do. And it is very similar to this, but the VCL is just a little bit more complicated. And you can find this topic in Experience League. There’s also another topic in Experience League that you can proactively block requests using Fastly. And this might happen due to compliance regulations where you need to block requests from an entire country or perhaps an individual malicious IP. Both of these are very well documented in Experience League. So this shows you that using Fastly provides you many options to meet your unique needs.
Well, that’s it for this session on Fastly’s Edge ACL and custom VCL snippets. Please continue to use Experience League to learn more about Adobe Commerce, as well as all of the other Adobe products.
Code Sample
This is an example of the VCL used:
# allowlist is the Edge ACL name; Fastly-FF marks requests forwarded between Fastly nodes.
if ( !(client.ip ~ allowlist) && !req.http.Fastly-FF ) {
  error 403 "Forbidden";
}
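A pre-upload check for the Edge ACL entries, written as an added example and not part of the original video or Adobe's tooling: it validates each entry, flags ranges broad enough to defeat the restriction, and predicts whether a given client IP would pass or receive the 403. The sample entries, the subnet (CIDR) notation, the `MIN_PREFIX` threshold and the function names are assumptions made for illustration.

```python
import ipaddress

# Constructed sample ACL entries (documentation address ranges): an address or
# subnet plus a comment, like the Edge ACL rows shown in the video.
ACL_ENTRIES = [
    ("192.0.2.10", "office VPN"),
    ("198.51.100.0/24", "agency network"),
    ("203.0.113.0/8", "mistyped mask"),
    ("0.0.0.0/0", "temporary"),
]

# Assumed review threshold (not a Fastly limit): shorter prefixes are flagged.
MIN_PREFIX = {4: 16, 6: 32}


def audit_acl(entries):
    """Return (usable networks, findings) for (entry, comment) pairs."""
    networks, findings = [], []
    for entry, comment in entries:
        try:
            # strict=True rejects entries whose host bits do not fit the mask.
            net = ipaddress.ip_network(entry, strict=True)
        except ValueError as exc:
            findings.append(f"{entry} ({comment}): invalid entry: {exc}")
            continue
        if net.prefixlen < MIN_PREFIX[net.version]:
            findings.append(f"{entry} ({comment}): /{net.prefixlen} is too broad")
            continue
        networks.append(net)
    return networks, findings


def expected_result(client_ip, networks, from_fastly_node=False):
    """Mirror the snippet's two conditions for one request.

    from_fastly_node models the Fastly-FF header being present.
    """
    addr = ipaddress.ip_address(client_ip)
    in_acl = any(addr in net for net in networks if net.version == addr.version)
    if not in_acl and not from_fastly_node:
        return "403 Forbidden"
    return "pass"


if __name__ == "__main__":
    nets, problems = audit_acl(ACL_ENTRIES)
    print("\n".join(problems))
    for ip in ("192.0.2.10", "198.51.100.77", "203.0.113.5"):
        print(ip, "->", expected_result(ip, nets))
```

Run it against the entries you plan to upload and against the address returned by the curl check, so a mistyped or overly broad entry is caught before the snippet goes live.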