    About ACLs

      Last updated September 12, 2018

    Malicious actors present themselves in many ways on the internet: automated tools scrape information from your website, bots probe your application for vulnerabilities, and attackers exploit what they find. Using access control lists (ACLs) at the edge lets you reject requests from the IP addresses they use before those requests reach your information resources.

    When ACLs can be useful

    Access control lists at the edge might be useful for:

    How ACLs work

    ACLs have two parts: an ACL container and the ACL entries within it. Together they store a list of IP addresses and subnets that Varnish evaluates at the edge to grant or restrict access to URLs within your services.

    Once you attach an ACL container to a version of your service and that version is activated, the data in the container (the ACL entries) becomes "versionless." Any further change to that data, such as adding or removing an entry, takes effect immediately, without activating a new version of the service. Treat entry changes with the same care as a configuration deployment: they are not staged behind version activation, and reactivating an earlier service version does not undo them.

    How to create ACLs

    To create an ACL at the edge and use it within your service, start by creating an empty ACL container in a working version of the service that is unlocked and not yet activated, then add entries to that container. You can create ACLs in several ways:
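    The two-step procedure above, creating the container in a draft version and then adding entries to it, carried out against the Fastly API. This is an added example written for this page, not Fastly's own tooling; the endpoint paths and form fields are the author's reading of the Fastly API and should be checked against the current API reference before use, and the service id, version number and token are placeholders supplied through environment variables. The entry list is constructed to mirror the office_ip_ranges ACL shown further down this page.

```python
"""Create an ACL container in a draft service version, then add its entries.

Added example for this page, not Fastly's own tooling. It follows the
two-step procedure described above using the Fastly API as the author
understands it; verify the endpoint paths and form fields against the
current API reference before relying on them:
  POST /service/{service_id}/version/{version}/acl   form: name
  POST /service/{service_id}/acl/{acl_id}/entry      form: ip, subnet, negated, comment
Service id, version number and token are placeholders read from the
environment; the entry list mirrors the office_ip_ranges ACL on this page.
"""
import json
import os
import urllib.parse
import urllib.request

API = "https://api.fastly.com"

# Constructed entries mirroring the generated ACL shown on this page.
OFFICE_IP_RANGES = [
    {"ip": "192.0.2.0", "subnet": 24, "comment": "internal office"},
    {"ip": "198.51.100.4", "comment": "remote VPN office"},
    {"ip": "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff", "comment": "ipv6 address remote"},
]


def container_request(service_id, version, acl_name):
    """The container is created inside a specific, unlocked service version."""
    return ("POST", f"/service/{service_id}/version/{version}/acl", {"name": acl_name})


def entry_requests(service_id, acl_id, entries):
    """Entries are addressed by acl_id alone: no version appears in the path,
    which is the API-level face of the 'versionless' data described above.
    Omitting subnet means a single host; negated=0 is an ordinary entry."""
    reqs = []
    for e in entries:
        fields = {"ip": e["ip"], "negated": "0", "comment": e.get("comment", "")}
        if "subnet" in e:
            fields["subnet"] = str(e["subnet"])
        reqs.append(("POST", f"/service/{service_id}/acl/{acl_id}/entry", fields))
    return reqs


def send(token, method, path, fields):
    """One form-encoded API call authenticated with the Fastly-Key header."""
    req = urllib.request.Request(
        API + path,
        data=urllib.parse.urlencode(fields).encode(),
        method=method,
        headers={"Fastly-Key": token, "Accept": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def create_acl(token, service_id, version, acl_name, entries):
    """Create the container, then its entries, and return the new acl_id."""
    acl_id = send(token, *container_request(service_id, version, acl_name))["id"]
    for step in entry_requests(service_id, acl_id, entries):
        send(token, *step)
    return acl_id


if __name__ == "__main__":
    token = os.environ.get("FASTLY_API_TOKEN")
    service_id = os.environ.get("FASTLY_SERVICE_ID", "<service_id>")
    version = os.environ.get("FASTLY_VERSION", "<version>")
    if token:
        print("created ACL", create_acl(token, service_id, version,
                                        "office_ip_ranges", OFFICE_IP_RANGES))
    else:
        # Dry run without a token: show the calls that would be made.
        for step in [container_request(service_id, version, "office_ip_ranges"),
                     *entry_requests(service_id, "<acl_id>", OFFICE_IP_RANGES)]:
            print(*step)
```

    Run it without FASTLY_API_TOKEN set to see the calls it would make; with the token and a draft version number set, it creates the container and entries. The separation into container_request and entry_requests is deliberate: it makes visible that only the container is tied to a version, so anything that writes entries should be gated by the same change control you apply to activating a version.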

    How to use ACLs

    After you've used the Fastly API to create an ACL and add its entries, Fastly automatically generates the VCL for the ACL and its entries. For example, this is the VCL generated for an ACL named office_ip_ranges:

    # This VCL is automatically generated when you create an ACL container and entries
    # using the Fastly API. In this example, the ACL name is office_ip_ranges.
    acl office_ip_ranges {
      "192.0.2.0"/24;                              # internal office
      "198.51.100.4";                              # remote VPN office
      "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff";    # ipv6 address remote
    }

    Once created, you can add logic to interact with your ACL at the edge by uploading custom VCL. You could use the office_ip_ranges ACL as an allow list by uploading the following custom VCL:

    sub vcl_recv {
      # block all requests to Admin pages from IP addresses not in office_ip_ranges
      if (req.url ~ "^/admin" && ! (client.ip ~ office_ip_ranges)) {
        error 403 "Forbidden";
      }
    }

    With this VCL, requests for any path beginning with /admin are answered with a 403 unless client.ip is in the ACL; the listed addresses reach /admin without restriction, and all other paths are unaffected. Two properties of the match are worth checking against your intent. "^/admin" is a prefix match, so it also covers paths such as /administrator or /admin-api, which is usually the safer default for an allow list. The ~ operator is case-sensitive, so /Admin is not covered; if your origin treats paths case-insensitively, or normalizes encoded characters, make the edge rule match the same way, for example with req.url ~ "(?i)^/admin".
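    A reference model of what the ACL match and the vcl_recv rule above decide for a set of constructed requests. This is an added example written for this page, not Fastly's code and not the VCL engine; it reproduces the semantics of client.ip ~ office_ip_ranges (CIDR and host matching across IPv4 and IPv6) and req.url ~ "^/admin" with Python's ipaddress and re modules, and evaluates each request against the rule as written and against the case-insensitive variant. The sample requests are constructed for the example.

```python
"""Reference model of the ACL check and the vcl_recv rule shown above.

Added example for this page; it is not Fastly's code or the VCL engine and
does not talk to Fastly. It models what `client.ip ~ office_ip_ranges` and
`req.url ~ "^/admin"` decide for constructed requests, and compares the rule
as written with a case-insensitive variant ((?i) is the PCRE flag for that,
which Fastly VCL regexes accept).
"""
import ipaddress
import re

# Mirror of the generated office_ip_ranges ACL on this page.
OFFICE_IP_RANGES = [
    ipaddress.ip_network("192.0.2.0/24"),                                # internal office
    ipaddress.ip_network("198.51.100.4/32"),                             # remote VPN office
    ipaddress.ip_network("2001:db8:ffff:ffff:ffff:ffff:ffff:ffff/128"),  # ipv6 address remote
]

# The path test as written on this page, and a hardened variant.
ADMIN_AS_WRITTEN = re.compile(r"^/admin")        # matches /admin, /admin/x, /administrator; not /Admin
ADMIN_CASE_INSENSITIVE = re.compile(r"(?i)^/admin")


def acl_match(client_ip: str, acl) -> bool:
    """Model of `client.ip ~ acl` for an ACL without negated entries: true if
    any entry's network contains the address. A v4 address never matches a
    v6 entry and vice versa, which is why the IPv6 office address is listed
    as its own entry on this page."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr.version == net.version and addr in net for net in acl)


def decide(client_ip: str, url: str, acl, admin_path=ADMIN_AS_WRITTEN) -> int:
    """Model of the vcl_recv rule: 403 for admin paths unless the client is in
    the ACL; otherwise the request continues (modelled here as 200)."""
    if admin_path.search(url) and not acl_match(client_ip, acl):
        return 403
    return 200


# Constructed requests (client IP, req.url) exercising the edges of the rule.
SAMPLE_REQUESTS = [
    ("192.0.2.77", "/admin/users"),                          # inside the office /24
    ("198.51.100.4", "/admin"),                              # exact VPN host
    ("198.51.100.5", "/admin"),                              # neighbour of the VPN host, not listed
    ("2001:db8:ffff:ffff:ffff:ffff:ffff:ffff", "/admin/"),   # the IPv6 entry
    ("203.0.113.9", "/public/index.html"),                   # not an admin path
    ("203.0.113.9", "/administrator/login"),                 # prefix match: also treated as admin
    ("203.0.113.9", "/Admin/users"),                         # case variant: slips past the rule as written
]


def evaluate(acl=OFFICE_IP_RANGES, requests=SAMPLE_REQUESTS):
    """Return {(ip, url): (status as written, status with (?i))} per request."""
    return {
        (ip, url): (decide(ip, url, acl, ADMIN_AS_WRITTEN),
                    decide(ip, url, acl, ADMIN_CASE_INSENSITIVE))
        for ip, url in requests
    }


if __name__ == "__main__":
    for (ip, url), (as_written, hardened) in evaluate().items():
        print(f"{ip:40} {url:22} as written: {as_written}  with (?i): {hardened}")
```

    The last two sample requests are the ones to study: /administrator/login is denied by the rule as written because the prefix match is broader than the word "admin" suggests, while /Admin/users passes the rule as written and is only denied once the regex is case-insensitive. Which behaviour is correct depends on how your origin routes those paths, so align the edge rule with the origin rather than assuming the edge sees the same path the origin does.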

    Limitations

    When working with ACL containers and entries specifically, remember the following:

    When creating and manipulating ACLs at the edge, keep the following limitations in mind as you develop your service configurations:
