    Authenticating before returning a request

      Last updated October 18, 2018

    Performing authentication before returning a request is possible if your authentication is completely header-based and you do something like the following using custom VCL:

    sub vcl_recv {
    
      /* unset state tracking header to avoid client sending it */
      if (req.restarts == 0) {
        unset req.http.X-Authed;
      }
    
      if (!req.http.X-Authed) {
        /* stash the original URL for later */
        set req.http.X-Orig-URL = req.url;
    
        /* set the URL to what the auth backend expects */
        set req.url = "/authenticate";
    
        /* Auth requests won't be cached, so pass */
        return(pass);
      }
    
      if (req.http.X-Authed == "true") {
        /* we're authed, so proceed with the request */
        /* reset the URL */
        set req.url = req.http.X-Orig-URL;
    
      } else {
        /* the auth backend refused the request, so 403 the client */
        error 403;
      }
    
    #FASTLY recv
    
      ...etc...
    }
    
    sub vcl_deliver {
    
      /* if we are in the auth phase */
      if (!req.http.X-Authed) {
    
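        /* if we got a 5XX from the auth backend, we should fail open */
        /* (an auth backend outage then lets requests through unauthenticated) */
        /* chained with else-if so the final else cannot overwrite this decision */
        if (resp.status >= 500 && resp.status < 600) {
          set req.http.X-Authed = "true";
        } else if (resp.status == 200) {
    
          /* the auth backend responded with 200, allow the request and restart */
          set req.http.X-Authed = "true";
        } else if (resp.status == 401) {
    
          /* hand the auth backend's 401 to the client without restarting */
          return(deliver);
    
        } else {
    
          /* the auth backend responded with any other status, deny the request and restart */
          set req.http.X-Authed = "false";
        }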
    
        restart;
      }
    
    #FASTLY deliver
    
      ...etc...
    }
    

    If you feel like you can cache the authentication, then add the appropriate headers to the hash in vcl_hash and use return(lookup) instead of return(pass) in the auth phase of vcl_recv.
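
One way to apply the caching advice above, as an added example rather than Fastly's own code. It assumes the credential travels in the Authorization header and that the auth backend's verdict can depend on the requested path; both are assumptions, so substitute the headers your auth backend actually reads.

```vcl
sub vcl_recv {

  /* unset state tracking header to avoid client sending it */
  if (req.restarts == 0) {
    unset req.http.X-Authed;
  }

  if (!req.http.X-Authed) {
    set req.http.X-Orig-URL = req.url;
    set req.url = "/authenticate";

    /* look the verdict up in cache instead of passing */
    return(lookup);
  }

  if (req.http.X-Authed == "true") {
    set req.url = req.http.X-Orig-URL;
  } else {
    error 403;
  }

#FASTLY recv

  return(lookup);
}

sub vcl_hash {
  set req.hash += req.url;
  set req.hash += req.http.host;

  /* auth phase only: every auth request has the URL "/authenticate",
     so the cache key must also carry whatever the verdict depends on.
     Without this, one client's cached 200 is served to every client. */
  if (!req.http.X-Authed) {
    /* assumption: the credential is the Authorization header */
    set req.hash += req.http.Authorization;
    /* assumption: the verdict depends on the path; drop if it does not */
    set req.hash += req.http.X-Orig-URL;
  }

#FASTLY hash

  return(hash);
}
```

How long a cached verdict is honored is set by the TTL of the auth backend's response, so a revoked credential keeps working until that object expires or is purged.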
