Getting started
Configuration
Security
Integrations
Diagnostics
Account info
Reference
Basics
- About the web interface controls
- Always-on DDoS mitigation
- Browser recommendations when using the Fastly web interface
- Content and its delivery
- Fastly POP locations
- Getting started with Fastly
- How caching and CDNs work
- How Fastly's CDN Service works
- HTTP status codes cached by default
- Self-provisioned Fastly services
- Sign up and create your first service
- Working with services
Domains & Origins
Performance
Configuration
Basics
Dictionaries
Domains & Origins
- Changing origins based on user location
- Connecting to origins
- Enabling global POPs
- Failover configuration
- IPv6 support
- Maintaining separate HTTP and HTTPS requests to origin servers
- Routing assets to different origins
- Setting up redundant origin servers
- Specifying an override host
- Using Fastly with apex domains
Request settings
Cache settings
Headers
Responses
Performance
- About Dynamic Servers
- Authenticating URL purge requests via API
- Cache control tutorial
- Caching configuration best practices
- Controlling caching
- Creating and using pools with Dynamic Servers
- Creating and using server entries with Dynamic Servers
- Enabling API caching
- Enabling automatic gzipping
- Failure modes with large files
- Getting started with surrogate keys
- HTTP/2 server push
- Implementing API cache control
- Large File Support
- Logging purge requests
- Making query strings agnostic
- Purging API cache with surrogate keys
- Request collapsing
- Serving stale content
- Setting Surrogate-Key headers based on a URL
- Setting Surrogate-Key headers for Amazon S3 origins
- Single purges
- Soft purges
- Streaming Miss
- Wildcard purges
Custom VCL
- Accept-Language header VCL features
- Authenticating before returning a request
- Basic authentication
- Creating location-based tagging
- Custom responses that don't hit origin servers
- Delivering different content to different devices
- Enabling URL token validation
- Guide to VCL
- Isolating header values without regular expressions
- Manipulating the cache key
- IP geolocation variables: Migrating to the new dataset
- Overriding which IP address the geolocation features use
- Response Cookie handling
- Support for the Edge-Control header
- Understanding the different PASS action behaviors
- Using edge side includes (ESI)
- VCL regular expression cheat sheet
Image optimization
Video
Security
Access Control Lists
Monitoring and testing
Securing communications
TLS
Web Application Firewall
Integrations
Logging endpoints
- Log streaming: Amazon S3
- Log streaming: Microsoft Azure Blob Storage
- Log streaming: Cloud Files
- Log streaming: Datadog
- Log streaming: DigitalOcean Spaces
- Log streaming: FTP
- Log streaming: Google BigQuery
- Log streaming: Google Cloud Storage
- Log streaming: Honeycomb
- Log streaming: Kafka
- Log streaming: Log Shuttle
- Log streaming: LogDNA
- Log streaming: Logentries
- Log streaming: Loggly
- Log streaming: Heroku's Logplex
- Log streaming: OpenStack
- Log streaming: Papertrail
- Log streaming: Scalyr
- Log streaming: SFTP
- Log streaming: Splunk
- Log streaming: Sumo Logic
- Log streaming: Syslog
Non-Fastly services
Diagnostics
Streaming logs
Debugging techniques
Common errors
Account info
Account management
Billing
User access and control
Reference
Recently viewed Clear
Authenticating before returning a request
Last updated October 18, 2018
Performing authentication before returning a request is possible if your authentication is completely header-based and you do something like the following using custom VCL:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
sub vcl_recv {
/* unset state tracking header to avoid client sending it */
if (req.restarts == 0) {
unset req.http.X-Authed;
}
if (!req.http.X-Authed) {
/* stash the original URL and Host for later */
set req.http.X-Orig-URL = req.url;
/* set the URL to what the auth backend expects */
set req.url = "/authenticate";
/* Auth requests won't be cached, so pass */
return(pass);
}
if (req.http.X-Authed == "true") {
/* were authed, so proceed with the request */
/* reset the URL */
set req.url = req.http.X-Orig-URL;
} else {
/* the auth backend refused the request, so 403 the client */
error 403;
}
#FASTLY recv
...etc...
}
sub vcl_deliver {
/* if we are in the auth phase */
if (!req.http.X-Authed) {
/* if we got a 5XX from the auth backend, we should fail open */
if (resp.status >= 500 && resp.status < 600) {
set req.http.X-Authed = "true";
}
if (resp.status == 200) {
/* the auth backend responded with 200, allow the request and restart */
set req.http.X-Authed = "true";
} else if (resp.status == 401) {
return(deliver);
} else {
/* the auth backend responded with non-200, deny the request and restart */
set req.http.X-Authed = "false";
}
restart;
}
#FASTLY deliver
...etc...
}
NOTE: Be sure to change /authenticate to whatever your authentication endpoint is.
WARNING: Caching authentication might result in users receiving responses intended for other authenticated users. For example, if you cache the response from the /authenticate endpoint for User A, User B could receive the same response when logging in.
If you feel like you can cache the authentication, then add the appropriate headers to the hash in vcl_hash and return(lookup) instead of (pass).