    Authenticating before returning a request

      Last updated October 18, 2018

    Performing authentication before returning a request is possible if your authentication is completely header-based and you do something like the following using custom VCL:

    
    sub vcl_recv {
    
      /* unset state tracking header to avoid client sending it */
      if (req.restarts == 0) {
        unset req.http.X-Authed;
      }
    
      if (!req.http.X-Authed) {
        /* stash the original URL for later */
        set req.http.X-Orig-URL = req.url;
    
        /* set the URL to what the auth backend expects */
        set req.url = "/authenticate";
    
        /* Auth requests won't be cached, so pass */
        return(pass);
      }
    
      if (req.http.X-Authed == "true") {
        /* we're authed, so proceed with the request */
        /* reset the URL */
        set req.url = req.http.X-Orig-URL;
    
      } else {
        /* the auth backend refused the request, so 403 the client */
        error 403;
      }
    
    #FASTLY recv
    
      ...etc...
    }
    
    sub vcl_deliver {
    
      /* if we are in the auth phase */
      if (!req.http.X-Authed) {
    
        /* if we got a 5XX from the auth backend, we should fail open */
        if (resp.status >= 500 && resp.status < 600) {
          set req.http.X-Authed = "true";
    
        } else if (resp.status == 200) {
    
          /* the auth backend responded with 200, allow the request and restart */
          set req.http.X-Authed = "true";
        } else if (resp.status == 401) {
    
          /* deliver the auth backend's 401 to the client without restarting */
          return(deliver);
    
        } else {
    
          /* the auth backend responded with non-200, deny the request and restart */
          set req.http.X-Authed = "false";
        }
    
        restart;
      }
    
    #FASTLY deliver
    
      ...etc...
    }
    

    If you decide the authentication response can be cached, add the appropriate headers to the hash in vcl_hash and use return(lookup) instead of return(pass).
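The restart flow in the VCL above can be checked offline with a small model. This is an added example, not Fastly code: the Python functions mirror `vcl_recv` and `vcl_deliver` as the page's comments describe them, and the `/report` URL, the `handle` helper and the sample cases are constructed for illustration.

```python
# Added model of the page's restart flow; not Fastly code.
# Header names are matched case-sensitively here for brevity.

def vcl_recv(req):
    if req["restarts"] == 0:
        req["headers"].pop("X-Authed", None)   # never trust the client's copy
    authed = req["headers"].get("X-Authed")
    if authed is None:                          # auth phase
        req["headers"]["X-Orig-URL"] = req["url"]
        req["url"] = "/authenticate"
        return "pass"
    if authed == "true":                        # content phase
        req["url"] = req["headers"]["X-Orig-URL"]
        return "lookup"
    return "error 403"

def vcl_deliver(req, status):
    if status == 200 or 500 <= status < 600:    # 5XX fails open, per the page
        req["headers"]["X-Authed"] = "true"
    elif status == 401:
        return "deliver"                        # challenge goes to the client
    else:
        req["headers"]["X-Authed"] = "false"
    return "restart"

def handle(url, client_headers, auth_status):
    """Return (outcome, url_sent_to_content_origin_or_None)."""
    req = {"url": url, "headers": dict(client_headers), "restarts": 0}
    while True:
        action = vcl_recv(req)
        if action == "error 403":
            return ("403", None)
        if action == "lookup":
            return ("content", req["url"])
        if vcl_deliver(req, auth_status) == "deliver":
            return (str(auth_status), None)
        req["restarts"] += 1

# Constructed cases: (client headers, auth backend status)
CASES = {
    "valid": ({}, 200),
    "spoofed X-Authed": ({"X-Authed": "true"}, 403),
    "spoofed X-Orig-URL": ({"X-Orig-URL": "/admin"}, 200),
    "challenge": ({}, 401),
    "auth backend down": ({}, 503),
}

if __name__ == "__main__":
    for name, (hdrs, status) in CASES.items():
        print(f"{name:20} -> {handle('/report', hdrs, status)}")
```

The "auth backend down" case reaches the content origin, which is the fail-open behaviour the VCL comment states; the two spoofed-header cases show that client-supplied state headers do not influence the outcome.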
