Compute@Edge log streaming: HTTPS

Fastly's Real-Time Log Streaming feature for Compute@Edge services can send log files to an HTTPS endpoint.

Prerequisites

When sending logs to an HTTPS endpoint, Fastly requires proof that you control the domain name specified in the URL field by using an HTTP challenge on a well-known path. If, for example, your URL field is foo.example.com/some/log/path, then the following challenge path must send a 200 response:

foo.example.com/.well-known/fastly/logging/challenge

Responses must include the hex representation of the SHA-256 hash of your Fastly service ID, and that value must appear on its own line in the response. For example:

$ printf '%s' '<SERVICEID>' | sha256sum | cut -d ' ' -f 1
ef537f25c895bfa782526529a9b63d97aa631564d5d789c2b765448c8635fb6c

If multiple service IDs are used, multiple hex(sha256) lines can be added to that challenge body. In addition, an asterisk (*) can be used on a line to allow any service to post to the HTTP endpoint. For example:

ef537f25c895bfa782526529a9b63d97aa631564d5d789c2b765448c8635fb6c
06ae6402e02a9dad74edc71aa69c77c5747e553b0840bfc56feb7e65b23f0f61
*
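
The following added example (not part of Fastly's documentation) builds a challenge body for a set of service IDs and checks an existing body before it is deployed, reporting wildcard lines and lines that are neither a SHA-256 hex digest nor an asterisk. The service IDs are constructed placeholders, and the exact-line matching is an assumption about how the challenge is evaluated, chosen to be strict.

```python
import hashlib
import re

HEX_SHA256 = re.compile(r"[0-9a-f]{64}")

# Constructed placeholder service IDs, not real Fastly services.
SERVICE_A = "EXAMPLE-SERVICE-ID-A"
SERVICE_B = "EXAMPLE-SERVICE-ID-B"


def challenge_line(service_id: str) -> str:
    """Hex SHA-256 of the service ID itself (no trailing newline is hashed)."""
    return hashlib.sha256(service_id.encode("utf-8")).hexdigest()


def build_challenge_body(service_ids, allow_any=False) -> str:
    """One digest per line; '*' is only added when explicitly requested."""
    lines = [challenge_line(sid) for sid in service_ids]
    if allow_any:
        lines.append("*")
    return "\n".join(lines) + "\n"


def body_authorizes(body: str, service_id: str) -> bool:
    """True only if the digest (or '*') occupies a whole line by itself."""
    wanted = challenge_line(service_id)
    return any(line in (wanted, "*") for line in body.splitlines())


def audit_body(body: str) -> dict:
    """Flag a wildcard and any line that is not a digest or '*'."""
    lines = [line for line in body.splitlines() if line]
    return {
        "wildcard": "*" in lines,
        "malformed": [l for l in lines
                      if l != "*" and not HEX_SHA256.fullmatch(l)],
    }


if __name__ == "__main__":
    body = build_challenge_body([SERVICE_A, SERVICE_B])
    print(body, end="")
    print(audit_body(body))
```

Running audit_body against the file served at the challenge path makes an unintended asterisk line visible before the endpoint goes live.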

Adding HTTPS as a logging endpoint

Follow these instructions to add HTTPS as a logging endpoint:

  1. Review the information in our Setting Up Remote Log Streaming guide.

  2. Click the HTTPS Create endpoint button. The Create an HTTPS endpoint page appears.
  3. Fill out the Create an HTTPS endpoint fields as follows:
    • In the Name field, enter the name you specified in your Compute@Edge code. For example, in our Rust code example, the name is my_endpoint_name.
    • In the URL field, enter the URL to which log data will be sent (e.g., https://logs.example.com/).
    • In the Maximum logs field, optionally enter the maximum number of logs to send as a batch.
    • In the Maximum bytes field, optionally enter the maximum size of a log batch.
  4. Click the Advanced options link of the Create an HTTPS endpoint page. The Advanced options appear.
  5. Fill out the Advanced options of the Create an HTTPS endpoint page as follows:
    • In the Content type field, optionally enter the content type to use when sending logs (e.g., application/json).
    • In the Custom header name field, optionally enter a custom header to use when sending logs (e.g., Authorization).
    • In the Custom header value field, optionally enter a custom header value to use when sending logs (e.g., Bearer <token>).
    • In the Method area, optionally select the appropriate HTTP method to use.
    • In the JSON log entry format area, select the appropriate log entry format to use. The JSON log entry format enforces valid JSON formatting. Selecting Array of JSON wraps JSON log batches in an array. Selecting Newline delimited places each JSON log entry onto a new line in a batch.
    • In the Select a log line format area, select the log line format for your log messages. Our guide on changing log line formats provides more information.
  6. Fill out the Using your own certificate authority (CA) section of the Advanced options area as follows:
    • In the TLS Hostname field, optionally enter the hostname used to verify the server's certificate. This can be either the Common Name (CN) or Subject Alternative Name (SAN). If the hostname is not specified, the hostname of the first broker in the Brokers field will be used. This field only appears when you select Yes from the Use TLS menu.
    • In the TLS CA certificate field, optionally copy and paste the certification authority (CA) certificate used to verify that the origin server's certificate is valid. The certificate you upload must be in PEM format. Consider uploading the certificate if it's not signed by a well-known certification authority. This value is not required if your TLS certificate is signed by a well-known authority. This field only appears when you select Yes from the Use TLS menu.
    • In the TLS client certificate field, optionally copy and paste the TLS client certificate used to authenticate to the origin server. The TLS client certificate you upload must be in PEM format and must be accompanied by a TLS client key. A TLS client certificate allows your server to authenticate that Fastly is performing the connection. This field only appears when you select Yes from the Use TLS menu.
    • In the TLS client key field, optionally copy and paste the TLS client key used to authenticate to the backend server. The TLS client key you upload must be in PEM format and must be accompanied by a TLS client certificate. A TLS client key allows your server to authenticate that Fastly is performing the connection. This field only appears when you select Yes from the Use TLS menu.
  7. Click the Create button to create the new logging endpoint.
  8. Click the Activate button to deploy your configuration changes.
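
On the receiving side, the custom header and the JSON log entry format chosen in step 5 determine what your server has to check and parse. The following added example (not Fastly code) validates the custom header value in constant time and accepts a batch in either Array of JSON or Newline delimited form. The header name, token value, and the assumption that every log entry is a JSON object are constructed for illustration.

```python
import hmac
import json

# Constructed value; it must match the Custom header value field.
EXPECTED_AUTH = "Bearer constructed-example-token"


def header_ok(supplied, expected: str) -> bool:
    """Constant-time comparison; a missing header always fails."""
    if supplied is None:
        return False
    return hmac.compare_digest(supplied.encode("utf-8"),
                               expected.encode("utf-8"))


def parse_batch(body: bytes) -> list:
    """Return the log entries from an array or newline-delimited batch."""
    text = body.decode("utf-8").strip()
    if not text:
        return []
    if text.startswith("["):          # Array of JSON
        entries = json.loads(text)
    else:                             # Newline delimited
        entries = [json.loads(line)
                   for line in text.splitlines() if line.strip()]
    if not isinstance(entries, list) or \
            not all(isinstance(e, dict) for e in entries):
        raise ValueError("batch is not a list of JSON objects")
    return entries


def handle_post(headers: dict, body: bytes, expected=EXPECTED_AUTH):
    """headers is assumed to have lower-cased keys. Returns (status, entries)."""
    if not header_ok(headers.get("authorization"), expected):
        return 401, []
    try:
        return 200, parse_batch(body)
    except ValueError:                # covers bad UTF-8 and bad JSON
        return 400, []


if __name__ == "__main__":
    sample = b'{"msg": "a"}\n{"msg": "b"}\n'   # constructed batch
    print(handle_post({"authorization": EXPECTED_AUTH}, sample))
```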

Firewall considerations

Your HTTPS endpoint may have limited security features. For this reason, it's best to create a firewall for your HTTP endpoint server and only accept TCP traffic on your configured port from our address blocks. Our list of IP address blocks is dynamic, so we recommend programmatically obtaining the list whenever possible.
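
The following added example (not Fastly code) turns a downloaded IP list into an allowlist for the logging port. It assumes the list is the JSON document returned by https://api.fastly.com/public-ip-list, with addresses and ipv6_addresses keys (neither the URL nor the keys appear on this page), and that an nftables table inet filter with an input chain already exists. The sample document uses constructed documentation ranges, not Fastly's real blocks.

```python
import ipaddress
import json

# Constructed sample in the assumed shape of the public IP list.
SAMPLE_IP_LIST = json.dumps({
    "addresses": ["192.0.2.0/24", "198.51.100.0/25"],
    "ipv6_addresses": ["2001:db8::/32"],
})


def load_blocks(document: str) -> list:
    """Parse and validate every CIDR; refuse to continue on an empty list."""
    data = json.loads(document)
    cidrs = data.get("addresses", []) + data.get("ipv6_addresses", [])
    blocks = [ipaddress.ip_network(c) for c in cidrs]  # raises on bad CIDR
    if not blocks:
        raise ValueError("empty IP list: refusing to build a ruleset")
    return blocks


def is_allowed(source_ip: str, blocks) -> bool:
    """True if the connecting address falls inside one of the blocks."""
    ip = ipaddress.ip_address(source_ip)
    return any(ip.version == n.version and ip in n for n in blocks)


def nft_rules(blocks, port: int) -> list:
    """Lines for `nft -f`: accept listed sources on the port, drop the rest."""
    rules = []
    for version, family in ((4, "ip"), (6, "ip6")):
        cidrs = ", ".join(str(n) for n in blocks if n.version == version)
        if cidrs:
            rules.append(f"add rule inet filter input {family} saddr "
                         f"{{ {cidrs} }} tcp dport {port} accept")
    rules.append(f"add rule inet filter input tcp dport {port} drop")
    return rules


if __name__ == "__main__":
    print("\n".join(nft_rules(load_blocks(SAMPLE_IP_LIST), 443)))
```

Because the list is dynamic, regenerate the rules on a schedule and keep the previous ruleset if load_blocks raises.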
