Manually creating access control lists

      Last updated November 12, 2019

    Varnish allows you to use access control lists (ACLs), a feature that enables fast matching of a client's IP address against a list of defined IP addresses. An ACL looks like this:

    # Who is allowed access ...
    acl local {
      "localhost";
      "192.0.2.0"/24; /* and everyone on the local network */
      ! "192.0.2.1"/32; /* except for the dial-in router */
    }
    

    Defining an ACL

    Using ACLs requires you to create and add custom VCL to Fastly's boilerplate VCL. To define an ACL in your Fastly configuration:

    1. Read about how to mix and match custom VCL with Fastly VCL.
    2. Create a custom VCL file with your ACL definitions included in the appropriate location. Use the example shown below as a guide. You can reference the ACL in your configuration (vcl_recv) using a match operation that can be located above or below #FASTLY recv. The placement only matters for the order of operations within Varnish's execution of your configuration.

       # If you are using the "include" keyword
       include "myACL1.vcl";
      
       # And/or if you are using an actual ACL block
       acl local {
         "localhost";
         "192.0.2.0"/24; /* and everyone on the local network */
         ! "192.0.2.1"/32; /* except for the dial-in router */
       }
      
       sub vcl_recv {
         # block any requests to Admin pages not from local IPs
         if (req.url ~ "^/admin" && req.http.Fastly-Client-IP !~ local) {
           error 403 "Forbidden";
         }
       }
      
    3. Upload the file in the Varnish Configuration area of your service.
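
To check which addresses an ACL admits before uploading it, the following added example (not Fastly's code) parses the `acl local` block above and reproduces the `/admin` rule from `vcl_recv` in Python. It assumes the most specific matching entry decides, as the comments in the ACL imply, that a negated entry wins a tie, that hostnames come from a constructed `HOSTS` table instead of DNS, and that a return value of 200 stands for "request continues".

```python
import ipaddress
import re

# ACL text copied from the example on this page.
ACL_TEXT = '''
acl local {
  "localhost";
  "192.0.2.0"/24; /* and everyone on the local network */
  ! "192.0.2.1"/32; /* except for the dial-in router */
}
'''

# Assumption: hostnames resolve from this constructed table, not from DNS.
HOSTS = {"localhost": ["127.0.0.1", "::1"]}

# One entry: optional "!", a quoted address or hostname, optional /mask.
ENTRY = re.compile(r'(!)?\s*"([^"]+)"(?:/(\d+))?\s*;')

def parse_acl(text):
    """Return (network, negated) pairs for every entry in one acl block."""
    body = re.sub(r"/\*.*?\*/|#[^\n]*", "", text, flags=re.S)  # drop comments
    entries = []
    for neg, host, mask in ENTRY.findall(body):
        for addr in HOSTS.get(host, [host]):
            ip = ipaddress.ip_address(addr)
            prefix = int(mask) if mask else ip.max_prefixlen  # bare host entry
            net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
            entries.append((net, bool(neg)))
    return entries

def acl_match(entries, client_ip):
    """True if client_ip matches the ACL (assumed: longest prefix decides)."""
    ip = ipaddress.ip_address(client_ip)
    hits = [(net.prefixlen, neg) for net, neg in entries
            if net.version == ip.version and ip in net]
    if not hits:
        return False
    # max() picks the longest prefix; on a tie the negated entry wins.
    return not max(hits)[1]

def status_for(entries, url, client_ip):
    """Mirror the vcl_recv rule: /admin returns 403 unless the IP matches."""
    if re.match(r"^/admin", url) and not acl_match(entries, client_ip):
        return 403
    return 200  # placeholder for "request continues"
```
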