Manually creating access control lists

Varnish allows you to use access control lists (ACLs), a feature that enables fast matching of a client's IP address against a list of defined IP addresses. An ACL looks like this:

# Who is allowed access ...
acl local {
  "localhost";
  "192.0.2.0"/24; /* and everyone on the local network */
  ! "192.0.2.1"/32; /* except for the dial-in router */
}

Defining an ACL

Using ACLs requires you to create and add custom VCL to Fastly's boilerplate VCL. To define an ACL in your Fastly configuration:

  1. Read about how to mix and match custom VCL with Fastly VCL.

  2. Create a custom VCL file with your ACL definitions included in the appropriate location. Use the example shown below as a guide. You can reference the ACL in your configuration (vcl_recv) using a match operation that can be located above or below #FASTLY recv. The placement only matters for the order of operations within Varnish's execution of your configuration.

    # If you are using the "include" keyword
    include "myACL1.vcl";

    # And/or if you are using an actual ACL block
    acl local {
      "localhost";
      "192.0.2.0"/24; /* and everyone on the local network */
      ! "192.0.2.1"/32; /* except for the dial-in router */
    }

    sub vcl_recv {
      # block any requests to Admin pages not from local IPs
      if (req.url ~ "^/admin" && req.http.Fastly-Client-IP !~ local) {
        error 403 "Forbidden";
      }
    }

  3. Upload the file in the Varnish Configuration area of your service.
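
Before uploading, the ACL and the /admin rule can be checked offline against addresses you expect to be allowed or refused. The script below is an added example, not Fastly's code: it parses the ACL block from this page and assumes the most specific matching entry decides, which is what the page's comments imply (the /32 exception overrides the /24). The helper names, the HOSTS table, the 200 stand-in for "request continues" and the test addresses are assumptions; client_ip stands in for the value the VCL reads from Fastly-Client-IP.

```python
import ipaddress
import re

# The ACL from this page, copied as written.
ACL_TEXT = '''
acl local {
  "localhost";
  "192.0.2.0"/24; /* and everyone on the local network */
  ! "192.0.2.1"/32; /* except for the dial-in router */
}
'''

# Assumption: hostnames are pinned here so the check runs offline.
HOSTS = {"localhost": "127.0.0.1"}
ENTRY = re.compile(r'(!?)\s*"([^"]+)"(?:/(\d+))?\s*;')

def parse_acl(text):
    """Return (name, [(network, negated), ...]) for the first acl block."""
    text = re.sub(r'/\*.*?\*/|#[^\n]*', '', text, flags=re.S)  # drop comments
    m = re.search(r'acl\s+(\w+)\s*\{(.*?)\}', text, flags=re.S)
    if not m:
        raise ValueError("no acl block found")
    entries = []
    for neg, host, bits in ENTRY.findall(m.group(2)):
        addr = ipaddress.ip_address(HOSTS.get(host, host))
        prefix = bits or str(addr.max_prefixlen)  # bare host means a single address
        net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
        entries.append((net, neg == "!"))
    return m.group(1), entries

def acl_match(entries, client_ip):
    """True if client_ip matches the ACL (assumed rule: longest prefix decides)."""
    ip = ipaddress.ip_address(client_ip)
    hits = [(net.prefixlen, negated) for net, negated in entries if ip in net]
    # On equal prefix length the negated entry sorts last, so the exclusion wins.
    return bool(hits) and not max(hits)[1]

def admin_status(entries, url, client_ip):
    """Mirror the page's vcl_recv rule: 403 for ^/admin unless the IP matches."""
    if url.startswith("/admin") and not acl_match(entries, client_ip):
        return 403
    return 200  # stand-in for "request continues"

if __name__ == "__main__":
    name, entries = parse_acl(ACL_TEXT)
    for ip in ("127.0.0.1", "192.0.2.7", "192.0.2.1", "198.51.100.9"):  # constructed
        print(name, ip, admin_status(entries, "/admin/users", ip))
```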
