    Manually creating access control lists

      Last updated November 12, 2019

    Varnish allows you to use access control lists (ACLs), a feature that enables fast matching of a client's IP address against a list of defined IP addresses. An ACL looks like this:

    # Who is allowed access ...
    acl local {
      "localhost";
      "192.0.2.0"/24; /* and everyone on the local network */
      ! "192.0.2.1"/32; /* except for the dial-in router */
    }
    

    Defining an ACL

    Using ACLs requires you to create and add custom VCL to Fastly's boilerplate VCL. To define an ACL in your Fastly configuration:

    1. Read about how to mix and match custom VCL with Fastly VCL.
    2. Create a custom VCL file with your ACL definitions included in the appropriate location. Use the example shown below as a guide. You can reference the ACL in your configuration (vcl_recv) using a match operation that can be located above or below #FASTLY recv. The placement only matters for the order of operations within Varnish's execution of your configuration.

       # If you are using the "include" keyword
       include "myACL1.vcl";
      
       # And/or if you are using an actual ACL block
       acl local {
         "localhost";
         "192.0.2.0"/24; /* and everyone on the local network */
         ! "192.0.2.1"/32; /* except for the dial-in router */
       }
      
       sub vcl_recv {
         # block any requests to Admin pages not from local IPs
         if (req.url ~ "^/admin" && req.http.Fastly-Client-IP !~ local) {
           error 403 "Forbidden";
         }
       }
      
    3. Upload the file in the Varnish Configuration area of your service.
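
An offline check of an ACL before uploading it, as an added example that is not part of the original page or Fastly's own code: it parses the `acl` block and tests sample addresses against it. The `HOSTS` table, the function names and the rule that the most specific matching entry decides are assumptions, the last chosen to agree with the comments in the ACL above.

```python
import ipaddress
import re

# Constructed sample: the ACL block shown on this page.
SAMPLE_VCL = '''
acl local {
  "localhost";
  "192.0.2.0"/24; /* and everyone on the local network */
  ! "192.0.2.1"/32; /* except for the dial-in router */
}
'''

# Assumption: hostnames are pinned here so the check runs without DNS.
HOSTS = {"localhost": "127.0.0.1"}
ENTRY = re.compile(r'(!?)\s*"([^"]+)"\s*(?:/\s*(\d+))?\s*;')


def parse_acl(vcl, name):
    """Return [(network, negated), ...] for the named acl block."""
    block = re.search(r'\bacl\s+' + re.escape(name) + r'\s*\{(.*?)\}', vcl, re.S)
    if block is None:
        raise ValueError("acl %r not found" % name)
    body = re.sub(r'/\*.*?\*/|#[^\n]*', '', block.group(1), flags=re.S)
    entries = []
    for neg, host, mask in ENTRY.findall(body):
        addr = ipaddress.ip_address(HOSTS.get(host, host))
        prefix = int(mask) if mask else addr.max_prefixlen
        net = ipaddress.ip_network("%s/%d" % (addr, prefix), strict=False)
        entries.append((net, neg == "!"))
    return entries


def acl_match(entries, ip):
    """True if ip matches the ACL (assumed: most specific entry decides)."""
    ip = ipaddress.ip_address(ip)
    hits = [(net.prefixlen, negated) for net, negated in entries
            if ip.version == net.version and ip in net]
    if not hits:
        return False
    # On equal prefix lengths the negated entry wins, so the IP does not match.
    _, negated = max(hits)
    return not negated


def mismatches(entries, expected):
    """Return the IPs whose match result differs from the expected one."""
    return [ip for ip, want in expected.items() if acl_match(entries, ip) != want]
```

Calling `mismatches(parse_acl(vcl_text, "local"), {...})` with the addresses you expect to match or not gives an empty list when the ACL behaves as intended under these assumptions.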