Tracking your origin's name, IP, and port

Fastly provides three values captured in vcl_fetch that allow you to see and track origin information:

While these three values are immensely useful, you may want to use this information within vcl_deliver for things like response information or remote log streaming. You can do this by:

  1. Creating cache headers that capture the origin information.
  2. Adding a response header to the log format to capture the response output.

Capturing the Origin Information

To track your origin's name, IP, and port, you need to create two separate headers: one that captures the origin name and another that captures the origin's IP and port (e.g., 80, 443).

Create the header that captures the origin name by launching the Fastly application and navigating to Content → Headers. Then, click the New button to display the New Header window.

the New Header window

Set this first header's controls as follows:

Once you've set the controls, click Create to add the first new header.

Create the second header to capture the IP and port for your origin by navigating again to Content → Headers. Then, click the New button to display the New Header window a second time.

the New Header window with the second header

Set the second header's controls as follows:

Once you've set the controls, click Create to add the second new header.

Adding a Response Header to the Log Format

The values captured in a header within vcl_fetch will flow to vcl_deliver. For example, there will exist a resp.http.Backend-Name header in vcl_deliver that corresponds to beresp.http.Backend-Name in vcl_fetch. By default, the response header will be included in the response output.

Unfortunately, with remote log streaming, you cannot add the vcl_fetch header, beresp.http.Header-Name, to the log format. However, you can add its cousin in vcl_deliver, resp.http.Header-Name.

Add resp.http.Header-Name to the log format that you configured by following the instructions in the Remote Log Streaming guide. Using the example above, you would add resp.http.Backend-Name and resp.http.Backend-IP-Port.

Important Notes

Regarding Shielding

Notice within the example the field Ignore If Set is set to Yes. With shielding, the VCL is executed twice, once on the shield and again on the edge node. This setting will display the original information from the origin without overriding it on the edge node.

You can also set the field Ignore If Set to No with shielding enabled. In this scenario, the edge node captures the shield's information within beresp.backend.name, beresp.backend.ip, and beresp.backend.port.

If remote log streaming is configured, remember it is executed twice. Thus the first log (from the shield node) will have the origin's information and the second log (from the edge node) will have the shield's information.

Regarding Security

For security purposes, you may want to track the information in logging but not display all or some of it in the response. This is possible but requires custom VCL to strip the information after sending the log line from the edge node.

Don't forget to read our guide to using custom VCL before you begin. Remember to include the entire boilerplate if you do not intend to override the Fastly default settings.

Then add the following snippet within vcl_deliver with the headers you want to strip. Using our example above, we continue to send the value of the origin's name within the response. We strip the origin's IP and port from the response information.

sub vcl_deliver {
#FASTLY deliver

  if (!req.http.Fastly-FF) {
    unset resp.http.Backend-IP-Port;

Back to Top