
Connecting to origins over TLS

We offer two ways to use TLS to communicate to your origin servers.

The simple way

  1. Log in to the Fastly application.
  2. Click the configure tab to access the control panel.

    the configure tab

  3. Select the appropriate service from the Service menu.

  4. Click the blue Configure button to the right of the service name.

  5. Click the Hosts section.

  6. In the Backends area, click the New button to create a new backend for your secure (TLS) origin server. The New Backend window appears.

    the New Backend window

  7. Fill out the New Backend window as follows:

    • In the Address field, type the address of your secure server (for example, origin.example.com).
    • In the Port field, type 443.
    • In the Name field, type the name of your server (for example, My Origin Server).
    • Leave the Health Check, Auto Load Balance, Weight, and Shielding controls set to their default values.
  8. Click the Create button. The server appears in the Backends area.

  9. If there are multiple backend servers in your service, be sure to specify a default host.

The detailed way

To use a different port, or for a little more control over the TLS connections, follow these steps.

  1. Log in to the Fastly application.
  2. Click the configure tab to access the control panel.

    the configure tab

  3. Select the appropriate service from the Service menu.

  4. Click the blue Configure button to the right of the service name.

  5. Click the Hosts section.

  6. In the Backends area, click the New button to create a new backend for your secure (TLS) origin server. The New Backend window appears.

    the New Backend window

  7. Fill out the New Backend window as follows:

    • In the Address field, type the address of your secure server (for example, origin.example.com).
    • In the Port field, type a port number. For example, 8443.
    • In the Name field, type the name of your server (for example, My Origin Server).
    • Leave the Health Check, Auto Load Balance, Weight, and Shielding controls set to their default values.
  8. Click the Create button. The server appears in the Backends area.

  9. Click the gear icon next to the Backend you just created.

  10. From the menu that appears, select TLS Options. The TLS Options window appears.

  11. From the Use TLS for Connection menu, select Yes.

  12. From the Verify Certificate menu, select Yes.

  13. Click the Update button.

  14. If there are multiple backend servers in your service, be sure to specify a default host.

  15. Activate a new version of the service to complete the configuration changes.

And that's all you really need to do. Everything else is optional, but in case you'd like to set the remaining options, we've included the information below.

Setting the TLS hostname

Normally we check the server certificate against the hostname portion of the address for your origin entered in the New Backend window. To have Fastly verify the certificate using a different hostname, specify it via the Certificate Hostname and SNI Hostname fields in the TLS Options window.

This information also gets sent to the server in the TLS handshake. If you are using Server Name Indication (SNI) to put multiple certificates on your origin, specifying it in the SNI Hostname field will select which one is used.

Specifying a TLS CA certificate

If you're using a certificate that is either self-signed or signed by a Certificate Authority (CA) not commonly recognized by major browsers (and unlikely to be in the Ubuntu bundle that we use), you can provide the certificate in PEM format via the TLS CA Certificate field in the TLS Options window. The PEM format looks like this:

a PEM form certificate

Specifying acceptable TLS protocol versions

If your origin server is configured with support for modern TLS protocol versions, you can customize the TLS protocols Fastly will use to connect to it by setting a Minimum TLS Version and Maximum TLS Version in the TLS Options window. We recommend setting both to the most up-to-date TLS protocol, currently 1.2, if your origin can support it.

Use the openssl command to verify your origin supports a given TLS protocol version. For example:

openssl s_client -connect origin.example.com:443 -tls1_2

Replace -tls1_2 with -tls1_1 or -tls1 to test TLS 1.1 or TLS 1.0 (the openssl flag for TLS 1.0 is -tls1). A successful handshake prints the negotiated protocol and cipher; a version the origin does not accept fails with a handshake error. Fastly does not support SSLv2 or SSLv3.

Specifying acceptable TLS cipher suites

Fastly supports configuring the OpenSSL cipher suites used when connecting to your origin server. This allows you to turn specific cipher suites on or off based on security properties and origin server support. The Allowed Ciphersuites setting in the TLS Options window accepts an OpenSSL formatted cipher list. We recommend using the strongest cipher suite your origin will support as detailed by the Mozilla SSL Configuration Generator.

Use the openssl command to verify your origin supports a given cipher suite. For example:

openssl s_client -connect origin.example.com:443 -tls1_2 -cipher ECDHE-RSA-AES128-GCM-SHA256

Replace -cipher ECDHE-RSA-AES128-GCM-SHA256 with the cipher suite to test.
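The two openssl checks above, wrapped into a small probe script so you can see every protocol version and candidate cipher suite your origin accepts before filling in the Minimum/Maximum TLS Version and Allowed Ciphersuites fields. This is an added example, not part of the Fastly documentation or its tooling; it assumes an openssl binary is on the PATH, and the host, port and cipher candidates are placeholders you replace with your own.

```shell
#!/bin/sh
# Added example (not from the Fastly docs): probe which TLS versions and
# cipher suites an origin accepts, using the same openssl s_client checks
# the page shows. Exit status 0 from s_client means the handshake completed.
# Caveat: an OpenSSL 3 client refuses TLS 1.0/1.1 at its default security
# level, so a "no" for those two versions may reflect the client, not the origin.

# tls_version_supported HOST PORT FLAG -> prints yes|no
# FLAG is an s_client version switch: -tls1, -tls1_1, -tls1_2 or -tls1_3
tls_version_supported() {
    if openssl s_client -connect "$1:$2" "$3" </dev/null >/dev/null 2>&1; then
        echo yes
    else
        echo no
    fi
}

# cipher_supported HOST PORT CIPHER -> prints yes|no (tested over TLS 1.2,
# where -cipher selects the suite, as in the page's command)
cipher_supported() {
    if openssl s_client -connect "$1:$2" -tls1_2 -cipher "$3" \
            </dev/null >/dev/null 2>&1; then
        echo yes
    else
        echo no
    fi
}

# probe_origin HOST PORT: one line per version, then one per candidate cipher.
# The cipher candidates are a constructed sample; substitute your own list.
probe_origin() {
    host=$1
    port=$2
    for flag in -tls1 -tls1_1 -tls1_2 -tls1_3; do
        printf '%-8s %s\n' "$flag" "$(tls_version_supported "$host" "$port" "$flag")"
    done
    for c in ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES128-GCM-SHA256 \
             ECDHE-RSA-CHACHA20-POLY1305 AES128-SHA; do
        printf '%-30s %s\n' "$c" "$(cipher_supported "$host" "$port" "$c")"
    done
}

# Usage: sh probe.sh origin.example.com 443
if [ $# -eq 2 ]; then
    probe_origin "$1" "$2"
fi
```

A "yes" for a version or suite you intend to disable in the Fastly settings means the origin still offers it; tighten the origin's configuration as well, since the Fastly setting only constrains Fastly's side of the connection.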

Specifying a TLS client certificate and key

To ensure TLS connections to your origin come from Fastly and aren't random, anonymous requests, set your origin to verify the client using a client certificate. Simply paste the certificate and private key in PEM form into the appropriate text boxes on the TLS Options window.

Then configure your backend to require client certificates and verify them against the CA cert they were signed with. Here are some ways of doing that: