Connecting to origins over TLS

We provide two ways to use TLS when communicating with your origin servers.

The simple way

  1. Log in to the Fastly web interface and click the Configure link.
  2. From the service menu, select the appropriate service.
  3. Click the Edit configuration button and then select Clone active. The service version page appears.
  4. Click the Origins tab. The Origins page appears.
  5. Click the Create host button. The Create a new host page appears.


  6. Fill out the Create a new host fields as follows:

    • In the Address field, type the address of your secure server (for example, origin.example.com), and in the port field type 443.
    • Leave the Shielding, Health check, and Auto load balance controls set to their default values.
    • In the Description field, type the name of your server (for example, My Origin Server). This name is displayed in the Fastly web interface.
  7. Click the Create button.

  8. Click the Activate button to deploy your configuration changes.

The detailed way

To use a different port, or for a little more control over the TLS connections, follow these steps.

  1. Log in to the Fastly web interface and click the Configure link.
  2. From the service menu, select the appropriate service.
  3. Click the Edit configuration button and then select Clone active. The service version page appears.
  4. Click the Origins tab. The Origins page appears.
  5. Click the Create host button. The Create a new host page appears.


  6. Fill out the Create a new host fields as follows:

    • In the Address field, type the address of your secure server (for example, origin.example.com), and in the port field type a port number (for example, 8443).
    • Leave the Shielding, Health check, and Auto load balance controls set to their default values.
    • In the Description field, type the name of your server (for example, My Origin Server). This name is displayed in the Fastly web interface.
  7. Click the Create button.

  8. Click the TLS Options link next to the host you just created. The TLS options page appears.

  9. From the Connect to backend using TLS menu, select Yes.

  10. From the Verify certificate menu, select Yes.

  11. In the Certificate Hostname field, type the hostname associated with your TLS certificate. This value is matched against the certificate's common name (CN) or one of its subject alternative names (SANs), depending on the certificate you were issued; a certificate that carries a SAN list is matched on that list rather than on the CN, so the hostname should appear there. For example, if your certificate's CN field is www.example.com, type that value for your hostname. If you leave this field blank, the system will use the default host information displayed below this field.

  12. If you are specifying a TLS CA certificate, see the section below.

  13. Click the Save button. Even if you leave the Certificate Hostname field blank to use the default information, you must click the Save button to verify the certificate.

  14. Click the Activate button to deploy your configuration changes.

That's all you need to do. The remaining settings are optional; the sections below describe them in case you want to set them.

Setting the TLS hostname

Normally we check the server certificate against the hostname portion of the address entered for your origin in the Create a new host window. To have Fastly verify the certificate against a different hostname (for example, when the address is an IP or an internal name that does not appear in the certificate), set the Certificate Hostname field described in step 11 of the detailed way.

The SNI Hostname field under Advanced Options controls the name sent to the server in the TLS handshake via Server Name Indication (SNI). If your origin uses SNI to serve several certificates from one address, set this field to select which one is returned. It should name the same certificate that the Certificate Hostname is checked against; otherwise the origin may present a certificate that then fails verification.

Specifying a TLS CA certificate

If you're using a certificate that is either self-signed or signed by a Certificate Authority (CA) not commonly recognized by major browsers (and therefore unlikely to be in the Ubuntu CA bundle that we use), you can provide the CA certificate in PEM format via the TLS CA certificate field under Advanced Options. Paste the certificate of the CA that issued the origin certificate (for a self-signed origin certificate, that certificate itself), never a private key. A PEM certificate is a base64-encoded block enclosed between a -----BEGIN CERTIFICATE----- line and a -----END CERTIFICATE----- line.

Specifying a TLS client certificate and key

To ensure TLS connections to your origin come from Fastly and aren't random, anonymous requests, set your origin to verify the client using a client certificate. Paste the certificate and its private key, both in PEM form, into the client certificate and client key text boxes on the TLS options page. Because Fastly holds this private key, issue a dedicated certificate and key pair for it from your own CA rather than reusing your origin's server key, so it can be revoked or rotated on its own.

Then configure your backend to require a client certificate and to verify it against the CA certificate that signed it, so that a handshake without a certificate, or with one from any other issuer, is rejected before a request is served.
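One way to do that on an nginx origin, as an added example rather than configuration taken from this page: the server block below serves origin.example.com on port 8443, accepts a connection only if the client presents a certificate signed by the CA whose certificate is in ssl_client_certificate (the CA that issued the client certificate pasted into Fastly), and pins protocol and ciphers to match the Fastly settings described later on this page. Hostnames, ports, file paths and the upstream address are assumptions.

```nginx
# Added example, not from the Fastly page: an nginx origin that requires a
# client certificate from Fastly. Paths, hostnames and ports are placeholders.
server {
    listen 8443 ssl;
    server_name origin.example.com;

    # Origin certificate: its CN or SAN must match the Certificate Hostname
    # configured in Fastly, or verification on the Fastly side fails.
    ssl_certificate     /etc/nginx/tls/origin.example.com.pem;
    ssl_certificate_key /etc/nginx/tls/origin.example.com.key;

    # CA that signed the client certificate handed to Fastly. Keep this file
    # to that issuer only: any certificate it has signed will be accepted.
    ssl_client_certificate /etc/nginx/tls/fastly-client-ca.pem;
    ssl_verify_client on;        # "optional" would let anonymous clients through
    ssl_verify_depth 2;

    # Match the Fastly Minimum/Maximum TLS Version and Ciphersuites settings.
    ssl_protocols TLSv1.2;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers on;

    location / {
        # With ssl_verify_client on, nginx already answers 400 when no valid
        # certificate was sent; this guard documents the intent explicitly.
        if ($ssl_client_verify != SUCCESS) { return 403; }
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header X-Client-DN $ssl_client_s_dn;
    }
}
```

Apache httpd expresses the same requirement with SSLCACertificateFile plus SSLVerifyClient require. Reload the origin, then confirm from a host without the client certificate that the handshake is refused, and from one with it that the request reaches the upstream.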

Specifying acceptable TLS protocol versions

If your origin server supports modern TLS protocol versions, you can restrict the versions Fastly will use to connect to it by setting a Minimum TLS Version and Maximum TLS Version under Advanced Options. We recommend setting both to the most up-to-date TLS protocol, currently 1.2, if your origin can support it; a minimum of 1.2 also prevents the connection from falling back to 1.0 or 1.1 should the origin still offer them.

Use the openssl command to verify your origin supports a given TLS protocol version. For example:

openssl s_client -connect origin.example.com:443 -tls1_2

Replace -tls1_2 with -tls1_1 or -tls1 to test TLS 1.1 or TLS 1.0. A successful handshake prints the negotiated version on the Protocol line of the SSL-Session block; a version the origin does not offer ends in a handshake failure instead. Fastly does not support SSLv2 or SSLv3.

Specifying acceptable TLS cipher suites

Fastly supports configuring the OpenSSL cipher suites used when connecting to your origin server. This allows you to turn specific cipher suites on or off based on security properties and origin server support. The Ciphersuites setting under Advanced Options accepts an OpenSSL formatted cipher list. We recommend using the strongest cipher suite your origin will support as detailed by the Mozilla SSL Configuration Generator.

Use the openssl command to verify your origin supports a given cipher suite. For example:

openssl s_client -connect origin.example.com:443 -tls1_2 -cipher ECDHE-RSA-AES128-GCM-SHA256

Replace -cipher ECDHE-RSA-AES128-GCM-SHA256 with the cipher suite to test.
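The checks behind the settings on this page, gathered into one script: this is an added example, not code from the Fastly page or Fastly's own tooling. It extends the openssl s_client commands shown under the protocol and cipher sections with -servername (what the SNI Hostname sends), -verify_hostname (what the Certificate Hostname is matched against), -CAfile (the TLS CA certificate) and -cert/-key (the TLS client certificate and key), then reads the verify return code, negotiated protocol and cipher out of the output. All hostnames, ports and file paths are placeholders, the embedded s_client output is constructed so the parsers can run offline, and -verify_hostname requires OpenSSL 1.1.0 or later.

```shell
#!/usr/bin/env bash
# Added example, not Fastly's code: reproduce from the command line what
# "Verify certificate: Yes" checks on an origin, so failures show up here
# before a version is activated. Hostnames, ports and paths are placeholders.
set -u

# Build the s_client argument string for one check. An empty argument
# skips the corresponding option. Positional arguments:
#   1 origin address   2 port   3 SNI hostname (sent in the handshake)
#   4 hostname the certificate must match (Fastly "Certificate Hostname")
#   5 CA bundle PEM    6 client certificate PEM   7 client key PEM
#   8 protocol flag such as -tls1_2   9 OpenSSL cipher list
build_s_client_args() {
  local args="s_client -connect $1:$2 -servername $3 -verify_hostname $4"
  if [ -n "$5" ]; then args="$args -CAfile $5"; fi
  if [ -n "$6" ]; then args="$args -cert $6 -key $7"; fi
  if [ -n "$8" ]; then args="$args $8"; fi
  if [ -n "$9" ]; then args="$args -cipher $9"; fi
  printf '%s' "$args"
}

# Extract the numeric verify return code from s_client output on stdin.
# 0 means the chain validated against the CA bundle and the name matched;
# 62 is a hostname mismatch, 18/19/21 are untrusted-chain conditions.
verify_code() {
  sed -n 's/^ *Verify return code: \([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Extract the negotiated "Protocol" or "Cipher" (pass the label as $1) from
# the SSL-Session block of s_client output on stdin.
negotiated() {
  sed -n "s/^ *$1 *: *\([^ ]*\).*/\1/p" | head -n 1
}

# Run one live check, print a one-line verdict, and fail unless the verify
# code is 0. Takes the same nine arguments as build_s_client_args.
check_origin() {
  local args out code proto cipher
  args=$(build_s_client_args "$@")
  # The argument string is word-split on purpose; no option contains spaces.
  out=$(printf '\n' | openssl $args 2>&1) || true
  code=$(printf '%s\n' "$out" | verify_code)
  proto=$(printf '%s\n' "$out" | negotiated Protocol)
  cipher=$(printf '%s\n' "$out" | negotiated Cipher)
  printf 'origin=%s:%s sni=%s cert_host=%s verify=%s protocol=%s cipher=%s\n' \
    "$1" "$2" "$3" "$4" "${code:-none}" "${proto:-none}" "${cipher:-none}"
  [ "${code:-none}" = "0" ]
}

# Constructed s_client output (not captured from a real origin) so the
# parsers can be exercised offline; a live run prints the same fields.
SAMPLE_OUTPUT='CONNECTED(00000003)
depth=1 CN = Example Private CA
verify return:1
depth=0 CN = origin.example.com
verify return:1
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Verify return code: 0 (ok)
---'

# With nine arguments, check a live origin; otherwise parse the sample.
if [ $# -eq 9 ]; then
  check_origin "$@"
else
  printf '%s\n' "$SAMPLE_OUTPUT" | verify_code
  printf '%s\n' "$SAMPLE_OUTPUT" | negotiated Protocol
  printf '%s\n' "$SAMPLE_OUTPUT" | negotiated Cipher
fi

# Live usage (placeholders): a private CA, a client certificate, TLS 1.2 only,
# one cipher suite. Pass '' to skip an optional setting.
#   ./origin-tls-check.sh origin.example.com 8443 origin.example.com \
#     origin.example.com private-ca.pem fastly-client.pem fastly-client.key \
#     -tls1_2 ECDHE-RSA-AES128-GCM-SHA256
```

Run it with the nine arguments shown in the trailing comment to test a live origin. A verify code other than 0 points at the setting to revisit: 62 means the name in the Certificate Hostname is not in the certificate's CN or SANs, 18, 19 or 21 mean the chain does not end in a CA from the bundle (so the TLS CA certificate is missing or wrong), and a handshake that never reaches the SSL-Session block usually means the origin rejected the protocol version, the cipher list or the client certificate.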

