
Using access control lists

Varnish allows you to use Access Control Lists (ACLs), a feature that enables fast matching of a client's IP address against a list of defined IP addresses. An ACL looks like this:

# Who is allowed access ...
acl local {
  "localhost";
  "192.168.1.0"/24; /* and everyone on the local network */
  ! "192.168.1.23"; /* except for the dial-in router */
}

Defining an ACL

Using ACLs requires you to create and add custom VCL to Fastly's boilerplate VCL. To define an ACL in your Fastly configuration:

  1. Ask support to enable custom VCL uploading for your account.
  2. Read about how to mix and match custom VCL with Fastly's VCL.
  3. Create a custom VCL file with your ACL definitions in the appropriate location, using the example below as a guide. You reference the ACL in your configuration (vcl_recv) with a match operation, which can sit above or below #FASTLY recv; the placement only affects the order in which Varnish executes the statements in your configuration.

    # If you are using the "include" keyword
    include "myACL1.vcl";
    
    # And/or if you are using an actual ACL block
    acl local {
      "localhost";
      "192.168.1.0"/24; /* and everyone on the local network */
      ! "192.168.1.23"; /* except for the dial-in router */
    }
    
    sub vcl_recv {
      # block any requests to Admin pages not from local IPs
      if (req.url ~ "^/admin" && client.ip !~ local) {
        error 403 "Forbidden";
      }
    }
    
  4. Upload the file in the Varnish Configuration area of your service.

Shielding Caveats

Be aware that if you've enabled shielding, you need to ensure the client IP check is executed only at the edge node. For example:

sub vcl_recv {
  # block any requests to Admin pages not from local IPs,
  # but only at the edge (Fastly-FF is absent on the first hop)
  if (req.url ~ "^/admin" && client.ip !~ local && !req.http.Fastly-FF) {
    error 403 "Forbidden";
  }
}

client.ip is the source address of the connection to Fastly. With Origin Shielding enabled, that address is overwritten when one Fastly POP connects to another, so at the shield it is the edge POP's address rather than the end user's. The Fastly-FF header in the example above is added by the edge node when it forwards the request, so testing for its absence ensures this check does not run on the shield server.
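To make the ACL definition above and the shielding caveat concrete, here is an added Python model of the vcl_recv logic (example code, not Fastly's or Varnish's). It evaluates the `local` ACL against a request first at the edge POP and then at the shield, where client.ip has become the edge's address and Fastly-FF has been added. Assumptions: "localhost" resolves to 127.0.0.1, the most specific ACL prefix wins when entries overlap (so the negated /32 overrides the /24), and the edge POP address 203.0.113.10 is a constructed placeholder.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass(frozen=True)
class AclEntry:
    network: ipaddress.IPv4Network
    negated: bool = False            # the "!" prefix in VCL

# Model of:  acl local { "localhost"; "192.168.1.0"/24; ! "192.168.1.23"; }
LOCAL_ACL = (
    AclEntry(ipaddress.ip_network("127.0.0.1/32")),                 # "localhost" (assumed)
    AclEntry(ipaddress.ip_network("192.168.1.0/24")),
    AclEntry(ipaddress.ip_network("192.168.1.23/32"), negated=True),
)

def acl_match(acl, client_ip: str) -> bool:
    """client.ip ~ acl: the longest matching prefix decides; a negated hit is a miss."""
    addr = ipaddress.ip_address(client_ip)
    best = None
    for entry in acl:
        if addr in entry.network and (best is None or entry.network.prefixlen > best.network.prefixlen):
            best = entry
    return best is not None and not best.negated

@dataclass
class Request:
    url: str
    client_ip: str                   # client.ip as seen by the POP handling this hop
    headers: dict = field(default_factory=dict)

def vcl_recv(req: Request, shield_aware: bool) -> int:
    """Return 403 if the page's check fires, else 200 (request continues)."""
    if req.url.startswith("/admin") and not acl_match(LOCAL_ACL, req.client_ip):
        # shield_aware=True adds the "&& !req.http.Fastly-FF" guard from the caveat
        if not shield_aware or "Fastly-FF" not in req.headers:
            return 403
    return 200

def edge_then_shield(url: str, client_ip: str, shield_aware: bool) -> int:
    """Run the check at the edge, then at the shield. On the second hop client.ip is the
    edge POP's own address and the edge has added Fastly-FF (constructed value)."""
    if vcl_recv(Request(url, client_ip), shield_aware) == 403:
        return 403
    forwarded = Request(url, "203.0.113.10", {"Fastly-FF": "cache-edge-placeholder"})
    return vcl_recv(forwarded, shield_aware)
```

Without the guard, an allowed local user is wrongly rejected by the shield because the edge's address is not in the ACL; with it, the decision is made once, at the edge.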

You can create different behaviors based on any other attributes from a request as well, such as location and cookie presence.
