Custom VCL for allowing requests

You can use a Fastly Edge ACL list in combination with a custom VCL code snippet to filter incoming requests and allow access by IP address. The ACL list specifies the IP addresses to allow.

Create an allow list to limit access to your Staging environment so that only requests from specified IP addresses for internal developers and approved external services are permitted. You can also create an allow list to secure access to the Magento Admin UI on Staging and Production environments.

The following example shows how to use a custom VCL snippet with a Fastly Access Control List (ACL) to secure access to the Magento Admin UI for a Magento Commerce Cloud project environment. When you add the custom VCL snippet to the Cloud environment, Fastly allows only requests from IP addresses included in the ACL.

For Staging and Integration environments that should not be publicly accessible, you can use the HTTP access control option available in the Magento Cloud Project UI to manage access to the entire site by IP address.

Prerequisites:

  • Ensure that you are running the latest version of the Fastly CDN module for Magento 2. See Upgrade the Fastly Module.

  • Verify the environment configuration for the Fastly service. See Check Fastly caching.

  • You must have Admin credentials to access the Magento Cloud Staging and Production environments.

  • List of client IP addresses to include on the allow list

Create Edge ACL for allowing client IPs

Edge ACLs create IP address lists for managing access to your site. In this example, you create an Edge ACL and add the list of client IP addresses allowed to access the Magento Admin UI for your project environment.

  1. Log in to the Magento Admin UI.

  2. Click Stores > Settings > Configuration > Advanced > System.

  3. Expand Full Page Cache > Fastly Configuration > ACL.

  4. Create the ACL container:

    • Click Add ACL.

    • On the ACL Container page, enter an ACL name: allowlist.

    • Select Activate after the change to deploy your changes to the version of the Fastly service configuration that you are editing.

    • Click Upload to attach the ACL to your Fastly service configuration.

  5. Add the list of IP addresses allowed to access the Magento Admin UI:

    • Click the Settings icon for the allowlist ACL.

    • Add and save the IP Value for each client IP address.

    • Click Cancel to return to the system configuration page.

  6. Click Save Config.

  7. Refresh the cache according to the notification at the top of the page.

Create the custom VCL snippet to secure Magento Admin UI access

The following custom VCL snippet code (JSON format) shows the logic to filter requests to the Magento Admin UI and allow access if the client IP address matches an address in the allowlist ACL.

{
  "name": "allowlist",
  "dynamic": "0",
  "type": "recv",
  "priority": "5",
  "content": "if ((req.url ~ \"^/admin\") && !(client.ip ~ allowlist) && !req.http.Fastly-FF) { error 403 \"Forbidden\"; }"
}

Before creating your own snippet from this example, review the values to determine whether you need to make any changes:

  • name — Name for the VCL snippet. For this example, allowlist.

  • priority — Determines when the VCL snippet runs. The priority is 5 so that the snippet runs immediately and checks whether Magento Admin UI requests are coming from an allowed IP address. The snippet runs before any of the default Magento VCL snippets (magentomodule_*), which are assigned a priority of 50. You must set the priority for each custom snippet higher or lower than 50 depending on when you want your snippet to run. Snippets with lower priority numbers run first.

  • type — Specifies a location to insert the snippet in the versioned VCL code. This VCL is a recv snippet type which adds the snippet code to the vcl_recv subroutine below the default Fastly VCL code and above any objects.

  • content — The snippet of VCL code to run. In this example, the code filters requests to the Magento Admin UI and allows access if the client IP address matches an address in the allowlist ACL. If the address does not match, the request is blocked with a 403 Forbidden error.

    If the URL for your Magento Admin UI was changed, replace the sample value /admin with the URL for your environment. For example, /company-admin.

In the code sample, the condition !req.http.Fastly-FF is important when using Origin Shielding. Do not remove or edit this code.
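
Added example (not part of the original page or of the Fastly module): a Python helper that rebuilds the snippet JSON for a custom Admin path and models the condition, so you can check before upload which requests would receive the 403. The function names, the via_fastly flag and the sample addresses are assumptions made for illustration.

```python
import ipaddress
import json
import re

VCL = ('if ((req.url ~ "^{path}") && !(client.ip ~ {acl}) && '
       '!req.http.Fastly-FF) {{ error 403 "Forbidden"; }}')

def build_snippet(admin_path="/admin", acl="allowlist", priority=5):
    """Return (file_name, json_text) for the recv snippet shown on this page."""
    # Only characters with no regex meaning, so the path needs no escaping.
    if not re.fullmatch(r"/[A-Za-z0-9_/-]+", admin_path):
        raise ValueError("admin_path must look like /company-admin")
    if not re.fullmatch(r"[A-Za-z][A-Za-z0-9_]*", acl):
        raise ValueError("ACL name must be a plain identifier")
    # Below 50 so the check runs before the magentomodule_* snippets.
    if not 0 < priority < 50:
        raise ValueError("priority must be between 1 and 49")
    snippet = {
        "name": acl,  # assumption: snippet named after the ACL, as on the page
        "dynamic": "0",
        "type": "recv",
        "priority": str(priority),
        "content": VCL.format(path=admin_path, acl=acl),
    }
    # json.dumps escapes the inner double quotes of the VCL string.
    return f"recv_{priority}_{acl}.vcl", json.dumps(snippet, indent=2)

def would_block(url, client_ip, allowed, admin_path="/admin", via_fastly=False):
    """Model of the condition: True means the edge answers 403 Forbidden."""
    ip = ipaddress.ip_address(client_ip)
    in_acl = any(ip in ipaddress.ip_network(entry) for entry in allowed)
    # via_fastly stands for "the request carries a Fastly-FF header".
    return url.startswith(admin_path) and not in_acl and not via_fastly

if __name__ == "__main__":
    allowed = ["203.0.113.7", "198.51.100.0/24"]  # constructed sample ACL
    name, payload = build_snippet("/company-admin")
    print(name)
    print(payload)
    print(would_block("/company-admin/dashboard", "192.0.2.10", allowed,
                      "/company-admin"))
```

Because the pattern is anchored only at the start, the model also reports any other URL that begins with the Admin path (for example /administrator with the default /admin) as covered by the check.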

After reviewing and updating the code for your environment, use either of the following methods to add the custom VCL snippet to your Fastly service configuration:

Add the custom VCL snippet

  1. Log in to the Magento Admin UI.

  2. Click Stores > Settings > Configuration > Advanced > System.

  3. Expand Full Page Cache > Fastly Configuration > Custom VCL Snippets.

  4. Click Create Custom Snippet.

  5. Add the VCL snippet values:

    • Name: allowlist

    • Type: recv

    • Priority: 5

    • Add the VCL snippet content:

      if ((req.url ~ "^/admin") && !(client.ip ~ allowlist) && !req.http.Fastly-FF) { error 403 "Forbidden"; }

  6. Click Create to generate the VCL snippet file with the name pattern type_priority_name.vcl, for example recv_5_allowlist.vcl.

  7. After the page reloads, click Upload VCL to Fastly in the Fastly Configuration section to add the file to the Fastly service configuration.

  8. After the upload completes, refresh the cache according to the notification at the top of the page.

Fastly validates the updated version of the VCL code during the upload process. If the validation fails, edit the custom VCL snippet to fix the issue. Then, upload the VCL again.

Modify the custom VCL snippet

  1. Log in to the Magento Admin UI.

  2. Click Stores > Settings > Configuration > Advanced > System.

  3. Expand Full Page Cache > Fastly Configuration > Custom VCL Snippets.

  4. In the Action column, click the settings icon next to the snippet to edit.

  5. After the page reloads, click Upload VCL to Fastly in the Fastly Configuration section.

  6. After the upload completes, refresh the cache according to the notification at the top of the page.

The Custom VCL snippets UI option shows only the snippets added through the Admin UI. You must use the Fastly API to manage custom snippets added through the API.

Delete the custom VCL snippet

You can delete custom VCL snippet code from your Fastly configuration by uploading an empty version of the snippet from the Magento Admin UI, or delete it completely using the Fastly API.

  • Upload an empty version of the snippet file to Fastly to remove the VCL logic from the active VCL version:

    • Edit the snippet and delete the VCL snippet content.
    • Save the configuration.
    • Upload the VCL to Fastly to apply your changes.
  • Use the Fastly API Delete custom VCL snippet operation to delete the snippet completely, or submit a Magento support ticket to request deletion.

Instead of manually uploading custom VCL snippets, you can add snippets to the $MAGENTO_CLOUD_APP_DIR/var/vcl_snippets_custom directory in your environment. Snippets in this directory upload automatically when you click Upload VCL to Fastly in the Magento Admin UI. See Automated custom VCL snippets deployment in the Fastly CDN for Magento 2 module documentation.