Custom VCL for allowing requests
You can use a Fastly Edge ACL list with a custom VCL code snippet to filter incoming requests and allow access by IP address. The ACL list specifies the IP addresses to allow.
Create an allowlist to limit access to your Staging environment so that only requests from specified IP addresses for internal developers and approved external services are permitted. You can also create an allowlist to secure access to the Admin on Staging and Production environments.
The following example shows how to use a custom VCL snippet with a Fastly Access Control List (ACL) to secure access to the Admin for an Adobe Commerce on cloud infrastructure project environment. When you add the custom VCL snippet to the Cloud environment, Fastly allows only requests from IP addresses included in the ACL.
Prerequisites:
-
Your environment must be configured to use the Fastly CDN. See Configure Fastly services.
-
Ensure that you are running the latest version of the Fastly CDN module for Magento 2. See Upgrade the Fastly Module.
-
Verify the environment configuration for the Fastly service. See Check Fastly caching.
-
You must have Admin credentials to access the Staging and Production environments.
-
List of client IP addresses to include on the allowlist
Create Edge ACL for allowing client IP addresses
Edge ACLs create IP address lists for managing access to your site. In this example, you create an Edge ACL and add the list of client IP addresses allowed to access the Admin for your project environment.
-
Log in to the Admin.
-
Click Stores > Settings > Configuration > Advanced > System.
-
Expand Full Page Cache > Fastly Configuration > Edge ACL.
-
Create the ACL container:
-
Click Add ACL.
-
On the ACL Container page, enter an ACL name—
allowlist
. -
Select Activate after the change to deploy your changes to the version of the Fastly service configuration that you are editing.
-
Click Upload to attach the ACL to your Fastly service configuration.
-
-
Add the list of IP addresses allowed to access the Admin:
-
Click the Settings icon for the
allowlist
ACL. -
Add and save the IP Value for each client IP address.
-
Click Cancel to return to the system configuration page.
-
-
Click Save Config.
-
Refresh the cache according to the notification at the top of the page.
Create the custom VCL snippet to secure Admin access
The following custom VCL snippet code (JSON format) shows the logic to filter requests to the Admin and allow access if the client IP address matches an address in the allowlist
ACL.
{
"name": "allowlist",
"dynamic": "0",
"type": "recv",
"priority": "5",
"content": "if ((req.url ~ \"^/admin\") && !(client.ip ~ allowlist) && !req.http.Fastly-FF) { error 403 \"Forbidden\"; }"
}
Before creating a custom snippet from this example, review the values to determine whether you need to make any changes. Then enter each value into the respective fields, such as type
into the Type field, content
into the Content field.
-
name
— Name for the VCL snippet. For this example,allowlist
. -
priority
— Determines when the VCL snippet runs. The priority is5
to immediately run and check whether an Admin requests are coming from an allowed IP address. The snippet runs before any of the default Magento VCL snippets (magentomodule_*
) assigned a priority of 50. Set the priority for each custom snippet higher or lower than 50 depending on when you want your snippet to run. Snippets with lower priority numbers run first. -
type
— Specifies a location to insert the snippet in the versioned VCL code. This VCL is arecv
snippet type which adds the snippet code to thevcl_recv
subroutine below the default Fastly VCL code and above any objects. -
content
— The snippet of VCL code to run. In this example, the code filters requests to the Admin and allows access if the client IP address matches an address in theallowlist
ACL. If the address does not match, the request is blocked with a403 Forbidden
error.If the URL for your Admin was changed, replace the sample value
/admin
with the URL for your environment. For example,/company-admin
.
In the code sample, the condition !req.http.Fastly-FF
is important when using Origin Shielding. Do not remove or edit this code.
After reviewing and updating the code for your environment, use either of the following methods to add the custom VCL snippet to your Fastly service configuration:
-
Add the custom VCL snippet from the Admin. This method is recommended if you can access the Admin. (Requires Fastly CDN module for Magento 2 version 1.2.58 or later.)
-
Save the JSON code example to a file (for example,
allowlist.json
) and upload it using the Fastly API. Use this method if you cannot access the Admin.
Add the custom VCL snippet
-
Log in to the Admin.
-
Click Stores > Settings > Configuration > Advanced > System.
-
Expand Full Page Cache > Fastly Configuration > Custom VCL Snippets.
-
Click Create Custom Snippet.
-
Add the VCL snippet values:
-
Name —
allowlist
-
Type —
recv
-
Priority —
5
-
Add the VCL snippet content:
code language-conf if ((req.url ~ "^/admin") && !(client.ip ~ allowlist) && !req.http.Fastly-FF) { error 403 "Forbidden";}
-
-
Click Create to generate the VCL snippet file with the name pattern
type_priority_name.vcl
, for examplerecv_5_allowlist.vcl
-
After the page reloads, click Upload VCL to Fastly in the Fastly Configuration section to add the file to the Fastly service configuration.
-
After the upload completes, refresh the cache according to the notification at the top of the page.
Fastly validates the updated version of the VCL code during the upload process. If the validation fails, edit the custom VCL snippet to fix the issue. Then, upload the VCL again.
Modify the custom VCL snippet
-
Log in to the Admin.
-
Click Stores > Settings > Configuration > Advanced > System.
-
Expand Full Page Cache > Fastly Configuration > Custom VCL Snippets.
-
In the Action column, click the settings icon next to the snippet to edit.
-
After the page reloads, click Upload VCL to Fastly in the Fastly Configuration section.
-
After the upload completes, refresh the cache according to the notification at the top of the page.
Delete the custom VCL snippet
-
Log in to the Admin.
-
Click Stores > Settings > Configuration > Advanced > System.
-
Expand Full Page Cache > Fastly Configuration > Custom VCL Snippets.
-
In the Action column, click the trash icon next to the snippet to delete.
-
On the next modal window, click DELETE and activate a new version.