|
1 | 1 | # vcl_init
|
2 | 2 |
|
3 |
| -backend F_dummy_origin { |
| 3 | +# noop backend is used so that the NGWAF may quickly inspect requests that are cache HIT. |
| 4 | +backend F_noop_origin { |
4 | 5 | .between_bytes_timeout = 10s;
|
5 | 6 | .connect_timeout = 1s;
|
6 | 7 | .first_byte_timeout = 1s;
|
7 | 8 | .host = "127.0.0.1";
|
8 | 9 | .max_connections = 200;
|
9 |
| - .port = "80"; |
| 10 | + .port = "443"; |
| 11 | + .ssl = true; |
| 12 | + .max_tls_version = "1.3"; |
| 13 | + .min_tls_version = "1.3"; |
| 14 | + .ssl_cert_hostname = "127.0.0.1"; |
| 15 | + .ssl_check_cert = always; |
| 16 | + .ssl_sni_hostname = "127.0.0.1"; |
10 | 17 | }
|
11 | 18 |
|
| 19 | +# force cluster for all requests and on restarts. https://www.fastly.com/documentation/guides/vcl/clustering/#enabling-and-disabling-clustering |
12 | 20 | sub vcl_recv {
|
13 | 21 | set req.http.Fastly-Force-Shield = "1";
|
14 | 22 | }
|
15 | 23 |
|
| 24 | +# On cache hit, send the request to NGWAF |
16 | 25 | sub vcl_hit {
|
17 |
| - if (req.restarts < 1) { |
18 |
| - set req.http.is-hit = "true"; |
| 26 | + if (req.restarts < 1 |
| 27 | + && !req.http.X-SigSci-No-Inspection) { |
| 28 | + # Exclude static files from cache HIT NGWAF inspection |
| 29 | + if (!(req.url.ext ~ "(?i)^(js|css|tff|woff|ico|png|jpg|jpeg)$")) { |
| 30 | + set req.http.X-SigSci-Cached-Inspect = "HIT"; |
19 | 31 | return(pass);
|
| 32 | + } |
20 | 33 | }
|
21 | 34 | }
|
22 | 35 |
|
| 36 | +# When there is a cache HIT, set the noop backend origin. |
23 | 37 | sub vcl_pass {
|
24 |
| - if (req.http.is-hit == "true") { |
25 |
| - set req.backend = F_dummy_origin; |
| 38 | + if (req.http.X-SigSci-Cached-Inspect == "HIT") { |
| 39 | + set req.backend = F_noop_origin; |
26 | 40 | }
|
27 | 41 | }
|
28 | 42 |
|
| 43 | +# If BLOCKED or CHALLENGED is present, then return that response to the client |
| 44 | +# If there is no action, then restart and serve content from cache |
29 | 45 | sub vcl_fetch {
|
30 |
| - if (req.http.is-hit == "true") { |
31 |
| - if (req.restarts < 1) { |
32 |
| - # unset the req header before trying to set it to prevent spoofing |
33 |
| - unset req.http.ngwaf-action; |
34 |
| - # If BLOCKED is not present, then do a restart |
35 |
| - if (beresp.http.x-sigsci-tags ~ "BLOCKED") { |
36 |
| - set req.http.ngwaf-action = "1"; |
37 |
| - } |
38 |
| - # If CHALLENGED is present, then do NOT restart |
39 |
| - if (beresp.http.x-sigsci-tags ~ "CHALLENGED") { |
40 |
| - set req.http.ngwaf-action = "1"; |
41 |
| - } |
42 |
| - |
43 |
| - # If there is no action, then restart and serve content from cache |
44 |
| - if (req.http.ngwaf-action != "1") { |
45 |
| - set req.http.x-restart-reason = "ngwaf-action=none"; |
46 |
| - restart; |
47 |
| - } |
48 |
| - } |
| 46 | + if (req.http.X-SigSci-Cached-Inspect == "HIT" |
| 47 | + && req.restarts < 1 |
| 48 | + && !(beresp.http.X-SigSci-Tags ~ "(BLOCKED|CHALLENGED)")) { |
| 49 | + set req.http.x-restart-reason = "ngwaf-action=none"; |
| 50 | + restart; |
49 | 51 | }
|
50 | 52 | }
|
51 |
| - |
52 |
| -# sub vcl_deliver { |
53 |
| -# # stash response headers in request so they can be used in logging when using shielding |
54 |
| -# if(fastly.ff.visits_this_service == 0){ |
55 |
| -# set resp.http.sigsci-agentresponse = resp.http.x-sigsci-agentresponse; |
56 |
| -# set resp.http.sigsci-decision-ms = resp.http.x-sigsci-decision-ms; |
57 |
| -# set resp.http.sigsci-tags = resp.http.x-sigsci-tags; |
58 |
| -# } |
59 |
| -# } |
60 |
| - |
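Review bot: The new vcl_hit and vcl_pass branches key off `req.http.X-SigSci-No-Inspection` and `req.http.X-SigSci-Cached-Inspect`, but nothing in this hunk strips those headers from the incoming request, so a client could send `X-SigSci-No-Inspection` to skip the cache-HIT inspection or `X-SigSci-Cached-Inspect: HIT` on a pass request to route it to the noop origin; the removed vcl_fetch code carried an explicit "unset ... to prevent spoofing" for exactly this class of header. Unless they are cleared elsewhere in the service, add to vcl_recv, before the Fastly-Force-Shield line, `if (fastly.ff.visits_this_service == 0) { unset req.http.X-SigSci-No-Inspection; unset req.http.X-SigSci-Cached-Inspect; }` (the ff guard keeps the edge-to-shield hop intact if the NGWAF integration itself sets these headers upstream of this file). Separately, the extension regex in vcl_hit lists `tff`, which looks like a typo for `ttf`, so TrueType font requests would still be sent for inspection. It is also worth a comment on F_noop_origin that with `.ssl_check_cert = always` against 127.0.0.1 the fetch is presumably expected to fail, and a failed fetch is handled in vcl_error rather than vcl_fetch, so the restart logic in vcl_fetch may not run on that path; confirm this matches the intended flow.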