Performing a Conditional GET for Cache Hits


I’d like to configure Fastly to perform a conditional GET to our origin for every cache-hit to validate a portion of the URL which is not in the Fastly cache-key.

We’re using signed URLs that must be validated at our origin. Two URLs for the same content might generate the same Fastly cache-key but have different signatures. I’ve written the VCL to construct the Fastly cache-key from the decoded signature in the URL.

So, for cache-hits Fastly should perform a conditional GET that essentially just validate the signed URL at the origin and responds with an HTTP 304 if the signature is valid; if the signature is invalid (expired, tampered with, etc) then an HTTP 401 is returned, but does not purge the cache-key from Fastly.

Is this possible with VCL?