Performing a Conditional GET for Cache Hits


I’d like to configure Fastly to perform a conditional GET to our origin for every cache-hit to validate a portion of the URL which is not in the Fastly cache-key.

We’re using signed URLs that must be validated at our origin. Two URLs for the same content might generate the same Fastly cache-key but have different signatures. I’ve written the VCL to construct the Fastly cache-key from the decoded signature in the URL.

So, for cache-hits Fastly should perform a conditional GET that essentially just validate the signed URL at the origin and responds with an HTTP 304 if the signature is valid; if the signature is invalid (expired, tampered with, etc) then an HTTP 401 is returned, but does not purge the cache-key from Fastly.

Is this possible with VCL?


Hi Skidder,

Apologies for not getting back to you here. It’s an interesting question, you’d be changing the typical VCL flow as shown below and it’d likely be more complex than implementing the signing separately between Fastly and client then Fastly to the origin. I’d be interested in hearing more if there is a specific case use for this?

Typical flow:

Note that this would have fairly significant performance detriments as you’d be contacting the origin each time. It would seem more beneficial to move the URL signing potion to Fastly so that the verification is performant (not to mention, lessening the load on the origin). We have UUID and Cryptographic functions documented here:

Also we have some similar VCL examples here:
AWS S3 protected backend (sig v4) -
Authenticating JSON web tokens at the edge -

If you need specific support. Please send a ticket into and we’ll be happy to help further.