Set up a purge ACL


#1

How do I set up an access control list so that only people in my office network can purge files on Fastly?


#2

First of all you define the ACL:

    acl office {
        "203.0.113.0"/24; /* if you're lucky enough to have a whole /24 assigned */
        "198.51.100.0";   /* if your whole office is just behind a single NAT IP */
    }

Then in vcl_recv you put:

    if (req.request == "FASTLYPURGE" /* check that the request is a purge */
        && !(client.ip ~ office)) {  /* and that the requesting IP is not within the ACL */
        error 403 "Access Denied";
    }

The reason to not just do an else with return(lookup) is that there might be changes to the request made in vcl_recv further down, and if you skip those the purge will fail.
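
The decision made by the ACL and the vcl_recv check above, modelled offline as an added example (not part of the original answer, and not Fastly's code): it parses the acl block and reports which requests would receive the 403. The names parse_acl and recv_status and the sample requests are constructed for illustration, and only the two entry forms shown above (with and without a mask) are handled.

```python
import ipaddress
import re

# The ACL from the answer above, copied as VCL source text.
VCL_ACL = '''
acl office {
    "203.0.113.0"/24; /* if you're lucky enough to have a whole /24 assigned */
    "198.51.100.0";   /* if your whole office is just behind a single NAT IP */
}
'''

ENTRY = re.compile(r'"([^"]+)"(?:\s*/\s*(\d+))?\s*;')

def parse_acl(vcl, name):
    """Return the networks listed in `acl <name> { ... }` (hypothetical helper)."""
    vcl = re.sub(r'/\*.*?\*/', '', vcl, flags=re.S)  # strip /* ... */ comments
    block = re.search(r'\bacl\s+' + re.escape(name) + r'\s*\{(.*?)\}', vcl, re.S)
    if block is None:
        raise ValueError(f"acl {name!r} not found")
    nets = []
    for addr, mask in ENTRY.findall(block.group(1)):
        ip = ipaddress.ip_address(addr)
        # An entry without a mask matches that single address only.
        prefix = int(mask) if mask else ip.max_prefixlen
        nets.append(ipaddress.ip_network(f"{addr}/{prefix}", strict=False))
    return nets

def recv_status(method, client_ip, acl):
    """Mirror the vcl_recv check: 403 for a purge from outside the ACL,
    None when the request falls through to the rest of vcl_recv."""
    ip = ipaddress.ip_address(client_ip)
    if method == "FASTLYPURGE" and not any(ip in net for net in acl):
        return 403
    return None

if __name__ == "__main__":
    office = parse_acl(VCL_ACL, "office")
    # Constructed sample requests (documentation address ranges).
    for method, ip in [("FASTLYPURGE", "203.0.113.77"),
                       ("FASTLYPURGE", "198.51.100.0"),
                       ("FASTLYPURGE", "198.51.100.1"),
                       ("FASTLYPURGE", "192.0.2.10"),
                       ("GET", "192.0.2.10")]:
        print(method, ip, recv_status(method, ip, office) or "continues in vcl_recv")
```

Note that 198.51.100.1 is rejected: the second ACL entry has no mask, so it covers only the single NAT address.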