TLS exception for specific asset



We are encountering an issue where podcast mp3 requests are encountering an SSL protocol error for certain users who are using outdated podcast players. To alleviate this issue, I would like to allow non-SSL requests for these podcast mp3 resources through Fastly. All other requests should still fall back to TLS.

How would I go about writing a VCL snippet to allow this behavior? I see this line in vcl_recv is forcing the TLS connection:

# Fastly sets req.http.Fastly-SSL on requests that arrived over TLS;
# anything without it is bounced into vcl_error with a custom status.
if (!req.http.Fastly-SSL) {
    error 801 "Force SSL";
}

which redirects to vcl_error

if (obj.status == 801) {
    set obj.status = 301;
    set obj.response = "Moved Permanently";
    # The redirect target needs the host as well as the path, otherwise
    # the Location header would be "https:///path".
    set obj.http.Location = "https://" req.http.host req.url;
    synthetic {""};
    return (deliver);
}

Would it be as simple as creating another condition in vcl_recv that checks for the mp3 extension and then fetches from origin? Any suggestions would be appreciated.



A simpler method might be to add the check for the mp3 extension to the condition such as:

# Exact comparison on the extension rather than an unanchored regex,
# so only ".mp3" is exempted from the TLS redirect.
if (!req.http.Fastly-SSL && req.url.ext != "mp3") {
    error 801 "Force SSL";
}

As a safety measure, though, you should probably create a new pair of snippets to capture requests for the mp3 objects that come in via TLS already and redirect them back to http. Essentially the inverse of what we have here.
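The complete recv/error pair the answer describes, as an added example that is not code from this thread or from Fastly: it keeps the Force-TLS redirect for everything except mp3 files and sends mp3 requests that arrive over TLS back to plain http. It is written as full subroutines for readability; in a Fastly service the same bodies go into recv and error snippets, and status 802 is an assumed, unused custom code.

```vcl
# Added example (not the thread's code). Assumes req.url.ext holds the bare
# file extension and that 802 is free for use as a custom error status.

sub vcl_recv {
  if (req.url.ext == "mp3") {
    # mp3 that arrived over TLS: downgrade to http for the legacy players.
    if (req.http.Fastly-SSL) {
      error 802 "Downgrade mp3 to HTTP";
    }
    # mp3 over plain http falls through and is fetched normally.
  } else {
    # Everything else is still forced onto TLS.
    if (!req.http.Fastly-SSL) {
      error 801 "Force SSL";
    }
  }
}

sub vcl_error {
  if (obj.status == 801) {
    set obj.status = 301;
    set obj.response = "Moved Permanently";
    set obj.http.Location = "https://" req.http.host req.url;
    synthetic {""};
    return (deliver);
  }
  if (obj.status == 802) {
    # 302 rather than 301 so clients do not cache the downgrade permanently;
    # the exception can then be removed once the old players are retired.
    set obj.status = 302;
    set obj.response = "Found";
    set obj.http.Location = "http://" req.http.host req.url;
    synthetic {""};
    return (deliver);
  }
}
```

If the site sends a Strict-Transport-Security header, HSTS-aware clients will refuse the http Location and re-request over https, producing a redirect loop for them. Serve the mp3 files from a hostname not covered by HSTS, or keep the downgrade limited to clients that never received the header.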