style

content

Fastly Setup

The following screenshots illustrate how to configure Fastly to deliver content. Essential settings are marked with a red circle.

https://main--helix-website--adobe.aem.page/docs/setup-byo-cdn-push-invalidation-for-fastly

Create a Fastly service

Go to the Fastly Management UI and select Create Service, CDN.

Add Domain

Add your production domain (e.g. www.mydomain.com):

Configure Origin

Add your origin (e.g. main--mysite--hlxsites.aem.live) and keep the default settings for:

Override default host
Default compression
Force TLS & HSTS

In the new configuration, click "Edit configuration" in the top right corner and "clone version 1 to edit".

In the sidebar, select "Hosts" underneath "Origins" and click the pencil icon to change host settings.

Scroll down and change Shielding to Ashburn Metro (IAD) (non-mandatory but recommended setting):

Don't forget to "update".

Create VCL Snippets

Create a VCL snippet for the recv subroutine with the following VCL code:

if (fastly.ff.visits_this_service == 0) {
  # edge delivery node
  if (req.url.qs != "") {
    # remember query string
    set req.http.X-QS = req.url.qs;

    if (req.url.path !~ "/media_[0-9a-f]{40,}[/a-zA-Z0-9_-]*\.[0-9a-z]+$" 
      && req.url.ext !~ "(?i)^(gif|png|jpe?g|webp)$"
      && req.url.ext != "json"
      && req.url.path != "/.auth") {
      # strip query string from request url
      set req.url = req.url.path;
    }
  }
}

Create additional VCL snippets for the miss and pass subroutines with the following VCL code:

set bereq.http.X-BYO-CDN-Type = "fastly";
set bereq.http.X-Push-Invalidation = "enabled";

Note: The X-Push-Invalidation: enabled request header enables the push invalidation including long cache TTLs.

Create a deliver snippet with the following VCL code:

if (fastly.ff.visits_this_service == 0) {
  # on edge delivery node
  if (
    http_status_matches(resp.status, "301,302,303,307,308")
    && req.http.X-QS
    && resp.http.location
    && resp.http.location !~ "\?.*\z"
  ) {
    # preserve request query string in redirect location
    set resp.http.location = resp.http.location "?" req.http.X-QS;
  }
}

Finally create a deliver snippet with the following VCL code:

unset resp.http.Age;

if (req.url.path !~ "\.plain\.html$") {
  unset resp.http.X-Robots-Tag;
}

After completing all steps and activating the service version you should be all set:

Optional: Authenticate Origin Requests

If you have enabled token-based Site Authentication, navigate in the sidebar to Content → Headers, then "create a header" with following settings:

Name: Origin Authentication
Type: Request/Set
Destination: http.Authorization
Source: "token <your-token-here>" (don't forget the quotes, and replace <your-token-here> with the site token retrieved in token-based Site Authentication – the token starts with hlx_)
Ignore if set: no
Priority: 10

Note

Your Fastly setup should not use Fastly’s Next Generation Web Application Firewall for requests that are going against aem.live or any other Edge Delivery Services origin. Enabling WAF with Edge Delivery Services can lead to erroneous content being delivered.

Edge Delivery Services needs no Web Application Firewall, as it is running on hardened, shared, and ultra-scalable infrastructure. Requests that a WAF would typically intercept are terminated in our CDNs.