Home Explore Help
Sign In
mastodon
/
terraform-fastly-service
mirror of https://github.com/mastodon/terraform-fastly-service
Watch 2
Star 0
Fork 0
Files Issues 0 Wiki
Tree: 6f87dffd0e
Branches Tags
terraform-fa...
/
vcl
/
sigsci_config.vcl

sigsci_config.vcl 2.5 KB
History Raw

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283 
  1. backend F_sigsci_waf {
    2. 

  2. 	.always_use_host_header = true;
    3. 

  3. 	.between_bytes_timeout = 60s; # real timeouts are in waf
    4. 

  4. 	.connect_timeout = 1s;
    5. 

  5. 	.dynamic = true;
    6. 

  6. 	.first_byte_timeout = 600s; # real timeouts are in waf
    7. 

  7. 	.host = "${host}";
    8. 

  8. 	.host_header = "${host}";
    9. 

  9. 	.max_connections = 200;
    10. 

  10. 	.port = "443";
    11. 

  11. 	.share_key = "${shared_key}";
    12. 

  12. 	.ssl = true;
    13. 

  13. 	.ssl_cert_hostname = "${host}";
    14. 

  14. 	.ssl_check_cert = always;
    15. 

  15. 	.ssl_sni_hostname = "${host}";
    16. 

  16. 	.probe = {
    17. 

  17. 		.dummy = false; # this is a real healthcheck for fail open
    18. 

  18. 		.initial = 1;
    19. 

  19. 		.interval = 12s;
    20. 

  20. 		.request = "HEAD / HTTP/1.1" "Host: ${host}" "Connection: close" "x-sigsci-backend: health check" "x-sigsci-host: host health check";
    21. 

  21. 		.expected_response = 200;
    22. 

  22. 		.threshold = 1;
    23. 

  23. 		.timeout = 2s;
    24. 

  24. 		.window = 5;
    25. 

  25. 	}
    26. 

  26. }
    27. 

  27. 

  28. sub edge_security {
    29. 

  29. 	if (!req.backend.is_origin) {
    30. 

  30. 		return;
    31. 

  31. 	}
    32. 

  32. 

  33. 	if (!backend.F_sigsci_waf.healthy) {
    34. 

  34. 		set bereq.http.x-sigsci-no-inspection = "unhealthy_waf";
    35. 

  35. 	}
    36. 

  36. 	
    37. 

  37. 	# if the Enabled key is absent then default to Enabled=0%
    38. 

  38. 	if (bereq.http.x-sigsci-no-inspection || !randombool(std.atoi(table.lookup(Edge_Security, "Enabled", "0")), 100)) {
    39. 

  39. 		unset bereq.http.x-sigsci-no-inspection;
    40. 

  40. 		unset bereq.http.x-sigsci-requestid;
    41. 

  41. 		unset bereq.http.x-sigsci-tlscipher;
    42. 

  42. 		unset bereq.http.x-sigsci-tlsprotocol;
    43. 

  43. 		unset bereq.http.x-sigsci-bot-data;
    44. 

  44. 		return;
    45. 

  45. 	}
    46. 

  46. 

  47. 	if (!waf.executed) {
    48. 

  48. 		set bereq.http.x-sigsci-backend = regsub(req.backend, "^[a-zA-Z0-9]+--(?:F_)?", "");
    49. 

  49. 		set bereq.http.x-sigsci-host = bereq.http.host;
    50. 

  50. 		set bereq.http.x-sigsci-scheme = req.protocol;
    51. 

  51. 		if (!bereq.http.x-sigsci-ip-address) {
    52. 

  52. 			set bereq.http.x-sigsci-ip-address = req.http.fastly-client-ip;
    53. 

  53. 		}
    54. 

  54. 		set bereq.http.x-sigsci-protocol = req.proto;
    55. 

  55. 		set bereq.http.x-sigsci-serviceid = req.service_id;
    56. 

  56. 		set bereq.http.x-sigsci-edgemodule = "vcl 1.11.1";
    57. 

  57. 		set req.backend = F_sigsci_waf;
    58. 

  58. 		set waf.executed = true;
    59. 

  59. 	}
    60. 

  60. }
    61. 

  61. 

  62. sub vcl_recv {
    63. 

  63. 	if (req.restarts == 0) {
    64. 

  64. 		if (fastly.ff.visits_this_service == 0) {
    65. 

  65. 			set req.http.fastly-client-ip = client.ip;
    66. 

  66. 			set req.http.x-sigsci-tlscipher = tls.client.cipher;
    67. 

  67. 			set req.http.x-sigsci-tlsprotocol = tls.client.protocol;
    68. 

  68. 			set req.http.x-sigsci-bot-data = {"{"}
    69. 

  69. 				{""a":"} client.as.number {","}
    70. 

  70. 				{""c":""} tls.client.ciphers_list {"","}
    71. 

  71. 				{""e":""} tls.client.tlsexts_list {"","}
    72. 

  72. 				{""h":""} fastly_info.h2.fingerprint {"","}
    73. 

  73. 				{""j":""} tls.client.ja3_md5 {"""}
    74. 

  74. 			{"}"};
    75. 

  75. 		}
    76. 

  76. 

  77. 		unset req.http.x-sigsci-ip-address;
    78. 

  78. 		unset req.http.x-sigsci-no-inspection;
    79. 

  79. 

  80. 		set req.http.x-sigsci-requestid = uuid.version4();
    81. 

  81. 	}
    82. 

  82. }
    83. 

  83.