Upgrade to Fastly VCL v11
Before We Start
The HUMAN Fastly VCL Enforcer consists of a number of different components: VCL files, snippets, and logging endpoints. The majority of the Fastly VCL enforcer logic is housed in four VCL files that need to be uploaded to your service:
| Filename | VCL Name | Description |
|---|---|---|
| main.vcl | MAIN | Fastly's default main VCL with HUMAN logic already integrated. This file can be used as the main VCL file for Fastly services that don't have one, or as a basic example for how to integrate the HUMAN logic into an existing main VCL file. |
| px.vcl | PX | All HUMAN core logic. This file should not be customized or modified in any way. |
| px_configs.vcl | PX_CONFIGS | Contains enforcer configuration table and additional backend configs. This file can be modified based on the desired enforcer configuration. |
| px_custom.vcl | PX_CUSTOM | Contains enforcer custom code, defined custom behavior, and enforcer features. This file can be modified based on the desired enforcer configuration or desired custom logic that should be executed within the enforcer. |
Before Starting
These 3 custom VCL files will be provided to you by a HUMAN Solution Architect:
- px.vcl
- px_configs.vcl
- px_custom.vcl
To ensure that you are taking advantage of the latest features, several configurations and deploy changes need to be made in order to upgrade your Fastly VCL Enforcer to version 11. This document serves as a comprehensive guide to the changes that must be made.
1. Add Async Activities and Telemetry logging endpoints.
This change is required if upgrading from version <9.x.
Instead of using a Syslog log streaming endpoint, we've changed our async activities and telemetry logs to use Fastly's HTTP logging endpoint.
This change requires removing the older PX-Syslog logging endpoint and configuring two new logging endpoints instead. For more information about Fastly log streaming, see here.
Delete the PX-Syslog Logging Endpoint
- In your Fastly service, go to "Logging" tab.
- Delete the TCP logging endpoint named PX-Syslog.
Add the Async Activities Logging Endpoint
-
On your Fastly service, go to "Logging" tab
-
Add a new Logging endpoint with the information below:
- Name: PX-Async-Activities
- URL:
https://collector-<px_app_id>.perimeterx.net/api/v1/collector/s2s - Placement: none
- Maximum bytes: 500000
- Advanced options:
- Content type - application/json
- JSON log entry format - Array of JSON
- All other fields: No change is needed, use the default values.
Add the Telemetry Logging Endpoint
-
On your Fastly service, go to "Logging" tab
-
Use the following settings to define a new additional logger:
- Name: PX-Telemetry
- URL:
https://collector-<px_app_id>.perimeterx.net/api/v2/risk/telemetry - Placement: none
- Maximum Logs: 1
- Advanced options
- Content type - application/json
- All other fields: No change is needed, use the default values.
2. Validate the px_configs configuration table in the PX_CONFIGS VCL file.
Several configuration options were deprecated in Fastly VCL v10. If one or more configurations in the list below are present in the px_configs table of the PX_CONFIGS VCL file, please modify them accordingly.
| Configuration Name | Change | Notes |
|---|---|---|
px_module_mode | Configuration options have been changed. | The "async_monitor" value is no longer available. The "monitor" value should be used instead. |
px_block_all_size_exceeded_post_requests | Configuration has been removed. | POST requests with bodies larger than 8 KB will go through normal processing. |
px_block_size_exceeded_post_requests_by_size | Configuration has been removed. | POST requests with bodies larger than 8 KB will go through normal processing. |
px_enable_error_logs | Configuration has been removed. | Rather than checking this configuration, the enforcer checks the if the px_logger_severity configuration is set to "error". |
px_enable_redirect_xhr | Configuration has been removed. | First party XHR routes should be treated like all other First Party routes. Instead of XHR routes having their own individual setting, they now depend on the px_first_party_enabled configuration option. |
px_send_page_activities | Configuration has been removed. | Asynchronous activities should always be sent and should not be turned off. |
px_enable_access_control_header | Configuration has been removed. | See the changes to the px_custom_access_control_header custom subroutine. |
px_csp_enabled | Configuration has been removed. | The CSP feature has been removed. |
px_bypass_monitor_header | Configuration default value has changed. | The default value has changed from an empty string to "x-px-block". |
3. Validate the subroutines and tables in the PX_CUSTOM VCL file.
How to change the PX_CUSTOM file?
- Make a copy of your PX_CUSTOM VCL file on your local computer (for safekeeping).
- Upload the new v11 PX_CUSTOM VCL file to your Fastly service.
- One by one, compare each custom subroutine in your old PX_CUSTOM VCL with the new subroutine. Transfer the previously existing implementation to the new PX_CUSTOM VCL file, modifying it as needed. All desired logic should remain the same (pay special attention to conditionals and regular expressions!); most if not all the changes will likely be related to header names and return values. See the table below for details about specific subroutines.
| Custom Subroutine Name | Change | Notes |
|---|---|---|
px_custom_check_block_post_url | Subroutine has been removed. | This subroutine was not invoked in previous versions and had no effect. |
px_custom_check_block_by_size | Subroutine has been removed. | This subroutine was not invoked in previous versions and had no effect. |
px_custom_check_enabled_route | Subroutine has been removed. | This logic can be implemented in your MAIN VCL as desired. |
px_custom_redirect | Subroutine has been removed. | This logic can be implemented in your MAIN VCL as desired. |
px_custom_data_enrichment_handler | Subroutine has been removed. | This logic can be implemented in your MAIN VCL as desired. |
px_custom_captcha_handler | Subroutine has been removed. | Use the px_custom_block_handler custom subroutine instead. |
px_custom_access_control_header | Subroutine has been removed. | Use the px_custom_cors_set_custom_block_response_headers custom subroutine instead. |
px_custom_create_block_page | Subroutine has been renamed. | The new subroutine is named px_custom_block_page_content. |
px_custom_create_synthetic_mobile_response | Subroutine has been removed. | Mobile block response structures should not be modified as this will interfere with the Mobile SDK's functionality. If this is problematic for your setup, please reach out to your HUMAN Solution Architect. |
px_custom_create_synthetic_web_response | Subroutine has been renamed. | The new subroutine is named px_custom_web_block_page_response. |
px_custom_block_handler | Subroutine has been removed. | Use the px_custom_web_block_page_response custom subroutine instead. |
px_custom_post_block_handler | Subroutine has been removed. | This subroutine was not invoked in previous versions and had no effect. |
px_custom_is_login_request | Subroutine has been changed. | This subroutine now returns a string value instead of setting the req.http.login-set header. |
px_custom_login_extraction_callback | Subroutine has been changed | The req.http.login-set header used in this subroutine has been renamed to req.http.px-creds:endpoint-index. |
px_custom_set_login_successful_response_header | Subroutine has been changed. | This subroutine now returns a string value of "0" or "1" indicating whether the login was successful instead setting the resp.http.x-px-login-successful header. |
px_custom_extract_jwt_additional_fields | Subroutine has been changed. | This subroutine now expects a string return value in format of "fieldName1":"fieldValue1","fieldName2":"fieldValue2" (without initial { and final } required for JSON syntax) rather than setting the header req.http.px-jwt:Additional-Fields. |
Some tables and dictionaries in the PX_CUSTOM VCL file have also changed. See the table below for details.
| Table Name | Change | Notes |
|---|---|---|
px_login_credentials_extraction | Table options have changed. | The use_callback key has been removed. Instead, the sent_through key can be set to "custom" to achieve the same effect. |
cs_data | Table has been removed. | The table was used previously to store the Fastly API token and the px_enforcer_config_rdata_id, which have been moved to the px_configs table instead. |
px_csp_data | Table has been removed. | The CSP feature has been removed. |
px_enforcer_config_rdata | Table has been changed to dictionary. | The table is no longer present in the PX_CUSTOM VCL file and must always be added to the Fastly service as a dictionary. |
If upgrading from 9.x and earlier...
As part of an effort to reduce HUMAN's Fastly VCL workspace footprint, many custom subroutines in the PX_CUSTOM VCL file have been changed to return boolean values instead of setting headers.
Please pay special attention to these custom subroutines:
- px_custom_check_sensitive_route
- px_custom_check_sensitive_graphql_operation
- px_custom_filter_by_http_method
- px_custom_filter_by_user_agent
- px_custom_filter_by_route
- px_custom_filter_by_extension
- px_custom_filter_by_ip
- px_custom_enforced_routes
- px_custom_monitored_routes
- px_custom_check_enabled_route
Example
We've adjusted
px_custom_check_sensitive_routesubroutine to return a boolean value instead of setting a header.Here is the previous implementation of this subroutine:
# implementation in v9.x and below sub px_custom_check_sensitive_route { if (req.url.path ~ {"<sensitive_routes>"}) { set req.http.X-PX-sensitive-route = "1"; } }Compare this with the newer implementation of the subroutine:
# implementation in v11 sub px_custom_check_sensitive_route BOOL { if (req.url.path ~ {"<sensitive_routes>"}) { return true; } return false; }The regular expression in the condition (i.e.,
<sensitive_routes>) should stay the same for both implementations. The difference is that instead of setting theX-PX-sensitive-routeheader, we can simplyreturn true.
4. Remove references to X-PX-* headers.
In version 9.x and earlier, HUMAN used headers beginning with x-px-* to store information during the duration of the Fastly request life cycle. These headers have been renamed in version 11 and will no longer be present on the request. Any references to these headers in your Fastly VCL code should be removed.
If you have logic in your Fastly VCL files that relies on these
x-px-*headers, please reach out to your HUMAN Solution Architect or Customer Support for guidance on how to align this code with version 11.
5. Add remote configuration parameters and dictionaries.
Version 11 includes the new remote configuration feature. Remote configuration is a feature that lets you access and modify your Enforcer’s configuration remotely without redeploying. This also allows the HUMAN team to troubleshoot or customize your Enforcer directly. Remote configuration is required as part of your Enforcer setup.
Note
HUMAN will never change your Enforcer configuration without your permission. You can learn more about remote configurations with our help article.
- Please refer to the instructions here for how to add the new remote configuration fields to your PX_CONFIGS VCL file.
- Please refer to the instructions here for how to add in the required dictionaries to your Fastly VCL service.
Updated 12 days ago