If your organization uses Fastly, you can use HUMAN’s Fastly VCL Enforcer to protect against malicious behavior. The Enforcer is deployed to your content delivery network (CDN) and dictates how traffic should be handled per your organization’s standards.
You can learn how to install the Fastly VCL Enforcer with this article.
If you do not already have an Enforcer deployed to your environment, we highly recommend using the Deploy Tool method instead. See our documentation for more information.
To install the Fastly Enforcer, you first need to do the following:
Fastly needs to activate certain functionality in your service so it works with the HUMAN Enforcer. Fastly is familiar with HUMAN and its Enforcer, so you can simply send them an email to enable it.
This functionality must be manually activated by Fastly for each service you want to add the HUMAN Enforcer to, so you may need to send multiple service IDs.
<YOUR_ID_HERE>, and confirm when it is completed.
Fastly will add the following pragmas to your service:
fix_unsent_body_drain: Used to resolve an issue with HTTP response bodies not being fully sent to the client.
no_body_if_bereq_is_get_or_head: Used to prevent a response body from being sent to the client if the request method is GET or HEAD.
You can confirm that these pragmas were added by navigating to your service’s Service configuration > Show VCL.

After Fastly enables HUMAN support in your service, you need to contact the HUMAN team to receive the necessary VCL files and account information to complete your setup. To do so:
If you’ve already received all this information, then you can skip this section.
PX.vcl
PX_CONFIGS.vcl
PX_CUSTOM.vcl
px_remote_config_id
px_remote_config_auth_token
Once you receive these, you’re ready to Install the Enforcer.
Once you’ve enabled HUMAN support via Fastly and acquired all the necessary information from HUMAN, you’re ready to start installing the Enforcer.
version_id in later on in Dictionary setup.
The HUMAN Fastly VCL Enforcer requires you to create certain dictionaries to properly compile. To create them:
px_enforcer_config_rdata. You do not need to add any key values; HUMAN will populate the dictionary for you.
The following steps must be completed via Fastly’s API. For your convenience, you may also download our provided Postman Collection.
id for the px_enforcer_config_rdata, then save it for later on in the installation process. To make this call, you will need:
service_id, which you can find at the top of your Fastly service.
version_id, which is the version of the service you are currently editing.
px_private. Then, save its id for the next step. To make this call, you will need:
service_id, which you can find at the top of your Fastly service.
version_id, which is the version of the service you are currently editing.
px_fastly_api_token and with its item value as your Fastly API token.
service_id, which you can find at the top of your Fastly service.
dictionary_id, which is the id of the px_private dictionary you created in Step 4.
Because px_private is a private Fastly dictionary, the item key and value pair may not appear in your Fastly service GUI, even after you’ve successfully created it via API call.
Next, you’re ready to move on to Upload and edit VCL files.
The HUMAN Fastly VCL Enforcer consists of three custom VCL files that need to be uploaded to your service. These define the logic, configurations, and desired customizations for the VCL Enforcer. You can find a summary of all the files in the following table.
If you don’t have these files, see Contact HUMAN.
Each file must be uploaded to your Fastly service. Follow the respective section to learn how to upload each file.
To create the PX file in your Fastly service:
Do not make changes to the PX.vcl file
PX for the Name of the file.
PX.vcl file from HUMAN.
Your PX file should be created. Next, be sure to create a configs file.
To create the PX_CONFIGS file in your Fastly service:
PX_CONFIGS for the Name of the file.
PX_CONFIGS.vcl file from HUMAN.
PX_CONFIGS file.
.host value with your Application ID, as shown below.
Your PX_CONFIGS file should be created. Next, see Custom file settings.
To create PX_CUSTOM in your Fastly service:
You do not need to add any custom configurations for the Enforcer to function, but we recommend you upload the px_custom.vcl file regardless so you can return to make changes later.
PX_CUSTOM for the Name of the file.
PX_CUSTOM.vcl file from HUMAN.
PX_CUSTOM file.
Your PX_CUSTOM files should be created.
Now that you have uploaded all the files provided by HUMAN, you must update the MAIN file settings.
There is no single entry point for VCL code. Instead, Fastly exposes a number of different subroutines that function as “hooks” during the various stages of the VCL request lifecycle. These specific subroutines, such as vcl_recv or vcl_deliver, must be defined in a special custom VCL file known as the MAIN file. Typically, Fastly automatically creates a MAIN file when you create a new service. To integrate the HUMAN Enforcer into the MAIN file, we must invoke the appropriate HUMAN subroutine in every VCL hook subroutine.
You will need to edit the existing MAIN file, or create a new one, so that all the HUMAN Enforcer subroutines are added to your existing VCL hooks, which are listed below. While adding these subroutines, keep in mind that:
The px_recv_clustering_fixup subroutine is the only exception for the above. px_recv_clustering_fixup should be called immediately after the #FASTLY recv macro rather than before.
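The ordering rule for px_recv_clustering_fixup can be checked mechanically before a MAIN file is uploaded. The following is an added example, not code from HUMAN or Fastly; the function name and both sample MAIN files are constructed for illustration, and "immediately after" is taken to mean the first statement after the macro once blank lines and line comments are skipped.

```python
import re

# Constructed sample MAIN files; only px_recv_clustering_fixup and the
# "#FASTLY recv" macro come from the page, the rest is illustrative.
GOOD_MAIN = """\
sub vcl_recv {
  # customer logic may sit here
#FASTLY recv
  // clustering fix must be the first statement after the macro
  call px_recv_clustering_fixup;
  return(lookup);
}
"""
BAD_MAIN = """\
sub vcl_recv {
  call px_recv_clustering_fixup;
#FASTLY recv
  return(lookup);
}
"""

# The macro itself starts with '#', so it is matched before comments are skipped.
MACRO = re.compile(r"^\s*#\s*FASTLY\s+recv\s*$")
FIXUP = re.compile(r"^\s*call\s+px_recv_clustering_fixup\s*;")
COMMENT = re.compile(r"^\s*(#|//)")  # line comments only, not /* ... */


def check_clustering_fixup(main_vcl: str) -> list[str]:
    """Return findings; an empty list means the ordering rule holds."""
    lines = main_vcl.splitlines()
    macros = [i for i, line in enumerate(lines) if MACRO.match(line)]
    if not macros:
        return ["#FASTLY recv macro not found"]
    findings = []
    macro = macros[0]
    # A fixup call above the macro runs too early.
    for i in range(macro):
        if FIXUP.match(lines[i]):
            findings.append(f"line {i + 1}: fixup called before #FASTLY recv")
    # First real statement after the macro (blank lines and comments skipped).
    after = [l for l in lines[macro + 1:] if l.strip() and not COMMENT.match(l)]
    if not after or not FIXUP.match(after[0]):
        findings.append("px_recv_clustering_fixup is not the first statement after #FASTLY recv")
    return findings
```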
To update your MAIN file:
If you implemented a Fastly Edge Rate Limit (ERL) on the same Fastly Service you’re deploying the Enforcer to, it can impact HUMAN’s async activities.
vcl_recv, a 429 error is thrown before the Enforcer initializes. This means that the Enforcer will not create any activities.
vcl_pass or vcl_miss, no risk_api activity will be sent and the traffic goes directly to vcl_error and vcl_deliver. Page requested activity will be generated.
Next, you’re ready to move on to Logging endpoint setup.
HUMAN uses your Fastly service’s logging to keep track of the Enforcer’s performance and activity. As part of the installation process, you will create three new HTTPS endpoints:
page_requested or block, to HUMAN’s servers.
HS-Log uses a logger authentication token that must be provided by HUMAN. If you do not have it, see Contact HUMAN.
To create the required logging endpoints:
https://collector-<px_app_id>.perimeterx.net/api/v1/collector/s2s
https://collector-<px_app_id>.perimeterx.net/api/v2/risk/telemetry
https://sapi-<APP_ID>.perimeterx.net/enforcer-logs/
Next, you can configure some optional settings:
Otherwise, you can move on to Wrap up.
You can also add logging endpoints that receive messages from the Enforcer about the Fastly request flow. The Enforcer can send two types of logs depending on the configured px_logger_severity: debug and error.
To receive Enforcer logs:
PX_CONFIG file.
px_logger_severity to the desired logging level.
PX-Debug or PX-Error depending on your desired endpoint.
If you need to turn on Enforcer logs temporarily and you don’t have an existing logging endpoint where you can easily view the logs, Fastly’s online log viewer may provide a quick solution.
Next, depending on your Fastly service, you may need to configure the following:
Otherwise, you can move on to Wrap up.
The px_shield VCL snippet is required for Fastly Shielding functionality to stay enabled after a restart triggered by the Enforcer. You can learn more about Fastly’s shielding functionality with their help article.
To create px_shield:
set var.fastly_req_do_shield = (req.restarts == 0 || (req.restarts == 1 && req.http.px-tmp:internal-flow == "1"));
Next, you may need to configure an Optional WAF prefetch condition. If you don’t, you can move on to Wrap up.
If you are using Fastly WAF, we recommend adding a condition to your Fastly service to address a potential issue that may arise from running WAF rules multiple times. This condition will effectively prevent the duplication of WAF activations and ensure a smoother operation of the integration for customers who have enabled Fastly WAF but have not implemented the WAF prefetch condition.
This step is not applicable if using Fastly Next-Gen (Signal Sciences) WAF. If you are using Fastly Next-Gen (Signal Sciences) WAF, reach out to your HUMAN Solution Architect.
To add this condition to your service, you must use the Fastly API. The condition should be made with the following settings:
req.backend.is_origin && !req.http.bypasswaf
Next, you’re ready for Wrap up.
If you’ve completed your Enforcer installation, you must have the following in your Fastly service:
px_enforcer_config_rdata
px_private, with a key named px_fastly_api_token
MAIN, which must have the necessary HUMAN subroutines
PX, which must not have any changes to it
PX_CONFIGS, which must be updated with your unique values
PX_CUSTOM, which may have custom configurations as desired for your organization
PX-Async-Activities
PX-Telemetry
HS-Log
You may also have:
PX-Debug
PX-Error
If you have all of these items, then you’re ready to deploy your Fastly VCL Enforcer. From your Fastly service, select Activate. This will launch the Enforcer.
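The checklist above can be compared against the service version's API listings before selecting Activate. The following is an added example, not code from HUMAN or Fastly; audit_service is a hypothetical helper, the sample listings are constructed, and it assumes the name, write_only and main fields that the Fastly API returns for dictionaries and VCL files.

```python
REQUIRED_DICTS = {"px_enforcer_config_rdata", "px_private"}
REQUIRED_VCLS = {"PX", "PX_CONFIGS", "PX_CUSTOM"}
REQUIRED_LOGS = {"PX-Async-Activities", "PX-Telemetry", "HS-Log"}


def audit_service(dictionaries, vcls, https_logs):
    """Compare parsed Fastly API listings for one service version with the
    wrap-up checklist. Returns a sorted list of findings (empty = ready)."""
    findings = []
    dict_by_name = {d["name"]: d for d in dictionaries}
    for name in REQUIRED_DICTS - set(dict_by_name):
        findings.append(f"dictionary missing: {name}")
    # px_private holds the Fastly API token, so it must be a private
    # (write-only) dictionary whose items cannot be read back. For the same
    # reason the px_fastly_api_token item itself cannot be listed here.
    private = dict_by_name.get("px_private")
    if private is not None and not private.get("write_only"):
        findings.append("px_private is not write-only")
    for name in REQUIRED_VCLS - {v["name"] for v in vcls}:
        findings.append(f"VCL file missing: {name}")
    # The MAIN file is whichever custom VCL carries the main flag.
    if not any(v.get("main") for v in vcls):
        findings.append("no VCL file is flagged as main")
    for name in REQUIRED_LOGS - {e["name"] for e in https_logs}:
        findings.append(f"HTTPS logging endpoint missing: {name}")
    return sorted(findings)


# Constructed listings shaped like the JSON returned for the dictionary,
# vcl and logging/https collections of a service version.
SAMPLE_DICTS = [
    {"name": "px_enforcer_config_rdata", "write_only": False},
    {"name": "px_private", "write_only": False},  # created as a normal dictionary
]
SAMPLE_VCLS = [
    {"name": "MAIN", "main": True},
    {"name": "PX", "main": False},
    {"name": "PX_CONFIGS", "main": False},
]
SAMPLE_LOGS = [{"name": "PX-Async-Activities"}, {"name": "HS-Log"}]
```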
Once you finish installing, be sure to contact HUMAN to complete your Tuning process.