The HUMAN Fastly VCL Enforcer consists of a number of different components: VCL files, snippets, and logging endpoints. The majority of the Fastly VCL enforcer logic is housed in four VCL files that need to be uploaded to your service:
These 3 custom VCL files will be provided to you by a HUMAN Solution Architect:
To ensure that you are taking advantage of the latest features, several configurations and deploy changes need to be made in order to upgrade your Fastly VCL Enforcer to version 11. This document serves as a comprehensive guide to the changes that must be made.
Instead of using a Syslog log streaming endpoint, we’ve changed our async activities and telemetry logs to use Fastly’s HTTP logging endpoint.
This change requires removing the older PX-Syslog logging endpoint and configuring two new logging endpoints instead. For more information about Fastly log streaming, see here.
On your Fastly service, go to “Logging” tab
Add a new Logging endpoint with the information below:
https://collector-<px_app_id>.perimeterx.net/api/v1/collector/s2sOn your Fastly service, go to “Logging” tab
Use the following settings to define a new additional logger:
https://collector-<px_app_id>.perimeterx.net/api/v2/risk/telemetrySeveral configuration options were deprecated in Fastly VCL v10. If one or more configurations in the list below are present in the px_configs table of the PX_CONFIGS VCL file, please modify them accordingly.
Some tables and dictionaries in the PX_CUSTOM VCL file have also changed. See the table below for details.
As part of an effort to reduce HUMAN’s Fastly VCL workspace footprint, many custom subroutines in the PX_CUSTOM VCL file have been changed to return boolean values instead of setting headers.
Please pay special attention to these custom subroutines:
We’ve adjusted px_custom_check_sensitive_route subroutine to return a boolean value instead of setting a header.
Here is the previous implementation of this subroutine:
Compare this with the newer implementation of the subroutine:
The regular expression in the condition (i.e., <sensitive_routes>) should stay the same for both implementations. The difference is that instead of setting the X-PX-sensitive-route header, we can simply return true.
In version 9.x and earlier, HUMAN used headers beginning with x-px-* to store information during the duration of the Fastly request life cycle. These headers have been renamed in version 11 and will no longer be present on the request. Any references to these headers in your Fastly VCL code should be removed.
x-px-* headers, please reach out to your HUMAN Solution Architect or Customer Support for guidance on how to align this code with version 11.Version 11 includes the new remote configuration feature. Remote configuration is a feature that lets you access and modify your Enforcer’s configuration remotely without redeploying. This also allows the HUMAN team to troubleshoot or customize your Enforcer directly. Remote configuration is required as part of your Enforcer setup.
HUMAN will never change your Enforcer configuration without your permission. You can learn more about remote configurations with our help article.