Fastly Installation

Enable PerimeterX Support with Fastly

The PerimeterX Fastly Enforcer requires advanced functionality from Fastly. This must be enabled by the Fastly support team before the Enforcer can be activated.

To enable the advanced Fastly functionality, e-mail [email protected] as follows:

  • Subject: “Please enable PerimeterX support for our Fastly service ID”
  • Body: Hi Fastly Support, Please enable PerimeterX support for our service ID and confirm when it is completed.

You must request that this functionality be enabled for each service ID that is being protected by PerimeterX.

Customize the PerimeterX VCL

Your current VCL must be reviewed by a PerimeterX Solution Architect. Contact your PerimeterX Solution Architect or PerimeterX Support for more information.

Setting the Binary Block Result Cookie

To use the Fastly integration, a binary block result cookie must be defined in the PerimeterX Portal:

  1. Go to Admin > Policies, and select the policy.
  2. In the Risk Cookie tab, select Advanced Mode, and click Continue in the pop-up.
  3. Select the Cookie Version (V2), set the Binary Score/Threshold Score (100), and the Validity as appropriate.
  4. Click Apply.

Logging

To define a syslog, follow the instructions in the Fastly Syslog documentation.

  • PX-Syslog - To send important syslogs to the PerimeterX syslog servers, PX-Syslog must be defined. If you name the syslog PX-Syslog, you do not need to change PX_SYSLOG_NAME in the configuration table.

    • Name: PX-Syslog
    • Address: px-fst-syslog.perimeterx.net : 6514
    • Use TLS: Yes
    • All other fields: No change is needed, use the default values.

Adding a Syslog

Once the PX-Syslog is defined, you must create a new request condition to prevent the Syslog from sending every request automatically. To do this, the request condition must be defined as neverTrue:

  1. Click Attach a condition next to PX-Syslog.
  2. Click Create a New Response Condition.
  3. Name the condition NeverTrue.
  4. Apply if... req.url == "neverTrue"
  5. Under Advanced option, set the priority to 10.

See the Fastly Conditions documentation for more details.

Adding Conditions

  • PX-Debug - Optional debug logging endpoint. Define this endpoint to use enable_debug. If you name the syslog PX-Debug, you will not need to change
    *DEBUG_SYSLOG_NAME* in the VCL configuration table.
  • PX-Error - Optional error logging endpoint. You should define an endpoint to use enable_error.
  • PX-Waf-Prefetch-Condition - Optional condition that disables the WAF. This condition ensures the WAF is disabled during the PerimeterX request validation flow, to avoid an incorrect WAF score calculation.
    The condition's JSON definition is available in the Fastly VCL Enforcer code.
    Condition type: PREFETCH

To define a logging endpoint, see the Fastly Logging documentation.

Uploading the VCL files

Basic configuration changes to your VCL are required before uploading the VCL.

The PerimeterX Fastly VCL Enforcer consists of 4 VCL files which need to be uploaded to your service. Select main.vcl as the main VCL. (This will happen automatically if main.vcl is the first VCL uploaded.) Please note: VCL object names are case sensitive.

  • main.vcl - VCL name: "MAIN" - Fastly's default VCL.
  • PX.vcl - VCL name: "PX" - Contains all the internal PerimeterX logic.
  • px_configs.vcl - VCL name: "PX_CONFIGS" - Contains customer logic.
  • px_custom.vcl - VCL name: "PX_CUSTOM" - Contains customer config files.

To upload the VCLs:

  1. Click Upload Your First VCL File.
  2. Name the VCL file MAIN. This ensures that main.vcl is your main VCL.
  3. Upload the corresponding VCL file.
  4. Click Create.
  5. Click +Upload a New VCL File, and repeat the process for the remaining three VCL files, naming the files according to the list above.

.. figure:: /_static/add_vcls.gif?raw=true
   :alt: Adding VCLs

Merge your main.vcl with the PerimeterX main.vcl.
PerimeterX subroutine calls must be the first call in each subroutine in the MAIN VCL.

Fastly allows you to create your own VCL files with specialized configurations.

By default, the ability to upload custom VCL code is disabled when you sign up. Contact [email protected] to upload your custom VCL code.

After completing the Configuration section, upload the provided PerimeterX VCL according to the Fastly documentation for uploading custom VCLs, including the last section on multiple VCLs.

Note: You must activate your service version after every change performed to the VCL.

Error Codes

PerimeterX Enforcer uses VCL error codes. These should remain unused by other VCL applications.

Using any of the following codes in other applications may lead to unexpected behavior.

  • 991 - first_party_disabled
  • 992 - first_party_xhr_disabled
  • 995 - exceeded_rate_limit, s2s_high_score, cookie_high_score
  • 996 - cookie_high_score
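
One way to check your own VCL for collisions with these codes before merging and uploading it, as an added example that is not part of the PerimeterX Enforcer code. It assumes your VCL raises synthetic statuses with `error <code>` and tests them through `obj.status`, `resp.status` or `beresp.status`; the file name and sample VCL are constructed.

```python
import re

# Codes reserved by the PerimeterX Enforcer, as listed on this page.
RESERVED = {
    991: "first_party_disabled",
    992: "first_party_xhr_disabled",
    995: "exceeded_rate_limit, s2s_high_score, cookie_high_score",
    996: "cookie_high_score",
}

RAISE = re.compile(r"\berror\s+(\d{3})\b")  # error 995 "msg";
TEST = re.compile(r"\b(?:obj|resp|beresp)\.status\s*[=!]=\s*(\d{3})\b")
STRING = re.compile(r'"[^"\n]*"')           # blank out string literals first
COMMENT = re.compile(r"(#|//).*$")          # line comments only, not /* */

# Constructed sample of customer VCL (not PerimeterX code).
SAMPLE_VCL = '''\
sub vcl_recv {
  # error 991 "old rule, disabled";
  if (req.url ~ "^/admin") {
    error 995 "blocked";
  }
  if (req.http.X-Maint) {
    error 750 "maintenance";
  }
}
sub vcl_error {
  if (obj.status == 996) {
    set obj.status = 403;
  }
}
'''


def find_collisions(name, vcl_text):
    """Return (file, line_no, code, px_reason) for each reserved code used."""
    hits = []
    for line_no, line in enumerate(vcl_text.splitlines(), start=1):
        # Drop strings, then comments, so '#' inside a string is not a comment.
        code_part = COMMENT.sub("", STRING.sub('""', line))
        for pattern in (RAISE, TEST):
            for match in pattern.finditer(code_part):
                code = int(match.group(1))
                if code in RESERVED:
                    hits.append((name, line_no, code, RESERVED[code]))
    return hits


if __name__ == "__main__":
    for f, n, code, reason in find_collisions("custom.vcl", SAMPLE_VCL):
        print(f"{f}:{n}: status {code} is reserved by PerimeterX ({reason})")
```

Run it over your own VCL only, before merging it with the PerimeterX files, since the Enforcer's own VCL uses these codes by design.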
