Fastly can be used as a Content Delivery Network (CDN) in front of your Platform.sh project. You can either use your own Fastly CDN subscription (or any other CDN) or use the managed Fastly CDN provided by Platform.sh (for Elite and Enterprise customers). This article details the setup of your own Fastly subscription.
Requirements
- An up-and-running Platform.sh project
- A Fastly CDN subscription
Set up your Fastly CDN
On the Fastly side: refer to Fastly's official documentation on how to get started
- Decide on the custom domain that will be used to access your project with Fastly in front of it
- In Fastly, have the custom domain point to your project's target URL with a CNAME record
  - Find your project's target URL value
    - Via the Web Console
      - Navigate to your project
      - Click Settings
      - Under Project settings, click Domains
    - Via the CLI
        platform environment:info edge_hostname
- Add the domain to Platform.sh
  - Via the Web Console
    - Navigate to your project
    - Click Settings
    - Under Project settings, click Domains
    - Click the "Add" button
  - Via the CLI
      platform domain:add YOUR_DOMAIN
- Visit the custom domain in your browser to verify that it is all set up correctly
Handling apex domains
Since CNAME records can’t point to apex domains, Fastly offers Anycast options.
Tips
Avoid double-caching
To avoid stale content that can’t be cleared, avoid using Fastly with HTTP caching.
For routes where Fastly is used, disable HTTP caching using the following configuration:
.platform/routes.yaml
    https://{default}/:
        type: upstream
        ...
        cache:
            enabled: false
Ownership verification
To allow our Let's Encrypt TLS certificate provisioning to work for your domain, ensure that:
- The domains point to your CDN
- The _acme-challenge. subdomain, as in _acme-challenge.example.com, points to your CDN
- The /.well-known/ route, as in https://www.example.com/.well-known/, is accessible with no redirects
If you don’t follow those requirements, you get an error message similar to:
W: Failed to verify the challenge at the gateway for the domain 'www.example.com'
E: Error validating domain www.example.com: Couldn't complete challenge [HTTP01: The client lacks sufficient authorization]
Protect your site from on-path attacks
An on-path attack occurs when a hacker intercepts or modifies the communication between a client and a server. This can lead to sensitive data leaks. To prevent such attacks, make sure all communication with your site is encrypted through HTTPS and can’t be downgraded to HTTP.
To do so, enable HTTP strict transport security (HSTS). HSTS forces clients to always communicate with your site over HTTPS.
You can enable HSTS in your Fastly account. All HTTP requests are then automatically redirected to HTTPS.
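To confirm the result after enabling HSTS, the following added example (not part of the original article or of Platform.sh or Fastly tooling) audits the two behaviours described above: the HTTP-to-HTTPS redirect and the Strict-Transport-Security header. The function names, the 180-day max-age floor and the same-host redirect requirement are assumptions of this example; feed it the status, Location and headers you observe, for instance from curl -sI.

```python
from urllib.parse import urlsplit

MIN_MAX_AGE = 15552000  # assumed policy floor (180 days); choose your own

def parse_hsts(value):
    """Parse a Strict-Transport-Security value (RFC 6797); None if invalid."""
    directives = {}
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        name = name.strip().lower()
        if not name:
            continue
        if name in directives:  # a repeated directive invalidates the header
            return None
        directives[name] = arg.strip().strip('"')
    max_age = directives.get("max-age", "")
    if not (max_age.isascii() and max_age.isdigit()):
        return None  # max-age is mandatory and must be a non-negative integer
    return {"max_age": int(max_age),
            "include_subdomains": "includesubdomains" in directives}

def audit(host, http_status, http_location, https_headers):
    """Return findings for one host; an empty list means both checks pass."""
    findings = []
    target = urlsplit(http_location or "")
    # Assumption: the redirect must land on HTTPS for the same host, so the
    # browser receives the HSTS header for the name the user actually typed.
    if (http_status not in (301, 302, 307, 308)
            or target.scheme != "https" or target.hostname != host):
        findings.append("plain HTTP is not redirected to HTTPS on the same host")
    headers = {k.lower(): v for k, v in https_headers.items()}
    policy = parse_hsts(headers.get("strict-transport-security", ""))
    if policy is None:
        findings.append("HSTS header missing or malformed")
    elif policy["max_age"] < MIN_MAX_AGE:
        findings.append(f"HSTS max-age {policy['max_age']} is below {MIN_MAX_AGE}")
    return findings

# Constructed sample responses (not captured from a real site).
GOOD = audit("www.example.com", 301, "https://www.example.com/",
             {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"})
WEAK = audit("www.example.com", 200, None,
             {"strict-transport-security": "max-age=300"})

if __name__ == "__main__":
    print("good:", GOOD)
    print("weak:", WEAK)
```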
Managed Fastly CDN
- Dedicated projects include a managed Fastly CDN by default
- To add a managed Fastly CDN to your project, contact sales
- To modify any settings for a managed Fastly CDN, open a support ticket
Further references
- Content delivery networks (CDNs): for more information regarding CDN setups
- Managed Fastly CDN: for details on Managed Fastly CDN