Utilizing a Content Delivery Network (CDN) such as Fastly can serve as an alternative to the cache provided by the Platform.sh router. Implementing a CDN may enhance the time-to-first-byte for cached content across a broader geographic area, albeit at the expense of the CDN service fees.
Enterprise and Elite customers are eligible for a Managed Fastly service.
At present, Platform.sh does not provide an integrated CDN for self-service grid projects; however, many customers opt to configure their own CDN solutions.
Fastly is a Content Delivery Network (CDN) built upon Varnish that serves your application globally. The Fastly API and command-line interface (CLI) tools are extensively documented. Within 15 minutes, you can set up a Fastly CDN service that caches your static assets and dynamic application responses for your users.
Requirements
- An up-and-running Platform.sh project
- A Fastly CDN subscription
- Access to your DNS system
Set up your Fastly CDN
Fastly's official documentation on getting started.
1. Create a CDN service
Note: It is advisable to label the Fastly service name using your Platform.sh Project ID, particularly if you manage multiple projects hosted on Platform.sh.
Add your custom domain to your new Fastly CDN service and set the backend host as its origin.
The origin is the CNAME record shown on the domain settings page of your Platform.sh project. You can also retrieve it with the Platform.sh CLI by running the following command:
platform environment:info edge_hostname
Fastly suggests setting up shielding for your service. Be sure to implement it.
2. Finish setting up TLS on Fastly under the security settings page
Several options are available; choose the one that best fits your use case. You need access to your DNS system to validate ownership of your domains. Consider reducing the TTL on your DNS records to prevent delays in DNS propagation.
Setting up TLS with certificates managed by Fastly
3. Upload any necessary VCL snippets
Fastly offers plugins specifically designed for integration with WordPress and Drupal. These modules will automatically establish a connection to the Fastly service upon the provision of the required credentials and will include custom VCL snippets that must be uploaded to ensure proper functionality. These modules will purge content from the Fastly cache when editors update it.
Modules/Plugins:
Create a Fastly Token for your application to establish a connection with your Fastly service.
It is necessary to store two environment variables for the modules to connect automatically.
platform variable:create -y --level environment --inheritable false --sensitive false -p <PROJECT> -e <ENVIRONMENT> --name env:FASTLY_API_SERVICE --value <FASTLY SERVICE ID> --no-wait
platform variable:create -y --level environment --inheritable false --sensitive true -p <PROJECT> -e <ENVIRONMENT> --name env:FASTLY_API_TOKEN --value <FASTLY TOKEN> --no-wait
4. Go Live
Please confirm that the custom domain has been successfully integrated into the Platform.sh production environment.
It is necessary to disable the router cache on Platform.sh.
Additionally, please update your DNS settings to ensure that your custom domain is routed through the Fastly CDN network.
If you utilize any uptime monitoring solutions, it is recommended to establish a health check monitoring endpoint that is not cached. Both the WordPress and Drupal communities provide modules that facilitate this process.
Additional Resources:
Platform.sh - Set up your Fastly CDN
Platform.sh - GoLive Troubleshooting
Fastly Code Examples
Fastly provides numerous code examples for various needs. Visit their code examples to begin.
Managed Fastly CDN
- Dedicated projects include a Managed Fastly CDN by default
- To add a managed Fastly CDN to your project, contact sales
- To modify any settings for a managed Fastly CDN, open a support ticket
Protect your site from on-path attacks
An on-path attack occurs when an attacker intercepts or modifies the communication between a client and a server. This can lead to sensitive data leaks. To prevent such attacks, make sure all communication with your site is encrypted through HTTPS and can’t be downgraded to HTTP.
To do so, enable HTTP strict transport security (HSTS). HSTS forces clients to always communicate with your site over HTTPS.
You can enable HSTS in your Fastly account. All HTTP requests are then automatically redirected to HTTPS.
Using the IP block list
You can prevent specific IP addresses from accessing your service by adding them to a block list. Enabling this feature creates a condition and response that returns a 403 error to anyone trying to access the service from a blocked IP address. You can use this feature to prevent bad actors from interfering with the operation of your web application.
https://docs.fastly.com/en/guides/using-the-ip-block-list
Block Bad User Agents
You can add VCL to check for known bad user agents like crawlers and deny their requests.
https://www.fastly.com/documentation/solutions/examples/block-bad-user-agents/
Serving Stale Cache
Sometimes it's necessary to serve stale cached content when the origin is unavailable.
https://www.fastly.com/documentation/solutions/tutorials/stale/
Custom Maintenance Page
Temporarily take your site offline and display a custom message with Fastly. You can restrict traffic using specific ACL rules to allow only administrators access.
https://docs.fastly.com/en/guides/creating-error-pages-with-custom-responses
https://docs.fastly.com/en/guides/about-acls