Fastly Setup
The following screenshots illustrate how to configure Fastly to deliver content. Essential settings are marked with a red circle.
Create a Fastly service
Go to the Fastly Management UI and select Create Service, CDN.
Add Domain
Add your production domain (e.g. www.mydomain.com):
Configure Origin
Add your origin (e.g. main--mysite--hlxsites.aem.live) and keep the default settings for:
- Override default host
- Default compression
- Force TLS & HSTS
In the new configuration, click "Edit configuration" in the top right corner and "clone version 1 to edit".
In the sidebar, select "Hosts" underneath "Origins" and click the pencil icon to change host settings.
Scroll down and change Shielding to Ashburn Metro (IAD) (non-mandatory but recommended setting):
Don't forget to "update".
Create VCL Snippets
Create a VCL snippet for the recv subroutine with the following VCL code:
if (fastly.ff.visits_this_service == 0) {
  # edge delivery node
  if (req.url.qs != "") {
    # remember query string
    set req.http.X-QS = req.url.qs;
    if (req.url.path !~ "/media_[0-9a-f]{40,}[/a-zA-Z0-9_-]*\.[0-9a-z]+$"
        && req.url.ext !~ "(?i)^(gif|png|jpe?g|webp)$"
        && req.url.ext != "json"
        && req.url.path != "/.auth") {
      # strip query string from request url
      set req.url = req.url.path;
    }
  }
}
Create additional VCL snippets for the miss and pass subroutines with the following VCL code:
set bereq.http.X-BYO-CDN-Type = "fastly";
set bereq.http.X-Push-Invalidation = "enabled";
Note: The X-Push-Invalidation: enabled request header enables push invalidation, including long cache TTLs.
Create a deliver snippet with the following VCL code:
if (fastly.ff.visits_this_service == 0) {
  # on edge delivery node
  if (
    http_status_matches(resp.status, "301,302,303,307,308")
    && req.http.X-QS
    && resp.http.location
    && resp.http.location !~ "\?.*\z"
  ) {
    # preserve request query string in redirect location
    set resp.http.location = resp.http.location "?" req.http.X-QS;
  }
}
Finally, create a deliver snippet with the following VCL code:
unset resp.http.Age;
if (req.url.path !~ "\.plain\.html$") {
  unset resp.http.X-Robots-Tag;
}
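
To review offline which requests reach the origin with their query string intact, and how redirects get it back, the recv and first deliver snippets above can be modelled in Python. This is an added example, not part of the original page or of the product's code: the function names and sample URLs are constructed, and `url_ext` is an assumed approximation of Fastly's `req.url.ext`.

```python
import re
from urllib.parse import urlsplit

# Patterns copied from the recv snippet above.
MEDIA_RE = re.compile(r"/media_[0-9a-f]{40,}[/a-zA-Z0-9_-]*\.[0-9a-z]+$")
IMAGE_EXT_RE = re.compile(r"^(gif|png|jpe?g|webp)$", re.IGNORECASE)
REDIRECTS = {301, 302, 303, 307, 308}


def url_ext(path):
    # Assumption: req.url.ext is the text after the last dot of the last path segment.
    name = path.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[1] if "." in name else ""


def recv(url):
    """Model of the recv snippet: return (URL sent onward, saved X-QS or None)."""
    parts = urlsplit(url)
    path, qs = parts.path, parts.query
    if qs == "":
        return url, None          # nothing to remember or strip
    keep = (MEDIA_RE.search(path) or IMAGE_EXT_RE.search(url_ext(path))
            or url_ext(path) == "json" or path == "/.auth")
    return (url if keep else path), qs


def deliver(status, location, x_qs):
    """Model of the deliver snippet: return the Location header sent to the client."""
    if status in REDIRECTS and x_qs and location and "?" not in location:
        return location + "?" + x_qs
    return location


if __name__ == "__main__":
    # Constructed sample requests covering each branch of the recv condition.
    samples = [
        "/blog/post?utm_source=mail",                # stripped
        "/media_" + "a" * 40 + ".png?width=750",     # media hash: kept
        "/media_abc123.bin?x=1",                     # hash too short: stripped
        "/icons/logo.PNG?v=2",                       # image ext, any case: kept
        "/query-index.json?limit=10",                # json: kept
        "/.auth?code=abc",                           # auth endpoint: kept
    ]
    for url in samples:
        print(url, "->", recv(url))
    print(deliver(301, "/new", "utm_source=mail"))   # query string re-attached
    print(deliver(302, "/new?b=2", "a=1"))           # existing query left alone
```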
After completing all steps and activating the service version you should be all set:
Optional: Authenticate Origin Requests
If you have enabled token-based Site Authentication, navigate in the sidebar to Content → Headers, then "create a header" with the following settings:
- Name: Origin Authentication
- Type: Request/Set
- Destination: http.Authorization
- Source: "token <your-token-here>" (don't forget the quotes, and replace <your-token-here> with the site token retrieved in token-based Site Authentication – the token starts with hlx_)
- Ignore if set: no
- Priority: 10
Note
Edge Delivery Services needs no Web Application Firewall, as it is running on hardened, shared, and ultra-scalable infrastructure. Requests that a WAF would typically intercept are terminated in our CDNs.