Configuring push invalidation for BYO production CDN

Push invalidation automatically purges content on the customer's production CDN (e.g. www.yourdomain.com), whenever an author publishes content changes or a developer pushes code changes to the main branch (changes on other branches do not trigger push invalidation).

Content is purged by url and by cache tag/key.

Setting up push invalidation requires 2 steps:

Configuration

Push invalidation is currently supported for CDNs of the following vendors:

Push invalidation is enabled by adding specific properties to the project's configuration (an Excel workbook named .helix/config.xlsx in Sharepoint or a Google Sheet named .helix/config in Google Drive).

The following sections describe the vendor specific properties required to set up push invalidation.

Fastly

Configuration properties:

key value comment
cdn.prod.host <Production Host> Host name of production site, e.g. www.yourdomain.com
cdn.prod.type fastly
cdn.prod.serviceId <Fastly Service ID> Service ID of production service
cdn.prod.authToken <Fastly API Token>

Create a Fastly API Token

You can validate the credentials with this tool.

Akamai

Configuration properties

key value comment
cdn.prod.host <Production Host> Host name of production site, e.g. www.yourdomain.com
cdn.prod.type akamai
cdn.prod.endpoint <host> Fast Purge API credentials
cdn.prod.clientSecret <client_secret> Fast Purge API credentials
cdn.prod.clientToken <client_token> Fast Purge API credentials
cdn.prod.accessToken <access_token> Fast Purge API credentials

Push invalidation uses the Akamai Fast Purge API, specifically Delete by URL and Delete by cache tag.

The Fast Purge API credentials consist of

host = akaa-XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX.luna.akamaiapis.net
client_token = akab-XXXXXXXXXXXXXXXX-XXXXXXXXXXXXXXXX
client_secret = XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
access_token = akab-XXXXXXXXXXXXXXXX-XXXXXXXXXXXXXXXX

They can be generated by following the instructions at Create an API client with custom permissions.

Identity & Access Management

Create API client



Required group/role permissions:

You can validate the credentials with this tool.

Cloudflare

Configuration properties

key value comment
cdn.prod.host <Production Host> Host name of production site, e.g. www.yourdomain.com
cdn.prod.type cloudflare
cdn.prod.plan e.g. free

values: free, pro, business, enterprise

default: free

only enterprise plan supports purge-by-tag

cdn.prod.zoneId <Cloudflare Zone ID> ID of production zone
cdn.prod.apiToken <Cloudflare API Token>

Create an API Token

Note that only sites on the enterprise plan will be surgically purged by url and cache key. A Purge All will be performed instead on non-enterprise sites every time an author publishes a content change.

You can validate the credentials with this tool.

CloudFront

NB: CloudFront does NOT support purging by cache tag/key. Purge by cache tag/key always triggers a purge all.

Configuration properties

key value comment
cdn.prod.host <Production Host> Host name of production site, e.g. www.yourdomain.com
cdn.prod.type cloudfront
cdn.prod.distributionId <Cloudfront Distribution ID>
cdn.prod.accessKeyId <AWS Access key ID> AWS credentials
cdn.prod.secretAccessKey <AWS Secret access key> AWS credentials

Create the AWS credentials

In the AWS Console, open the IAM dashboard:

Select Users -> Add users:

Enter a user name and check “Access key - Programmatic access”:

On the “Set permissions” pane, click on “Create group”:

Enter a group name and select the CloudFrontFullAccess policy:

Create the user:

Finally, copy the Access key ID and Secret access key values:

You can validate the credentials with this tool.

Opt-In Request Header

The production CDN needs to send the following opt-in header to the origin in order to enable long cache TTLs:

X-Push-Invalidation: enabled