Altitude San Francisco 2018: Programming the Edge

presents
Programming the
edge
Andrew Betts, Fastly

CDN
Your application
Traditional CDN model

Your application
Fastly as part of your app

Geo-IP API at the Edge
Redirects
Decoding auth cookies at the edge
Relative date insertion
Overriding TTLs based on content-type
Streaming server-sent-events
RUM logging and aggregation
Routing for microservices
CORS OPTIONS preflights at the edge
Serve robots.txt from the edge
Serve stale on origin failure
Getting creative at the edge
Partial content 'Range' requests
Time-limited URL tokens
Image optimization
Modern web security headers
GZip compression at the edge
Client public IP API at the edge
Google Cloud storage / AWS S3 origin
CAPTCHA challenge
Logging to Google BigQuery
Blocking obsolete TLS
Replace origin errors with 'safe' responses

Debugging today: headers
Fastly-Debug-Path:
Fastly-Debug-TTL:
X-Cache:
X-Cache-Hits:
(D cache-iad2150-IAD 1523245558) (F cache-iad2120-IAD 1523245558)
(D cache-lcy8132-LCY 1523245558) (F cache-lcy8149-LCY 1523245531)
(M cache-iad2150-IAD - - 0) (H cache-lcy8132-LCY - - 27)
HIT, MISS
1, 0

Washington, DC London
iad2150 iad2120
MISS
lcy8132 lcy8149
HIT!
27 sec old
1 previous hit

Fastly-Debug-Path:
(D cache-iad2150-IAD 1523245558)
(F cache-iad2120-IAD 1523245558)
(D cache-lcy8132-LCY 1523245558)
(F cache-lcy8149-LCY 1523245531)
Fastly-Debug-TTL:
(M cache-iad2150-IAD - - 0)
(H cache-lcy8132-LCY - - 27)

● Everything you enter into fiddle is public
● Please disable pop-up blocking for
fiddle.fastlydemo.net
● Deploying code to thousands of servers is not
instantaneous. Please be patient!
● We suggest you do each fiddle in a different tab, so
you still have them all to refer to at the end.
● Ask Fastly helpers if you get stuck

Exercises
Basics
Geoloca
tion
RUM Logging
Redirects
Paywall
A/B testing
Shielding
Authentication

Proxy and
cache
fiddle/5f263e69
Basics
1

Learn about fiddle
➔ Create a fiddle
➔ Set a fiddle title
➔ Configure a backend
➔ Execute the fiddle
➔ Use fiddle insights
fiddle/5f263e69
Basics
1
Learn about Fastly
➔ Edge cache

Exercises
Basics
Geoloca
tion
RUM Logging
Redirects
Paywall
A/B testing
Authentication
Shielding

Add extra data
fiddle/7a6cbc28
GeoIP headers
2

fiddle/7a6cbc28
GeoIP headers
2
Learn about fiddle
➔ Create a fiddle
➔ Write VCL
➔ Autocompletion & linting
➔ Header highlighting
Learn about Fastly
➔ Edge cache
➔ Header manipulation
➔ Predefined VCL variables

fiddle/7a6cbc28
RECV:
set req.http.client-geo-continent = client.geo.continent_code;
set req.http.client-geo-country = client.geo.country_code;
set req.http.client-geo-city = client.geo.city;
set req.http.edge-geo-datacenter = server.datacenter;
set req.http.client-source-network = client.as.number;
GeoIP headers
2

No origin request
fiddle/b62fa9ee
RUM Logging
3
Batch and
write to log

fiddle/b62fa9ee
RUM Logging
3
Learn about fiddle
➔ Create a fiddle
➔ Write VCL
➔ Log capture
Learn about Fastly
➔ Real time logging
➔ Synthetic responses

fiddle/b62fa9ee
RECV:
if (req.url ~ "^/log/?") {
error 901;
}
RUM Logging
3

fiddle/b62fa9ee
ERROR:
if (obj.status == 901) {
log "syslog " req.service_id " logger_name :: " req.url.qs;
set obj.status = 204;
set obj.response = "No content";
return (deliver);
}
RUM Logging
3

fiddle/b62fa9ee
Request URL:
/log?field1=foo&field2=bar&field3=42
RUM Logging
3

fiddle/b62fa9ee
ERROR:
set req.url = querystring.add(req.url, "city", client.geo.city);
set req.url = querystring.add(req.url, "dc", server.datacenter);
log "syslog " req.service_id " logger_name :: " req.url.qs;
set obj.response = "No content";
return (deliver)
}
RUM Logging
3

fiddle/7fc13ab0
Redirects
4
Redirect response
for old URLs
Allow valid URLs
to go to origin

fiddle/7fc13ab0
Redirects
4
Learn about fiddle
➔ Create a fiddle
➔ Write VCL
Learn about Fastly
➔ Edge dictionaries

fiddle/7fc13ab0
INIT:
table redirects {
"/source1": "/dest1",
"/source2": "/dest2"
}
Redirects
4

fiddle/7fc13ab0
RECV:
if (table.lookup(redirects, req.url)) {
error 811;
}
Redirects
4

fiddle/7fc13ab0
ERROR:
set obj.http.Location = "https://" req.http.host table.lookup(redirects,
req.url);
set obj.response = "Moved permanently";
return (deliver);
}
Redirects
4

fiddle/7fc13ab0
Request URL:
/source1
Redirects
4

fiddle/9c137528
Paywall
5
Fetch content
$
Content includes Paywall header
Fetch paywall URL
Paywall returns 200 or 403
Serve content or paywall from cache

fiddle/9c137528
Paywall
5
Learn about fiddle
➔ Create a fiddle
➔ Write VCL
➔ Multiple backends
➔ Custom request headers
Learn about Fastly
➔ Edge cache
➔ Restarts
➔ Custom origin routing

fiddle/9c137528
Request URL:
/article/kittens
Paywall
5
Origin servers:
https://fiddle-content-for-paywall.glitch.me
https://fiddle-paywall.glitch.me
Custom headers:
Cookie: sessionid=12345

fiddle/9c137528
DELIVER:
if (resp.http.Paywall ~ "^https?://[^/]+(.*)$" && !req.http.Paywall-Result) {
set req.http.paywallOrigUrl = req.url;
set req.url = re.group.1;
restart;
}
Paywall
5

fiddle/9c137528
RECV:
if (req.http.paywallOrigUrl) {
set req.backend = F_origin_1;
} else {
set req.backend = F_origin_0;
}
Paywall
5

fiddle/9c137528
DELIVER:
... previous code ...
if (resp.http.Paywall-Result && req.http.paywallOrigUrl) {
set req.http.Paywall-Result = resp.http.Paywall-Result;
set req.http.Paywall-Meta = resp.http.Paywall-Meta;
set req.url = req.http.paywallOrigUrl;
unset req.http.paywallOrigUrl;
restart;
}
Paywall
5

fiddle/38f96b56
A/B testing
6
Choose random tests,
then stick to them
Add extra data
Add A/B cookie

fiddle/38f96b56
A/B testing
6
Learn about fiddle
➔ Create a fiddle
➔ Write VCL
➔ Multiple backends
➔ Custom request headers
➔ Browse mode
Learn about Fastly
➔ Edge cache
➔ Custom origin routing
➔ Hashing functions
➔ Randomness functions
➔ Vary
➔ Setting cookies
➔ Local variables

fiddle/38f96b56
Request URL:
/article/kittens
A/B testing
6
Origin server:
https://fiddle-ab.glitch.me

fiddle/38f96b56
RECV:
set req.http.ab = if (
req.http.Cookie:ab,
req.http.Cookie:ab,
uuid.version4()
);
A/B testing
6

fiddle/38f96b56
DELIVER:
if (!req.http.Cookie:ab) {
add resp.http.Set-Cookie = "ab=" req.http.ab "; max-age=31536000; path=/; secure";
set resp.http.Cache-Control = "no-store";
}
A/B testing
6

fiddle/38f96b56
A/B testing
6
0 100
0 100
User = “fgj592hfe”...
+ “header” = 53
+ “buttonSize” = 87

fiddle/38f96b56
RECV:
declare local var.userTestSlot INTEGER;
set var.userTestSlot = std.atoi(if(
digest.hash_md5(req.http.ab "header") ~ "(d).*?(d)",
re.group.1 re.group.2, "0"
));
set req.http.ab-header = if (var.userTestSlot <= 50, "normal", "cute");
A/B testing
6

fiddle/38f96b56
RECV:
... previous code ...
set var.userTestSlot = std.atoi(if(
digest.hash_md5(req.http.ab "buttonSize") ~ "(d).*?(d)",
re.group.1 re.group.2, "0"
));
set req.http.ab-buttonSize =
if (var.userTestSlot <= 20, "small",
if (var.userTestSlot <= 30, "medium",
"large"
));
A/B testing
6

fiddle/32f9f345
Shielding
7
Close to
user
Close to
origin

fiddle/32f9f345
Shielding
7
Learn about fiddle
➔ Create a fiddle
➔ Write VCL
➔ Shielding
Learn about Fastly
➔ Edge cache
➔ Header manipulation
➔ Shielding
➔ Passing the cache

fiddle/32f9f345
RECV:
if (!req.http.Fastly-FF) {
return(pass);
}
Shielding
7
OPTIONS:
Clustering, Shielding

★ Try inverting the Fastly-FF test to move the pass to the Shield,
instead of the Edge
fiddle/32f9f345
Shielding
7

fiddle/a5bfbcce
Authentication
8
Learn about fiddle
➔ Create a fiddle
➔ Write VCL
➔ Log capture
Learn about Fastly
➔ Edge cache
➔ Local variables
➔ Hashing functions
➔ Querystring functions
➔ Time comparison functions

fiddle/a5bfbcce
Authentication
8
/video.mp4?token=45mfw94... /video.mp4

fiddle/a5bfbcce
INIT:
table config {
"secret": "my-super-secret-string",
}
Authentication
8

fiddle/a5bfbcce
RECV:
declare local var.token STRING;
declare local var.expiryTime TIME;
declare local var.suppliedSig STRING;
declare local var.expectedSig STRING;
set var.token = subfield(req.url.qs, "token", "&");
Authentication
8

fiddle/a5bfbcce
RECV:
set var.token = subfield(req.url.qs, "token", "&");
if (var.token ~ "^(d+?)_(.+)$") {
set var.expiryTime = std.integer2time(std.atoi(re.group.1));
set var.suppliedSig = re.group.2;
set var.expectedSig = digest.hmac_sha1_base64(
table.lookup(config, "secret"),
req.url.path var.expiryTime /* client.ip req.http.User-Agent */
);
} else {
error 901;
}
Authentication
8

fiddle/a5bfbcce
RECV:
if (var.token ~ "^(d+?)_(.+)$") {
...
if (var.suppliedSig != var.expectedSig) {
log "Sig is incorrect, expected " var.expectedSig;
error 902;
}
if (time.is_after(now, var.expiryTime)) {
error 903;
}
}
Authentication
8

fiddle/a5bfbcce
RECV:
if (var.token ~ "^(d+?)_(.+)$") {
...
set req.url = querystring.filter(req.url, "token");
}
Authentication
8

● Explore more solutions at fastly.com/demos
● Try fiddle yourself at fiddle.fastlydemo.net
● Got something good? Let us know in community.fastly.com or
email me: abetts@fastly.com.
● Remember all fiddle content is public
Programming the edge

Altitude San Francisco 2018: Programming the Edge

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Altitude San Francisco 2018: Programming the Edge

Similar to Altitude San Francisco 2018: Programming the Edge (20)

More from Fastly

More from Fastly (20)

Recently uploaded

Recently uploaded (20)

Altitude San Francisco 2018: Programming the Edge