Fastly - Adding authorization to PURGE
Fastly lets you purge content either via the interactive dashboard or by the API.
When purging by API, by default there is no need to authenticate and no authorization checks.
This means that a simple call like the following wild card purge works right away.
curl -X PURGE http://www.yourdomain.com/images/*
However, let me show you how to limit the purge API only to authorized calls.
We're going to add a custom response of 401 (unathorized) if the method is PURGE, and a secret predefined secret is not present, very much like an API key.
On the service configuration, go to "Content" and select to add a new response. Select a 401 code. Click "Create".
Edit the new response, and select "Request Conditions".
Add a condition that checks for method FASTLYPURGE and non-existence of a required secret purge key. You can select any header but I recommend using something that will make sense later.
req.request == "FASTLYPURGE" && req.http.X-Purge-Auth != "somesecret"
The PURGE API now requires a "X-Purge-Auth" secret key to work.
Fastly - List of VCL variables (Views: 6637)
Varnish RegEx cheat sheet (Views: 815)
Fastly - how to Purge by Surrogate Key (Views: 2713)
Fastly - ESI support (Views: 1251)
EdgeCast - Adding a new user for Purge Only (Views: 1158)