Blocking IPs while using Platform CDN

​With our current implementation of Platform CDN, the original IP address of client end users are not forwarded to Drupal in the normal way. This means that some modules which rely on client IP address for example blocking modules such as advblock, cannot function properly. 

This guide will show you how to block requests that reach you application using htaccess.

• First, you should submit an Acquia Support Ticket requesting a reverse proxy header set for Fastly-Client-IP. This is the header that we will be using to forward the original client header to your Drupal application. Please note that this first step could take some time to set up depending on internal resources.  
•  Once that is done, you can add this script to your htaccess file. This script will uses the Fastly-Client-IP header to block access to the entire application. 

<IfModule mod_setenvif.c>
 SetEnvIf Fastly-Client-IP ^[Enter IP here] DENY=1
 Order allow,deny
 Allow From All
 Deny from env=DENY
</IfModule>

That IP is now blocked from accessing the application.

Please note that this only works for requests for content that is not cached at the CDN and not cached at Varnish. That means any POST request, or any GET request where the response header 'Cache-Control: private' is set.

If you try to block by IP address for cacheable objects, the cache (Varnish or CDN) will cache the blocked response and then all clients will receive the blocked response from the cache.