This document contains information about custom Varnish configuration for Cloud Platform Enterprise applications.
This documentation page describes the specific Varnish® configurations allowed in Cloud Platform.
Cloud Platform installs Varnish Cache, a caching reverse proxy, in front of all Cloud Platform load balancing infrastructure. To modify the behavior of Varnish, you must create a custom Varnish configuration using Varnish’s domain-specific programming language, VCL.
For more information about how Varnish caching benefits your website, see Using Varnish.
To deploy a custom Varnish configuration, create a Support ticket. Acquia will provide you with a test environment for one week to test your new custom VCL. However, creating and testing the custom VCL is your responsibility.
Cloud Platform Enterprise customers must create a Support ticket to request a copy of the full VCL, based on their contractual NDA. Acquia does not disclose the configuration of our Nginx infrastructure, as the configuration is both proprietary and subject to change without notice. Acquia Support does not provide support for specific VCL customizations.
Allowed Varnish configuration use case
The following is the only permitted use case for custom Varnish configurations in Cloud Platform:
Varnish Access Control Lists (vACL): Allow or deny access to a website by IP address or range. Excluding based on paths is prohibited. For more information, see Customized ACLs on Cloud Platform.
Custom Varnish configuration schedule
Acquia deploys custom Varnish configurations on a weekly schedule.
To deploy your custom Varnish configuration:
Create a Support ticket to determine if one of the allowed VCL modifications is an appropriate solution for your needs.
Request a copy of your current VCL from Acquia.
Supply Acquia the list of environments in front of which you want to place the test load balancer.
Choose to either supply a new VCL file, or request to reinstate the default Acquia VCL, by Monday at 12:00 PM Eastern Standard Time (EST) (convert to UTC).
If you choose to supply a new VCL file, you must supply the entire VCL file, and not only the lines you want to change.
If you choose to reinstate the default Acquia VCL, explicitly state this request in your Support ticket. You do not need to submit a VCL file in this case.
Note
VCL files on Cloud Platform must be less than 128 KB in size.
Acquia deploys a test load balancer with the new VCL no later than 17:00 Eastern (North America) Time on Tuesday.
Test that the new features work as expected.
To test the VCL on the test load balancer, modify the hosts file on your local machine to point to the IP address of the test load balancer.
If you encounter any issues requiring a revised VCL, submit a revised VCL no later than 09:00 Eastern (North America) Time on Wednesday for Acquia to apply the revised VCL to the test load balancer.
Complete any testing and confirm your approval no later than 15:00 Eastern (North America) Time on Wednesday.
Note
Acquia performs code reviews between 15:00 Eastern (North America) Time on Wednesday and 15:00 Eastern (North America) Time on Thursday.
Acquia releases VCL files during non-peak periods. For more information, see Acquia release schedule.
Specify your preferred window in the Support ticket for the custom VCL update.
After you test and approve the custom VCL, Acquia adds it to the tasks scheduled for that maintenance window.
Acquia release schedule
VCL updates restart Varnish and clear Varnish cache. To minimize disruption, Acquia releases VCL files during non-peak periods, according to the following schedule:
Region | Data centers | Time |
|---|---|---|
Asia-Pacific and Japan * | AP-southeast-2, AP-southeast-1, AP-northeast-1 | 19:00–20:00 UTC Thursday |
Europe and Africa | EU-central-1, EU-west-1 | 04:00–05:00 UTC Friday |
Americas | SA-east-1, US-east-1, CA-central-1, US-west-2 | 07:00–08:00 UTC Friday |
* Default window
Customized ACLs on Cloud Platform
Custom Varnish Access Control Lists (vACLs) provided as part of a custom VCL must have the following structure:
Multiple allowlist and denylist rules may be created for each application.
Individual rules may be applied to multiple domain names on multiple environments.
Access control rules must be organized by domain name, and must not reuse domain name references.
All IPv4 addresses must be requested from the customer.
Note
If a CDN is present, an Access Control List in a cVCL is not applied to cached traffic at the CDN level. If you have a CDN, ensure that you apply access restrictions through the CDN.
To configure an ACL:
In the VCL file, locate the following section:
########################################################### <-- keep this line ## CUSTOMIZABLE SECTION: Access Control List (ACL) ######## <-- keep this line ########################################################### <-- keep this line # acl customername { <-- uncomment + edit # "10.10.9.1"; /* Website developer Annie. */ <-- uncomment + edit # "10.10.9.2"; /* Joe at Operations. */ <-- uncomment + edit # "10.10.10.0"/24; /* Entire team of editors. */ <-- uncomment + edit # ! "10.10.11.1"; /* Except Chris. */ <-- uncomment + edit # } <-- uncomment ########################################################### <-- keep this lineUncomment the editable lines:
########################################################### <-- keep this line ## CUSTOMIZABLE SECTION: Access Control List (ACL) ######## <-- keep this line ########################################################### <-- keep this line acl customername { "10.10.9.1"; /* Website developer Annie. */ "10.10.9.2"; /* Joe at Operations. */ "10.10.10.0"/24; /* Entire team of editors. */ ! "10.10.11.1"; /* Except Chris. */ } ########################################################### <-- keep this lineChange the name of the ACL:
acl MyCustomer {Replace the template IP addresses with the IPv4 addresses that you want to allow:
"233.163.58.255"; /* Office HQ */ "17.57.71.1"; /* European partner agency */ "238.243.52.0"/24; /* Address range CI tooling */In the VCL file, locate the enforcement section:
######################################################### <-- keep this line ## CUSTOMIZABLE SECTION: Access Control List (ACL) ###### <-- keep this line ######################################################### <-- keep this line # if (!req.http.X-Acquia-Request && <-- uncomment # std.ip(req.http.client-ip, "127.0.0.2") !~ acquia_acls && <-- uncomment # std.ip(req.http.client-ip, "127.0.0.2") !~ aws_internal && <-- uncomment # std.ip(req.http.client-ip, "127.0.0.2") !~ customername) { <-- edit acl name # return (synth(404, "Not Found")); <-- uncomment # } <-- uncomment ######################################################### <-- keep this lineUncomment the code section:
######################################################### <-- keep this line ## CUSTOMIZABLE SECTION: Access Control List (ACL) ###### <-- keep this line ######################################################### <-- keep this line if (!req.http.X-Acquia-Request && std.ip(req.http.client-ip, "127.0.0.2") !~ acquia_acls && std.ip(req.http.client-ip, "127.0.0.2") !~ aws_internal && std.ip(req.http.client-ip, "127.0.0.2") !~ customername) { return (synth(404, "Not Found")); } ######################################################### <-- keep this lineIn the
std.ip(req.http.client-ip, "127.0.0.2") !~ customername) {line, replace the textcustomernamewith the ACL name that you defined earlier.Save the VCL file.
Database backups following the VCL access list update
After adding an access control list to your Varnish configuration file, you may not be able to download database backups through the Cloud user interface. It happens because while limiting access to your sites, your access control list also limits access to your Acquia default domain, such as example.prod.acquia-sites.com, that is required for database downloads to function.
To perform database backups:
In the access control list of your VCL, add the IP addresses that can download backups.
Perform database downloads through the Cloud API.