Custom Varnish configuration

This document contains information about custom Varnish configuration for Cloud Platform Enterprise applications.

Note

Custom Varnish configurations are available only to Cloud Platform Enterprise subscriptions with dedicated load balancers and Site Factory customers with Technical Account Manager (TAM). CDNs do not support custom Varnish configurations.

Cloud Platform installs Varnish Cache, a caching reverse proxy, in front of all Cloud Platform load balancing infrastructure. To modify the behavior of Varnish, you must create a custom Varnish configuration using Varnish’s domain-specific programming language, VCL. For more information about how Varnish caching benefits your website, visit Using Varnish.

To deploy a custom Varnish configuration, create a Support ticket. Acquia will provide you with a test balancer for one week to test your new custom VCL. However, creating and testing the custom VCL is your responsibility.

Cloud Platform Enterprise customers must create a Support ticket to request a copy of the full VCL, based on their contractual NDA. Acquia does not disclose the configuration of the Nginx infrastructure, as the configuration is both proprietary and subject to change without notice. Acquia Support does not provide support for specific VCL customizations.

Allowed Varnish configuration use case

The following is the only permitted use case for custom Varnish configurations in Cloud Platform:

Varnish Access Control Lists (vACL): Allow or deny access to a website by IP address or range. Excluding based on paths is prohibited. For more information, visit Customized ACLs on Cloud Platform.

Custom Varnish configuration schedule

Acquia deploys custom Varnish configurations on a weekly schedule.

To deploy your custom Varnish configuration:

Create a Support ticket to determine if one of the allowed VCL modifications is an appropriate solution for your needs.
Request a copy of your current VCL from Acquia.
Supply Acquia the list of environments in front of which you want to place the test load balancer.
Choose to either supply a new VCL file, or request to reinstate the default Acquia VCL, by Monday at 12:00 PM Eastern Standard Time (EST) (convert to UTC).
- If you choose to supply a new VCL file, you must supply the entire VCL file, and not only the lines you want to change.
- If you choose to reinstate the default Acquia VCL, explicitly state this request in your Support ticket. You do not need to submit a VCL file in this case.
  Note
  VCL files on Cloud Platform must be less than 128 KB in size.
Acquia deploys a test load balancer with the new VCL no later than 17:00 Eastern (North America) Time on Tuesday.
Test that the new features work as expected.
To test the VCL on the test load balancer,

Acquia release schedule

VCL updates restart Varnish and clear Varnish cache. To minimize disruption, Acquia releases VCL files during non-peak periods, according to the following schedule:

Region	Data centers	Time
Asia-Pacific and Japan *	AP-southeast-2, AP-southeast-1, AP-northeast-1	19:00–20:00 UTC Thursday
Europe and Africa	EU-central-1, EU-west-1	04:00–05:00 UTC Friday
Americas	SA-east-1, US-east-1, CA-central-1, US-west-2	07:00–08:00 UTC Friday

* Default window

Customized ACLs on Cloud Platform

Custom Varnish Access Control Lists (vACLs) provided as part of a custom VCL must have the following structure:

Multiple allowlist and denylist rules may be created for each application.
Individual rules may be applied to multiple domain names on multiple environments.
Access control rules must be organized by domain name, and must not reuse domain name references.
All IPv4 addresses must be requested from the customer.

Note

If a CDN is present, an Access Control List in a cVCL is not applied to cached traffic at the CDN level. If you have a CDN, ensure that you apply access restrictions through the CDN.

To configure an ACL:

In the VCL file, locate the following section:

########################################################### <-- keep this line
## CUSTOMIZABLE SECTION: Access Control List (ACL) ######## <-- keep this line
########################################################### <-- keep this line
# acl customername {                                        <-- uncomment + edit
#   "10.10.9.1";     /* Website developer Annie.       */   <-- uncomment + edit
#   "10.10.9.2";     /* Joe at Operations.             */   <-- uncomment + edit
#   "10.10.10.0"/24; /* Entire team of editors.        */   <-- uncomment + edit
#   ! "10.10.11.1";  /* Except Chris.                  */   <-- uncomment + edit
# }                                                         <-- uncomment
########################################################### <-- keep this line

Uncomment the editable lines:

########################################################### <-- keep this line
## CUSTOMIZABLE SECTION: Access Control List (ACL) ######## <-- keep this line
########################################################### <-- keep this line
acl customername {
  "10.10.9.1";     /* Website developer Annie.       */
  "10.10.9.2";     /* Joe at Operations.             */
  "10.10.10.0"/24; /* Entire team of editors.        */
  ! "10.10.11.1";  /* Except Chris.                  */
}
########################################################### <-- keep this line

Change the name of the ACL:
```
acl MyCustomer {
```

Replace the template IP addresses with the IPv4 addresses that you want to allow:

"233.163.58.255";     /* Office HQ                */
"17.57.71.1";         /* European partner agency  */
"238.243.52.0"/24;    /* Address range CI tooling */

In the VCL file, locate the enforcement section:

#########################################################        <-- keep this line
## CUSTOMIZABLE SECTION: Access Control List (ACL) ######        <-- keep this line
#########################################################        <-- keep this line
# if (!req.http.X-Acquia-Request &&                              <-- uncomment
#     std.ip(req.http.client-ip, "127.0.0.2") !~ acquia_acls &&  <-- uncomment
#     std.ip(req.http.client-ip, "127.0.0.2") !~ aws_internal && <-- uncomment
#     std.ip(req.http.client-ip, "127.0.0.2") !~ customername) { <-- edit acl name
#     return (synth(404, "Not Found"));                          <-- uncomment
# }                                                              <-- uncomment
#########################################################        <-- keep this line

Using Custom Varnish Configuration file with Acquia Purge

If your Cloud Next application uses a Custom Varnish Configuration (cVCL) file to restrict access based on IP addresses, you might experience issues with the Acquia Purge module. This occurs because purge requests originate from Web EIP addresses in Cloud Next. By default, such requests are blocked if you do not explicitly allowlist the Web EIPs in your cVCL.

Workaround:

Contact Acquia Support to enable Web EIPs.
Update your custom VCL to allowlist the Web EIP addresses.

Database backups following the VCL access list update

After adding an access control list to your Varnish configuration file, you may not be able to download database backups through the Cloud user interface. It happens because while limiting access to your sites, your access control list also limits access to your Acquia default domain, such as example.prod.acquia-sites.com, that is required for database downloads to function.

To perform database backups:

In the access control list of your VCL, add the IP addresses that can download backups.
Perform database downloads through the Cloud API.

Allowed Varnish configuration use case

The following is the only permitted use case for custom Varnish configurations in Cloud Platform:

Varnish Access Control Lists (vACL): Allow or deny access to a website by IP address or range. Excluding based on paths is prohibited. For more information, visit Customized ACLs on Cloud Platform.

Custom Varnish configuration schedule

Acquia deploys custom Varnish configurations on a weekly schedule.

To deploy your custom Varnish configuration:

Create a Support ticket to determine if one of the allowed VCL modifications is an appropriate solution for your needs.
Request a copy of your current VCL from Acquia.
Supply Acquia the list of environments in front of which you want to place the test load balancer.
Choose to either supply a new VCL file, or request to reinstate the default Acquia VCL, by Monday at 12:00 PM Eastern Standard Time (EST) (convert to UTC).
- If you choose to supply a new VCL file, you must supply the entire VCL file, and not only the lines you want to change.
- If you choose to reinstate the default Acquia VCL, explicitly state this request in your Support ticket. You do not need to submit a VCL file in this case.
  Note
  VCL files on Cloud Platform must be less than 128 KB in size.
Acquia deploys a test load balancer with the new VCL no later than 17:00 Eastern (North America) Time on Tuesday.
Test that the new features work as expected.
To test the VCL on the test load balancer,

Acquia release schedule

VCL updates restart Varnish and clear Varnish cache. To minimize disruption, Acquia releases VCL files during non-peak periods, according to the following schedule:

Region	Data centers	Time
Asia-Pacific and Japan *	AP-southeast-2, AP-southeast-1, AP-northeast-1	19:00–20:00 UTC Thursday
Europe and Africa	EU-central-1, EU-west-1	04:00–05:00 UTC Friday
Americas	SA-east-1, US-east-1, CA-central-1, US-west-2	07:00–08:00 UTC Friday

* Default window

Customized ACLs on Cloud Platform

Custom Varnish Access Control Lists (vACLs) provided as part of a custom VCL must have the following structure:

Multiple allowlist and denylist rules may be created for each application.
Individual rules may be applied to multiple domain names on multiple environments.
Access control rules must be organized by domain name, and must not reuse domain name references.
All IPv4 addresses must be requested from the customer.

Note

If a CDN is present, an Access Control List in a cVCL is not applied to cached traffic at the CDN level. If you have a CDN, ensure that you apply access restrictions through the CDN.

To configure an ACL:

In the VCL file, locate the following section:

########################################################### <-- keep this line
## CUSTOMIZABLE SECTION: Access Control List (ACL) ######## <-- keep this line
########################################################### <-- keep this line
# acl customername {                                        <-- uncomment + edit
#   "10.10.9.1";     /* Website developer Annie.       */   <-- uncomment + edit
#   "10.10.9.2";     /* Joe at Operations.             */   <-- uncomment + edit
#   "10.10.10.0"/24; /* Entire team of editors.        */   <-- uncomment + edit
#   ! "10.10.11.1";  /* Except Chris.                  */   <-- uncomment + edit
# }                                                         <-- uncomment
########################################################### <-- keep this line

Uncomment the editable lines:

########################################################### <-- keep this line
## CUSTOMIZABLE SECTION: Access Control List (ACL) ######## <-- keep this line
########################################################### <-- keep this line
acl customername {
  "10.10.9.1";     /* Website developer Annie.       */
  "10.10.9.2";     /* Joe at Operations.             */
  "10.10.10.0"/24; /* Entire team of editors.        */
  ! "10.10.11.1";  /* Except Chris.                  */
}
########################################################### <-- keep this line

Change the name of the ACL:
```
acl MyCustomer {
```

Replace the template IP addresses with the IPv4 addresses that you want to allow:

"233.163.58.255";     /* Office HQ                */
"17.57.71.1";         /* European partner agency  */
"238.243.52.0"/24;    /* Address range CI tooling */

In the VCL file, locate the enforcement section:

#########################################################        <-- keep this line
## CUSTOMIZABLE SECTION: Access Control List (ACL) ######        <-- keep this line
#########################################################        <-- keep this line
# if (!req.http.X-Acquia-Request &&                              <-- uncomment
#     std.ip(req.http.client-ip, "127.0.0.2") !~ acquia_acls &&  <-- uncomment
#     std.ip(req.http.client-ip, "127.0.0.2") !~ aws_internal && <-- uncomment
#     std.ip(req.http.client-ip, "127.0.0.2") !~ customername) { <-- edit acl name
#     return (synth(404, "Not Found"));                          <-- uncomment
# }                                                              <-- uncomment
#########################################################        <-- keep this line

Using Custom Varnish Configuration file with Acquia Purge

Workaround:

Contact Acquia Support to enable Web EIPs.
Update your custom VCL to allowlist the Web EIP addresses.

Database backups following the VCL access list update

To perform database backups:

In the access control list of your VCL, add the IP addresses that can download backups.
Perform database downloads through the Cloud API.

Allowed Varnish configuration use case

The following is the only permitted use case for custom Varnish configurations in Cloud Platform:

Varnish Access Control Lists (vACL): Allow or deny access to a website by IP address or range. Excluding based on paths is prohibited. For more information, visit Customized ACLs on Cloud Platform.

Custom Varnish configuration schedule

Acquia deploys custom Varnish configurations on a weekly schedule.

To deploy your custom Varnish configuration:

Create a Support ticket to determine if one of the allowed VCL modifications is an appropriate solution for your needs.
Request a copy of your current VCL from Acquia.
Supply Acquia the list of environments in front of which you want to place the test load balancer.
Choose to either supply a new VCL file, or request to reinstate the default Acquia VCL, by Monday at 12:00 PM Eastern Standard Time (EST) (convert to UTC).
- If you choose to supply a new VCL file, you must supply the entire VCL file, and not only the lines you want to change.
- If you choose to reinstate the default Acquia VCL, explicitly state this request in your Support ticket. You do not need to submit a VCL file in this case.
  Note
  VCL files on Cloud Platform must be less than 128 KB in size.
Acquia deploys a test load balancer with the new VCL no later than 17:00 Eastern (North America) Time on Tuesday.
Test that the new features work as expected.
To test the VCL on the test load balancer,

Acquia release schedule

VCL updates restart Varnish and clear Varnish cache. To minimize disruption, Acquia releases VCL files during non-peak periods, according to the following schedule:

Region	Data centers	Time
Asia-Pacific and Japan *	AP-southeast-2, AP-southeast-1, AP-northeast-1	19:00–20:00 UTC Thursday
Europe and Africa	EU-central-1, EU-west-1	04:00–05:00 UTC Friday
Americas	SA-east-1, US-east-1, CA-central-1, US-west-2	07:00–08:00 UTC Friday

* Default window

Customized ACLs on Cloud Platform

Custom Varnish Access Control Lists (vACLs) provided as part of a custom VCL must have the following structure:

Multiple allowlist and denylist rules may be created for each application.
Individual rules may be applied to multiple domain names on multiple environments.
Access control rules must be organized by domain name, and must not reuse domain name references.
All IPv4 addresses must be requested from the customer.

Note

If a CDN is present, an Access Control List in a cVCL is not applied to cached traffic at the CDN level. If you have a CDN, ensure that you apply access restrictions through the CDN.

To configure an ACL:

In the VCL file, locate the following section:

########################################################### <-- keep this line
## CUSTOMIZABLE SECTION: Access Control List (ACL) ######## <-- keep this line
########################################################### <-- keep this line
# acl customername {                                        <-- uncomment + edit
#   "10.10.9.1";     /* Website developer Annie.       */   <-- uncomment + edit
#   "10.10.9.2";     /* Joe at Operations.             */   <-- uncomment + edit
#   "10.10.10.0"/24; /* Entire team of editors.        */   <-- uncomment + edit
#   ! "10.10.11.1";  /* Except Chris.                  */   <-- uncomment + edit
# }                                                         <-- uncomment
########################################################### <-- keep this line

Uncomment the editable lines:

########################################################### <-- keep this line
## CUSTOMIZABLE SECTION: Access Control List (ACL) ######## <-- keep this line
########################################################### <-- keep this line
acl customername {
  "10.10.9.1";     /* Website developer Annie.       */
  "10.10.9.2";     /* Joe at Operations.             */
  "10.10.10.0"/24; /* Entire team of editors.        */
  ! "10.10.11.1";  /* Except Chris.                  */
}
########################################################### <-- keep this line

Change the name of the ACL:
```
acl MyCustomer {
```

Replace the template IP addresses with the IPv4 addresses that you want to allow:

"233.163.58.255";     /* Office HQ                */
"17.57.71.1";         /* European partner agency  */
"238.243.52.0"/24;    /* Address range CI tooling */

In the VCL file, locate the enforcement section:

#########################################################        <-- keep this line
## CUSTOMIZABLE SECTION: Access Control List (ACL) ######        <-- keep this line
#########################################################        <-- keep this line
# if (!req.http.X-Acquia-Request &&                              <-- uncomment
#     std.ip(req.http.client-ip, "127.0.0.2") !~ acquia_acls &&  <-- uncomment
#     std.ip(req.http.client-ip, "127.0.0.2") !~ aws_internal && <-- uncomment
#     std.ip(req.http.client-ip, "127.0.0.2") !~ customername) { <-- edit acl name
#     return (synth(404, "Not Found"));                          <-- uncomment
# }                                                              <-- uncomment
#########################################################        <-- keep this line

Using Custom Varnish Configuration file with Acquia Purge

Workaround:

Contact Acquia Support to enable Web EIPs.
Update your custom VCL to allowlist the Web EIP addresses.

Database backups following the VCL access list update

To perform database backups:

In the access control list of your VCL, add the IP addresses that can download backups.
Perform database downloads through the Cloud API.

Get Answers

Search

Search

Allowed Varnish configuration use case

Custom Varnish configuration schedule

Acquia release schedule

Customized ACLs on Cloud Platform

Using Custom Varnish Configuration file with Acquia Purge

Database backups following the VCL access list update

Related topics

Allowed Varnish configuration use case

Custom Varnish configuration schedule

Acquia release schedule

Customized ACLs on Cloud Platform

Using Custom Varnish Configuration file with Acquia Purge

Database backups following the VCL access list update

Related topics

Allowed Varnish configuration use case

Custom Varnish configuration schedule

Acquia release schedule

Customized ACLs on Cloud Platform

Using Custom Varnish Configuration file with Acquia Purge

Database backups following the VCL access list update

Related topics

Did not find what you were looking for?

Did not find what you were looking for?