Add new edge configuration for Chat.

In normal operation Fastly will send traffic directly to the origin unless we set the disable_service variable to true, then it will return a 503 error.
alphagov · Aug 14, 2024 · 85b1e96 · 85b1e96
1 parent e0758ec
commit 85b1e96
Show file tree

Hide file tree

Showing 7 changed files with 476 additions and 0 deletions.
diff --git a/chat.tf b/chat.tf
@@ -0,0 +1,41 @@
+module "chat-integration" {
+  source = "./modules/chat"
+
+  configuration = {
+    environment = "integration"
+    git_hash    = var.TFC_CONFIGURATION_VERSION_GIT_COMMIT_SHA
+    probe       = "/"
+  }
+
+  secrets = yamldecode(var.chat_integration)
+
+  dictionaries = local.dictionaries
+}
+
+module "chat-staging" {
+  source = "./modules/chat"
+
+  configuration = {
+    environment = "staging"
+    git_hash    = var.TFC_CONFIGURATION_VERSION_GIT_COMMIT_SHA
+    probe       = "/"
+  }
+
+  secrets = yamldecode(var.chat_staging)
+
+  dictionaries = local.dictionaries
+}
+
+module "chat-production" {
+  source = "./modules/chat"
+
+  configuration = {
+    environment = "production"
+    git_hash    = var.TFC_CONFIGURATION_VERSION_GIT_COMMIT_SHA
+    probe       = "/"
+  }
+
+  secrets = yamldecode(var.chat_production)
+
+  dictionaries = local.dictionaries
+}
diff --git a/modules/chat/chat.vcl.tfpl b/modules/chat/chat.vcl.tfpl
@@ -0,0 +1,206 @@
+backend F_awsorigin {
+    .connect_timeout = 5s;
+    .dynamic = true;
+    .port = "${aws_origin_port}";
+    .host = "${aws_origin_hostname}";
+    .first_byte_timeout = 15s;
+    .max_connections = 200;
+    .between_bytes_timeout = 10s;
+
+    .ssl = true;
+    .ssl_check_cert = always;
+    .min_tls_version = "${minimum_tls_version}";
+    .ssl_ciphers = "${ssl_ciphers}";
+    .ssl_cert_hostname = "${aws_origin_hostname}";
+    .ssl_sni_hostname = "${aws_origin_hostname}";
+
+    .probe = {
+        .dummy = ${probe_dns_only};
+        .request =
+            "HEAD /__canary__ HTTP/1.1"
+            "Host: ${aws_origin_hostname}"
+            "User-Agent: Fastly healthcheck (Git commit: ${git_hash})"
+            "Connection: close";
+        .threshold = 1;
+        .window = 2;
+        .timeout = 5s;
+        .initial = 1;
+        .expected_response = 200;
+        .interval = ${probe_interval};
+      }
+}
+
+acl purge_ip_allowlist {
+%{ if environment == "integration" ~}
+  "34.248.229.46";  # AWS Integration NAT gateways
+  "34.248.44.175";
+  "52.51.97.232";
+  "18.203.77.149";  # EKS Integration NAT gateways
+  "52.212.155.150";
+  "18.202.190.16";
+%{ endif ~}
+%{ if environment == "staging" ~}
+  "18.203.108.248";  # AWS Staging NAT gateways
+  "18.202.183.143";
+  "18.203.90.80";
+  "108.128.15.82";   # EKS Staging NAT gateways
+  "46.137.141.50";
+  "18.200.65.72";
+%{ endif ~}
+%{ if environment == "production" ~}
+  "18.202.136.43";   # AWS Production NAT gateways
+  "34.246.209.74";
+  "34.253.57.8";
+  "63.33.241.191";   # EKS Production NAT gateways
+  "52.208.193.230";
+  "54.220.6.200";
+  "52.51.83.47";     # EKS Production licensify NAT gateways
+  "46.137.63.103";
+  "34.249.23.204";
+%{ endif ~}
+}
+
+sub vcl_recv {
+  ${indent(2, file("${module_path}/../shared/_boundary_headers.vcl.tftpl"))}
+
+  # Require authentication for FASTLYPURGE requests unless from IP in ACL
+  if (req.request == "FASTLYPURGE" && client.ip !~ purge_ip_allowlist) {
+    set req.http.Fastly-Purge-Requires-Auth = "1";
+  }
+
+  # Check whether the remote IP address is in the list of blocked IPs
+  if (table.lookup(ip_address_denylist, client.ip)) {
+    error 403 "Forbidden";
+  }
+
+  # Force SSL.
+  if (!req.http.Fastly-SSL) {
+     error 801 "Force SSL";
+  }
+
+  ${indent(2, file("${module_path}/../shared/_security_txt_request.vcl"))}
+
+  # Default backend.
+  set req.backend = F_awsorigin;
+  set req.http.Fastly-Backend-Name = "awsorigin";
+
+#FASTLY recv
+
+%{ if disable_service = true }
+            error 503 "Service unavailable";
+%{ endif }
+
+  return(pass);
+}
+
+sub vcl_fetch {
+#FASTLY fetch
+
+  set beresp.http.Fastly-Backend-Name = req.http.Fastly-Backend-Name;
+
+  if ((beresp.status >= 500 && beresp.status <= 599) && req.restarts < 3 && (req.request == "GET" || req.request == "HEAD") && !beresp.http.No-Fallback) {
+    set beresp.saintmode = 5s;
+    return (restart);
+  }
+
+  if (req.restarts == 0) {
+    # Keep stale for origin
+    set beresp.stale_if_error = 24h;
+  }
+
+  if(req.restarts > 0 ) {
+    set beresp.http.Fastly-Restarts = req.restarts;
+  }
+
+  if (beresp.http.Cache-Control ~ "private") {
+    return (pass);
+  }
+
+  if (beresp.http.Cache-Control ~ "max-age=0") {
+    return (pass);
+  }
+
+  if (beresp.http.Cache-Control ~ "no-(store|cache)") {
+    return (pass);
+  }
+
+  if (beresp.status >= 500 && beresp.status <= 599) {
+    set beresp.ttl = 1s;
+    set beresp.stale_if_error = 5s;
+    return (deliver);
+  }
+
+  if (beresp.http.Expires || beresp.http.Surrogate-Control ~ "max-age" || beresp.http.Cache-Control ~"(s-maxage|max-age)") {
+    # keep the ttl here
+  } else {
+    # apply the default ttl
+    set beresp.ttl = ${default_ttl}s;
+    # S3 does not set cache headers by default. Override TTL and add cache-control with 15 minutes
+    if (beresp.http.Fastly-Backend-Name ~ "mirrorS3") {
+      set beresp.ttl = 900s;
+      set beresp.http.Cache-Control = "max-age=900";
+    }
+  }
+
+  # Override default.vcl behaviour of return(pass).
+  if (beresp.http.Set-Cookie) {
+    return (deliver);
+  }
+}
+
+sub vcl_hit {
+#FASTLY hit
+}
+
+sub vcl_miss {
+#FASTLY miss
+}
+
+sub vcl_deliver {
+#FASTLY deliver
+}
+
+sub vcl_error {
+  if (obj.status == 801) {
+    set obj.status = 301;
+    set obj.response = "Moved Permanently";
+    set obj.http.Location = "https://" req.http.host req.url;
+    synthetic {""};
+    return (deliver);
+  }
+
+  ${indent(2, file("${module_path}/../shared/_security_txt_response.vcl"))}
+
+  # Serve stale from error subroutine as recommended in:
+  # https://docs.fastly.com/guides/performance-tuning/serving-stale-content
+  # The use of `req.restarts == 0` condition is to enforce the restriction
+  # of serving stale only when the backend is the origin.
+  if ((req.restarts == 0) && (obj.status >= 500 && obj.status < 600)) {
+    /* deliver stale object if it is available */
+    if (stale.exists) {
+      return(deliver_stale);
+    }
+  }
+
+  # Assume we've hit vcl_error() because the backend is unavailable
+  # for the first two retries. By restarting, vcl_recv() will try
+  # serving from stale before failing over to the mirrors.
+  if (req.restarts < 3) {
+    return (restart);
+  }
+
+  synthetic {"
+    Sorry, this service is unavailable at the moment."};
+
+  return (deliver);
+
+#FASTLY error
+}
+
+sub vcl_pass {
+#FASTLY pass
+}
+
+sub vcl_hash {
+#FASTLY hash
+}