# Wallarm Connector for Fastly [Fastly](https://www.fastly.com/) is a powerful edge cloud platform providing Content Delivery Network (CDN) services, real-time application delivery, caching, and Compute@Edge for running custom logic at the edge. With the Wallarm connector, you can secure APIs running on Fastly. To use Wallarm as a Fastly connector, you need to **deploy the Wallarm Node externally** and **run a Fastly Compute service using the Wallarm-provided binaries** to route traffic to the Wallarm Node for analysis. The Fastly connector supports both [in-line](https://docs.wallarm.com/installation/inline/overview.md) and [out-of-band](https://docs.wallarm.com/installation/oob/overview.md) traffic flows. ## Use cases This solution is recommended in case when you deliver traffic through Fastly. ## Limitations * When deploying the Wallarm service with the `LoadBalancer` type using the [Helm chart](https://docs.wallarm.com/installation/native-node/helm-chart.md), a **trusted** SSL/TLS certificate is required for the Node instance domain. Self-signed certificates are not yet supported. * [Rate limiting](https://docs.wallarm.com/user-guides/rules/rate-limiting.md) by the Wallarm rule is not supported. * [Multitenancy](https://docs.wallarm.com/installation/multi-tenant/overview.md) is not supported on Security Edge hosting, but it is supported for self-hosted nodes deployed with the connector. ## Requirements To proceed with the deployment, ensure that the following requirements are met: * Understanding of Fastly technologies. * APIs or traffic running through Fastly. * [Fastly CLI installed](https://www.fastly.com/documentation/reference/tools/cli/#installing). ## Deployment ### 1. Deploy a Wallarm Node The Wallarm Node is a core component of the Wallarm platform that you need to deploy. It inspects incoming traffic, detects malicious activities, and can be configured to mitigate threats. You can deploy it either hosted by Wallarm or in your own infrastructure, depending on the level of control you require. **Edge node:** To deploy a Wallarm-hosted node for the connector, follow the [instructions](https://docs.wallarm.com/installation/security-edge/se-connector.md). **Self-hosted node:** Choose an artifact for a self-hosted node deployment and follow the attached instructions: * [All-in-one installer](https://docs.wallarm.com/installation/native-node/all-in-one.md) for Linux infrastructures on bare metal or VMs * [Docker image](https://docs.wallarm.com/installation/native-node/docker-image.md) for environments that use containerized deployments * [AWS AMI](https://docs.wallarm.com/installation/native-node/aws-ami.md) for AWS infrastructures * [Helm chart](https://docs.wallarm.com/installation/native-node/helm-chart.md) for infrastructures utilizing Kubernetes ### 2. Deploy Wallarm code on Fastly To route traffic from Fastly to the Wallarm Node, you need to deploy a Fastly Compute service with the corresponding Wallarm logic: 1. Proceed to Wallarm Console → **Security Edge** → **Connectors** → **Download code bundle** and download the Wallarm package. If running a self-hosted node, contact sales@wallarm.com to get the package. 1. Go to **Fastly** UI → **Account** → **API tokens** → **Personal tokens** → **Create token**: * Type: Automation token * Scope: Global API access * Leave other settings at their default unless specific changes are required ![](https://docs.wallarm.com/images/waf-installation/gateways/fastly/generate-token.png) 1. Go to **Fastly** UI → **Compute** → **Compute services** → **Create service** → **Use a local project** and create an instance for Wallarm. Once created, copy the generated `--service-id`: ![](https://docs.wallarm.com/images/waf-installation/gateways/fastly/create-compute-service.png) 1. Go to the local directory containing the Wallarm package and deploy it: ``` fastly compute deploy --service-id= --package=wallarm-api-security.tar.gz --token= ``` The success message: ``` SUCCESS: Deployed package (service service_id, version 1) ``` ??? warning "Error reading fastly.toml" If you get the following error: ``` ✗ Verifying fastly.toml ERROR: error reading fastly.toml. ``` Ensure you are using the provided `fastly compute deploy` instead of `fastly compute publish`. ### 3. Specify Wallarm Node's and backend's hosts For proper traffic routing for analysis and forwarding, you need to define the Wallarm Node and backend hosts in the Fastly service configuration: 1. Go to **Fastly** UI → **Compute** → **Compute services** → Wallarm service → **Edit configuration**. 1. Go to **Origins** and **Create hosts**: * Add the Wallarm node URL as the `wallarm-node` host to route traffic to the Wallarm node for analysis. * Add your backend address as another host (e.g., `backend`) to forward traffic from the node to your origin backend. ![](https://docs.wallarm.com/images/waf-installation/gateways/fastly/hosts.png) 1. **Activate** the new service version. ### 4. Create the Wallarm config store Create the `wallarm_config` config defining Wallarm-specific settings: 1. Go to **Fastly** UI → **Resources** → **Config stores** → **Create a config store** and create the `wallarm_config` store with the following key-value items: | Parameter | Description | Required? | | --------- | ----------- | --------- | | `WALLARM_BACKEND` | Host name for the Wallarm Node instance specified in Compute service settings. | Yes | | `ORIGIN_BACKEND` | Host name for the backend specified in Compute service settings. | Yes | | `WALLARM_MODE_ASYNC` | Enables traffic [copy](https://docs.wallarm.com/installation/oob/overview.md) analysis without affecting the original flow (`true`) or inline analysis (`false`, default). | No | [More parameters](https://docs.wallarm.com/installation/connectors/fastly.md#configuration-options) 1. **Link** the config store to the Wallarm Compute service. ![](https://docs.wallarm.com/images/waf-installation/gateways/fastly/config-store.png) !!! info "Config stores for multiple services" If you run multiple Compute services for Wallarm, you can do one of the following: * Create multiple config stores with different configurations and link each of them to corresponding service. * Share the same config store (for example, `wallarm_config`) across multiple services. Note that while all services must use the same origin backend name, the actual backend value can be customized in each service's settings. ### 5. (Optional) Set up a custom blocking page When the Wallarm Node operates in inline mode and [blocks](https://docs.wallarm.com/admin-en/configure-wallarm-mode.md) attacks, it responds to malicious requests with HTTP 403 status codes. To customize the response, you can configure a custom HTML blocking page using a KV store in Fastly: 1. Go to **Fastly** UI → **Resources** → **KV stores** → **Create a KV store** and create a store named `wallarm`. 1. Add a key named `block_page.html` and upload your custom HTML blocking page. This page will be returned to blocked requests. 1. **Link** the KV store to the Wallarm Compute service. ![](https://docs.wallarm.com/images/waf-installation/gateways/fastly/custom-block-page.png) ??? info "Show Wallarm template for a custom blocking page" As a starting point, you can use the following Wallarm-provided template for a custom blocking page. Adjust it as needed to include the information you want to display to users and to match your desired design: ```html You are blocked
Malicious activity blocked
Your request is blocked since it was identified as a malicious one.
Why it happened
You might have used symbols similar to a malicious code sequence, or uploaded a specific file.
What to do
If your request is considered to be legitimate, please contact us and provide your last action description and the following data:
IP ${remote_addr}
Blocked on ${time_iso8601}
UUID ${request_id}
``` ## Testing To test the functionality of the deployed solution, follow these steps: 1. Send the request with the test [Path Traversal](https://docs.wallarm.com/attacks-vulns-list.md#path-traversal) attack to the Wallarm Compute service domain: ``` curl http:///etc/passwd ``` 1. Open Wallarm Console → **Attacks** section in the [US Cloud](https://us1.my.wallarm.com/attacks) or [EU Cloud](https://my.wallarm.com/attacks), or [ME Cloud](https://me1.my.wallarm.com/attacks) and make sure the attack is displayed in the list. ![Attacks in the interface](https://docs.wallarm.com/images/admin-guides/test-attacks-quickstart.png) If the Wallarm Node mode is set to [blocking](https://docs.wallarm.com/admin-en/configure-wallarm-mode.md) and the traffic flows in-line, the request will also be blocked. ## Configuration options In the Wallarm config store, you can specify the following key-value items: | Parameter | Description | Required? | | --------- | ----------- | --------- | | `WALLARM_BACKEND` | Host name for the Wallarm Node instance specified in Compute service settings. | Yes | | `ORIGIN_BACKEND` | Host name for the backend specified in Compute service settings. | Yes | | `WALLARM_MODE_ASYNC` | Enables traffic [copy](https://docs.wallarm.com/installation/oob/overview.md) analysis without affecting the original flow (`true`) or inline analysis (`false`, default). | No | | `WALLARM_DEBUG` | Writes debug information to tailing logs (`true`) or disables it (`false`, default). | No | | `WALLARM_RESPONSE_BODY_SIZE_LIMIT` | Limit for a response body size the Node can parse and analyze (in bytes). Non-numerical values like `none` (default) mean no limit. | No | | `ORIGIN_PASS_CACHE` | Forces pass-through behavior for requests sent to the origin backend, bypassing Fastly's caching layer (`true`). By default, the Fastly's caching layer is used (`false`). | No | | `ORIGIN_PRESERVE_HOST` | Retains the original `Host` header from the client request instead of replacing it with the origin backend's hostname via the `X-Forwarded-Host` header. Useful for backends relying on the original `Host` for routing or logging. Default: `false`. | No | | `LOGGING_ENDPOINT` | Sets a [logging endpoint](https://www.fastly.com/documentation/guides/integrations/logging/) for the connector. Default: tailing logs (stderr). | No | ## Upgrading the Wallarm Compute service on Fastly To upgrade the deployed Fastly Compute service to a [newer version](https://docs.wallarm.com/installation/connectors/code-bundle-inventory.md#fastly): 1. Proceed to Wallarm Console → **Security Edge** → **Connectors** → **Download code bundle** and download the updated code bundle. If running a self-hosted node, contact sales@wallarm.com to get the updated code bundle. 1. Go to the directory containing the updated `wallarm-api-security.tar.gz` Wallarm package archive and run: ``` fastly compute deploy --service-id= --package=wallarm-api-security.tar.gz --token= ``` * `` with the ID of your deployed Wallarm service. * `` with the Fastly API token used for deployment. 1. **Activate** the new service version in the Fastly UI. Compute service upgrades may require a Wallarm Node upgrade, especially for major version updates. See the [Native Node changelog](https://docs.wallarm.com/updating-migrating/native-node/node-artifact-versions.md) for the self-hosted Node release notes and upgrade instructions or the [Edge connector upgrade procedure](https://docs.wallarm.com/installation/security-edge/se-connector.md#upgrading-the-edge-node). Regular node updates are recommended to avoid deprecation and simplify future upgrades.