
Load static assets from S3 directly #86

Merged
merged 1 commit into from
Jul 16, 2024
3 changes: 3 additions & 0 deletions modules/www/main.tf
Expand Up @@ -14,6 +14,9 @@ locals {
ssl_ciphers = "ECDHE-RSA-AES256-GCM-SHA384"
basic_authentication = null

s3_static_assets_port = 443
s3_static_assets_hostname = null

# these values are needed even if mirrors aren't enabled in an environment
s3_mirror_hostname = null
s3_mirror_prefix = null
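Review bot: `s3_static_assets_hostname = null` is a default the template cannot render if nothing overrides it, because the new `F_staticAssetsS3` backend in `www.vcl.tftpl` is emitted unconditionally and interpolates this value into `.host`, `.ssl_cert_hostname` and `.ssl_sni_hostname`, and Terraform rejects a null inside a string template. Whether every environment supplies a hostname is not visible here. Either document the requirement above the two new locals, e.g. `# required per environment: the static assets backend is always rendered and this name is what the TLS certificate is checked against`, or wrap the backend and its `vcl_recv` rule in `%{ if s3_static_assets_hostname != null ~}`. The `locals` block starts and continues outside this hunk.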
47 changes: 47 additions & 0 deletions modules/www/www.vcl.tftpl
Expand Up @@ -36,6 +36,32 @@ backend F_origin {
%{ endif ~}
}

backend F_staticAssetsS3 {
.connect_timeout = 1s;
.dynamic = true;
.port = "${s3_static_assets_port}";
.host = "${s3_static_assets_hostname}";
.first_byte_timeout = 15s;
.max_connections = 200;
.between_bytes_timeout = 10s;

.ssl = true;
.ssl_check_cert = always;
.min_tls_version = "${minimum_tls_version}";
.ssl_ciphers = "${ssl_ciphers}";
.ssl_cert_hostname = "${s3_static_assets_hostname}";
.ssl_sni_hostname = "${s3_static_assets_hostname}";

.probe = {
.dummy = ${probe_dns_only};
.threshold = 1;
.window = 2;
.timeout = 5s;
.initial = 1;
.interval = ${probe_interval};
}
}

%{ if contains(["staging", "production"], environment) ~}
# Mirror backend for S3
backend F_mirrorS3 {
Expand Down Expand Up @@ -342,6 +368,12 @@ sub vcl_recv {
unset req.http.Cookie;
}

if (req.url.path ~ "^\/assets(\/.*)?\z") {
set req.backend = F_staticAssetsS3;
set req.http.host = "${s3_static_assets_hostname}";
set req.http.Fastly-Backend-Name = "staticAssetsS3";
}

return(lookup);
}

Expand Down Expand Up @@ -433,7 +465,22 @@ sub vcl_fetch {
set beresp.ttl = 900s;
set beresp.http.Cache-Control = "max-age=900";
}

# Static Assets S3 bucket do not set cache headers by default. Override TTL and add cache-control to 31536000s.
# Strip out common S3 headers
if (beresp.http.Fastly-Backend-Name ~ "^staticAssetsS3$") {
set beresp.ttl = 31536000s;
set beresp.http.Cache-Control = "max-age=31536000, public, immutable";
set beresp.http.Access-Control-Allow-Origin = "*";

unset beresp.http.x-amz-id-2;
unset beresp.http.x-amz-meta-server-side-encryption;
unset beresp.http.x-amz-request-id;
unset beresp.http.x-amz-version-id;
unset beresp.http.x-amz-server-side-encryption;
}
}

# Strip cookies from outbound requests. Corresponding rule in vcl_recv{}
if (req.url !~ "^/(apply-for-a-licence|email|sign-in/callback)") {
unset beresp.http.Set-Cookie;
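Review bot: The `staticAssetsS3` branch in `vcl_fetch` sets a one-year TTL and `Cache-Control: max-age=31536000, public, immutable` without looking at `beresp.status`, so an S3 error response for an `/assets` path (for example a 403 or 404 for an object that is not uploaded yet) would be handed to browsers as immutable for a year and may be held at the edge as well. Restricting the override to successful responses avoids that: `if (beresp.http.Fastly-Backend-Name ~ "^staticAssetsS3$" && beresp.status == 200) {`. The branch also relies on `Fastly-Backend-Name` being copied from the request onto `beresp` somewhere outside this hunk, since `vcl_recv` only sets `req.http.Fastly-Backend-Name`; a one-line comment saying so would help the next reader. `vcl_fetch` starts and ends outside the hunk, so an earlier status check may already exist.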