Blocking harmful traffic for Adobe Commerce on the cloud using Fastly.


Cloud-based Adobe Commerce instances can benefit from using Fastly CDN when the store is under a DDoS attack or is overloaded with bots and crawlers. Most of the relevant settings can be configured on the Fastly configuration page (Stores → Configuration → Advanced → System → Full Page Cache → Fastly Configuration). Today we’ll tell you about several configurations that can help you resolve such issues.

The configuration lets you block access by different parameters, such as:

  • blocking by country. Access to your store can be either blocklisted (restricting connections from selected countries) or allowlisted (providing access to the store from the selected countries only).
  • blocking by IP. You can create an access control list of the IPs that should be blocked, written in CIDR notation.
  • blocking by the user agent. This requires the creation of a custom VCL snippet. For example, the Magento knowledge base provides the following code sample to block traffic created by user agents containing AhrefsBot and SemrushBot:
    name: block_bad_useragents
    type: recv
    priority: 5
    # Reject any request whose User-Agent matches one of the listed crawlers
    if ( req.http.User-Agent ~ "(AhrefsBot|SemrushBot)" ) {
        error 405 "Not allowed";
    }
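
A dry run of the IP and user-agent rules above against access-log lines, to see which requests they would reject before they are deployed. This is an added example, not code from the original article or the Magento knowledge base; the ACL entries, the log format and the log lines are constructed, and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample data: documentation-range IPs and made-up requests.
BLOCKED_CIDRS = ["203.0.113.0/24", "198.51.100.17/32"]  # hypothetical ACL entries
UA_PATTERN = r"(AhrefsBot|SemrushBot)"                   # pattern from the snippet above
SAMPLE_LOG = """\
203.0.113.45 "GET /checkout/cart/ HTTP/1.1" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
192.0.2.10 "GET /catalog/product/view/id/7 HTTP/1.1" "Mozilla/5.0 (compatible; AhrefsBot/7.0)"
192.0.2.11 "GET / HTTP/1.1" "Mozilla/5.0 (compatible; SemrushBot/7~bl)"
192.0.2.12 "GET / HTTP/1.1" "mozilla/5.0 (compatible; ahrefsbot/7.0)"
198.51.100.17 "POST /customer/account/loginPost/ HTTP/1.1" "curl/8.5.0"
192.0.2.13 "GET /robots.txt HTTP/1.1" "Mozilla/5.0 (compatible; Googlebot/2.1)"
"""

# Assumed log layout: client IP, quoted request line, quoted User-Agent.
LINE_RE = re.compile(r'^(\S+) "([^"]*)" "([^"]*)"$')


def load_acl(cidrs):
    """Parse ACL entries; strict=True rejects entries with host bits set (likely typos)."""
    return [ipaddress.ip_network(c, strict=True) for c in cidrs]


def decide(line, acl, ua_re):
    """Return (client_ip, verdict); verdict is 'acl', 'user-agent' or 'pass'."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    ip = ipaddress.ip_address(m.group(1))
    # Checking the ACL first is an assumption; it only changes the reported reason.
    if any(ip in net for net in acl):
        return str(ip), "acl"
    # re.search without flags is case-sensitive, like the VCL ~ operator.
    if ua_re.search(m.group(3)):
        return str(ip), "user-agent"
    return str(ip), "pass"


def dry_run(log_text=SAMPLE_LOG, cidrs=BLOCKED_CIDRS, pattern=UA_PATTERN):
    """Evaluate every non-empty log line against the ACL and the user-agent pattern."""
    acl, ua_re = load_acl(cidrs), re.compile(pattern)
    return [decide(l, acl, ua_re) for l in log_text.splitlines() if l.strip()]


if __name__ == "__main__":
    for ip, verdict in dry_run():
        print(f"{ip:<16} {verdict}")
```

The first constructed line shows a browser checkout request caught by a broad /24 entry, and the fourth shows a lower-cased crawler name passing the case-sensitive pattern; prefixing the pattern with `(?i)` makes the match case-insensitive.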

In addition, Fastly has some experimental functionality, such as rate limiting. It allows setting the desired rate limit for paths and crawlers. However, it can also cause interruptions for real customers, so it must be tested in the staging environment beforehand. Detailed information on how to set up rate limiting is available on GitHub.