Centinel AnalyticaCentinel Analytica
PlatformsCDN / Edge

Fastly VCL

Deploy Centinel Analytica on your Fastly VCL service via Terraform or the Fastly Web UI.

Overview

Seven VCL snippets and a Terraform module add an edge-side validation step against the Centinel /validate API. Requests are checked, blocked, redirected, or forwarded to your origin based on the validator's decision. Fail-open by default. Takes 2-3 minutes to roll out across Fastly's edge.

Prerequisites

  • Centinel API key (for validator authentication)
  • Fastly account with API token (Account → Personal API Tokens, full-service access)
  • A configured origin backend
  • Terraform 1.0+ (recommended) or access to the Fastly Web UI

Install

Download centinel-fastly.zip and extract. Both install paths run from inside the resulting snippets/ directory.

Terraform deployment

Step 1 — Install prerequisites

# macOS
brew install terraform

terraform --version    # >= 1.0

Step 2 — Set up authentication

export FASTLY_API_KEY="your-fastly-api-token"

Create an API token in your Fastly dashboard under Account → Personal API Tokens. The token needs full-service access.

Step 3 — Configure variables

In the snippets/ directory from the downloaded zip, create terraform.tfvars:

centinel_api_key = "your-centinel-api-key"
domain_name      = "www.example.com"
origin_address   = "origin.example.com"
service_name     = "Centinel Production"

# Optional:
# origin_port              = 443
# origin_use_ssl           = true
# debug                    = false

Step 4 — Initialize and deploy

Run from inside the snippets/ directory (where main.tf and your terraform.tfvars live):

cd snippets
terraform init
terraform plan
terraform apply

This creates:

  • A Fastly service with your domain
  • An origin backend pointing at origin_address
  • A centinel backend pointing at validator.centinelanalytica.com
  • An Edge Dictionary named centinel_config holding the API key and debug flag.
  • 7 VCL snippets at priority 50 (init, recv, pass, miss, fetch, deliver, error)

All resources are deployed in a single terraform apply pass.

Manual installation via Fastly Web UI

Step 1 — Prepare your service

  1. Log into your Fastly dashboard.
  2. Select your service or create a new one.
  3. Click Clone version to create an editable draft (you can't edit active versions).

Step 2 — Create the origin backend

In Origins → Hosts, add your origin backend (name it origin).

Step 3 — Create the centinel backend

In Origins → Hosts, add a second backend:

  • Name: centinel
  • Address: validator.centinelanalytica.com
  • Port: 443
  • Use SSL: yes
  • SSL hostname: validator.centinelanalytica.com
  • SSL SNI hostname: validator.centinelanalytica.com
  • Override host: validator.centinelanalytica.com
  • Connect timeout: 3000 ms
  • First byte timeout: 5000 ms
  • Between bytes timeout: 2000 ms

Step 4 — Create the Edge Dictionary

In Edge Dictionaries → Create:

  • Name: centinel_config
  • Add items:
    • secret_key<your-centinel-api-key>
    • debugfalse
  • Save.

Step 5 — Upload the seven VCL snippets

In VCL Snippets → Create snippet, repeat for each file in the snippets/ directory from the downloaded zip:

FileSnippet typeNamePriority
init.vclinitcentinel_init50
recv.vclrecvcentinel_recv50
pass.vclpasscentinel_pass50
miss.vclmisscentinel_miss50
fetch.vclfetchcentinel_fetch50
deliver.vcldelivercentinel_deliver50
error.vclerrorcentinel_error50

Paste each file's contents verbatim.

Step 6 — Activate the service

  1. Review all snippets and backends.
  2. Click Activate on the new version.
  3. Wait 2-3 minutes for the new VCL to propagate globally.

The service is now active and protecting your origin.

Configure

Terraform variables

VariableTypeRequiredDefaultDescription
centinel_api_keystringyesCentinel validator API key. Stored in the dictionary; required for validation.
domain_namestringyesYour service domain (e.g. www.example.com).
origin_addressstringyesOrigin backend address.
service_namestringnocentinel_protected_serviceFastly service name.
origin_portnumberno443Origin port.
origin_use_sslboolnotrueUse TLS to origin.
debugboolnofalseEcho x-centinel-* debug headers on the client response.

Edge Dictionary items (centinel_config)

KeyRequiredDescription
secret_keyyesCentinel validator API key.
debugno"true" or "false" (string). When "true", debug headers leak to client responses.

Verify

terraform output service_id
terraform output service_domain

# Hit your domain
curl -i https://www.example.com/
curl -i https://www.example.com/

Expect: 200 OK, Set-Cookie: _centinel=...; Path=/; HttpOnly; Secure; SameSite=Lax; Max-Age=86400, and Server-Timing: validator;dur=<ms>.

Cloudflare Workers (npm)

Add Centinel bot detection to an existing Cloudflare Worker using the npm package.

Fastly Compute (Rust)

Add Centinel Analytica bot protection to your Fastly Compute service using the Rust SDK.

On this page

OverviewPrerequisitesInstallTerraform deploymentStep 1 — Install prerequisitesStep 2 — Set up authenticationStep 3 — Configure variablesStep 4 — Initialize and deployManual installation via Fastly Web UIStep 1 — Prepare your serviceStep 2 — Create the origin backendStep 3 — Create the centinel backendStep 4 — Create the Edge DictionaryStep 5 — Upload the seven VCL snippetsStep 6 — Activate the serviceConfigureTerraform variablesEdge Dictionary items (centinel_config)Verify