allow acme-challenges through to backends

ewdurbin · ewdurbin · commit 72335283156f · 2026-03-08T12:27:52.000-04:00
diff --git a/infra/cdn/main.tf b/infra/cdn/main.tf
@@ -124,6 +124,12 @@ resource "fastly_service_vcl" "python_org" {
     statement = "req.url ~ \"^/(api|admin)/\""
     type      = "REQUEST"
   }
+  condition {
+    name      = "Let's Encrypt"
+    priority  = 10
+    statement = "req.url ~ \"^/.well-known/acme-challenge/\""
+    type      = "REQUEST"
+  }
   condition {
     name      = "apex redirect"
     priority  = 10
@@ -133,7 +139,7 @@ resource "fastly_service_vcl" "python_org" {
   condition {
     name      = "apex"
     priority  = 1
-    statement = "req.http.host == \"python.org\""
+    statement = "req.http.host == \"python.org\" && req.url !~ \"^/.well-known/acme-challenge/\""
     type      = "REQUEST"
   }
   condition {
@@ -350,6 +356,15 @@ resource "fastly_service_vcl" "python_org" {
     request_condition = "Uncacheable URLs"
     xff               = "append"
   }
+  request_setting {
+    action            = "pass"
+    bypass_busy_wait  = false
+    force_ssl         = false
+    max_stale_age     = 0
+    name              = "Let's Encrypt"
+    request_condition = "Let's Encrypt"
+    xff               = "append"
+  }
 
   response_object {
     name              = "www redirect"
