Pantheon Global CDN

Improve Site Performance and Security with Pantheon's Global CDN.


Pantheon's Global CDN is a core platform offering that provides improved performance and security for customer sites. Tap into powerful and strategically distributed Points of Presence (POPs) around the globe, where site pages and assets are cached, and HTTPS certificates are fully managed using Let's Encrypt.

Agency WebOps Training

Get the most out of Global CDN with help from the experts at Pantheon. We deliver on-demand training to help development teams master the platform and improve internal WebOps.

Benefits of Pantheon's Global CDN

Global CDN is SOC 2 compliant and offers protection against DDoS attacks that target network layers (layer 3/4) or application layers (layer 7). DDoS attacks vary in method, but all have the same goal of interfering with content on your site.

Pantheon's Global CDN also uses origin shields for additional protection. Origin shields protect sites from traffic overloads while maintaining high availability and redundancy in your setup. Origin shields also help reduce the risk of DDoS attacks.

Refer to DoS Attack Mitigation for more information.

How Does It Work?

Global CDN takes Pantheon's high-performance page and asset caching system (Varnish) and pushes it out globally. Rather than requests coming all the way to our primary data center, we terminate HTTPS and serve pages from a location much closer to the end user. This significantly reduces the time to render a web page.

  • The Global CDN cache strategy eliminates "cache sharding," in which the same content needs to be cached in separate edge cache instances. This results in higher cache hit rates.

  • Global CDN includes interfaces to dynamically expire selected content from the cache, rather than doing a full cache flush. There are basic implementations available as Drupal modules and WordPress plugins, as well as a developer API for implementing custom cache tagging/clearing behavior.

When we first turned on the Global CDN, we saw multi-second speedups in Visual Progress even within the continental US. International users will benefit even more:

Example before and after page load time

Cache Clearing

We recommend installing the Pantheon Advanced Page Cache plugin or module to take advantage of the granular cache clearing capabilities of the Global CDN. Additionally, you can remove all pages from cache at once from the Site Dashboard, within the Site Admin, and even from the command line.

For more details, see Clearing Caches for Drupal and WordPress.

Experience Protection

Serve your Drupal or WordPress site even in the unlikely event that it goes down.

The goal of Experience Protection is to provide a seamless, uninterrupted experience for the user. If the server is not responding and can't serve a new copy of a page, the CDN will choose to serve a cached version instead of displaying an error, even if the cached version has expired (this is called stale cache).

How long does content stay fresh? Adjust TTL

Adjust the length of time before the site's cached content is considered stale by adjusting the time-to-live (TTL).

Your site’s CMS page-level caching must be correctly configured in order to take advantage of Experience Protection.

On Drupal and WordPress, you can adjust your CDN edge configuration to serve stale content for a specific amount of time.

For best results, set the cache TTL to a value equal to or over 3700 seconds.

Users with session-style cookies or a NO_CACHE cookie set will bypass the cache and will not see cached content. For best results, set the NO_CACHE cookie to persist longer than the site’s page cache (this includes logged-in users and authenticated traffic). Learn more about the exceptions to page caching rules in Caching: Advanced Topics.

Confirm That Experience Protection Works

To test how stale cache is served, compare the header results of a page refresh when the site's Dev environment is live to the header results when Dev is in Maintenance Mode:

  1. Examine the headers through the command line (replace <site-url> with the URL of the page you are testing):

    curl --head <site-url>
    HTTP/2 301
    content-type: text/html
    server: nginx
    strict-transport-security: max-age=31622400
    x-pantheon-styx-hostname: styx-fe2-a-5d96768699-vcdvh
    x-styx-req-id: b7b8d4d2-04d9-11ec-a467-9a05fab906d1
    cache-control: public, max-age=86400
    date: Tue, 24 Aug 2021 15:30:21 GMT
    x-served-by: cache-mdw17379-MDW, cache-ewr18124-EWR
    x-cache: HIT, HIT
    x-cache-hits: 1, 1
    x-timer: S1629819022.932985,VS0,VE1
    pantheon-trace-id: be58e6a03a904fbfa64515ee136ffd34
    vary: Cookie, Cookie
    age: 9654
    accept-ranges: bytes
    via: 1.1 varnish, 1.1 varnish
    content-length: 162

    Note the result for age or max-age.

  2. Navigate to the site's Dev environment and set the site to Maintenance Mode.

  3. Clear the cache from either the Advanced Page Cache module or from the Dashboard.

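  4. In a terminal, cURL the site headers filtered for stale cache (replace <site-url> with the URL of the page you are testing; -i makes the match case-insensitive, because header names are printed in lowercase over HTTP/2):

    curl --head --silent <site-url> | grep -i PContext-Resp-Is-Stale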

    If the response headers include PContext-Resp-Is-Stale, the page has been successfully served from stale cache.

To run the same check in a browser instead of the command line:

  1. Navigate to the page using Firefox or Chrome, and in the browser's developer tools open the Network tab.

    Find the response headers for the page or asset.

  2. Go to the site's Dev environment and set the site to Maintenance Mode.

  3. Clear the cache from either the Advanced Page Cache module or from the Dashboard.

  4. Go back to the page and Developer Tools, then refresh the page for the newest header responses.

    If the result includes PContext-Resp-Is-Stale, the page has been successfully served from stale cache.
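The check described in the steps above can be scripted. The following is an added example, not Pantheon's own code: it parses a header block as printed by curl --head and reports the cache state. The two sample responses are constructed, and the value shown after PContext-Resp-Is-Stale is an assumption (only the header's presence is tested).

```python
import re

# Constructed samples shaped like `curl --head` output. The value after the
# stale marker is an assumption; only the header's presence is checked.
LIVE = """HTTP/2 200
cache-control: public, max-age=86400
x-cache: HIT, HIT
age: 9654
"""
MAINTENANCE = """HTTP/2 200
cache-control: public, max-age=600
x-cache: HIT, HIT
age: 4200
PContext-Resp-Is-Stale: 1
"""

def parse_headers(raw):
    """Split a raw header block into (status, {lowercased name: value})."""
    lines = [ln.strip() for ln in raw.splitlines() if ln.strip()]
    status = int(lines[0].split()[1])
    headers = {}
    for ln in lines[1:]:
        name, sep, value = ln.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return status, headers

def cache_report(raw):
    """Summarise the cache-related headers of one response."""
    status, h = parse_headers(raw)
    m = re.search(r"max-age=(\d+)", h.get("cache-control", ""))
    max_age = int(m.group(1)) if m else None
    age = int(h["age"]) if h.get("age", "").isdigit() else None
    return {
        "status": status,
        "edge_hit": "HIT" in h.get("x-cache", "").upper(),
        "age": age,
        "max_age": max_age,
        # Object has been in cache longer than its advertised max-age.
        "older_than_max_age": None not in (age, max_age) and age > max_age,
        # Header names are case-insensitive; HTTP/2 responses show them lowercased.
        "served_stale": "pcontext-resp-is-stale" in h,
    }

if __name__ == "__main__":
    for label, raw in (("live", LIVE), ("maintenance", MAINTENANCE)):
        print(label, cache_report(raw))
```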

Once you know what your site's cache currently looks like, you can check your NGINX or Fastly logs for any traffic anomalies or overages.

NGINX logs track all requests made to WordPress or Drupal, but do not include any requests that were served from the edge cache. You can use GoAccess to produce a compiled report on the most common requests, such as 404s, user agents, etc.

Fastly log extracts can be requested from your Customer Success Engineer. Standard analytics includes all pages requested, but will not include service calls and other traffic that does not load the tracking script.

In your log report, look for:

  • Disproportionate patterns of requests and 404s, which indicate possible exploits.
  • Too many requests to the index paths, which may indicate a volumetric attack against the domain.
  • Heavy requests to administrative and login paths, which may indicate a generalized CMS exploit attempt.
  • Known exploit and excess traffic paths.
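The first three patterns in the list above can be screened for automatically. This is an added example, not part of Pantheon's tooling: it flags clients whose origin traffic is dominated by 404s, index paths, or admin/login paths. The log layout (NGINX "combined"), the path list, the thresholds, and the sample lines are all assumptions constructed for illustration.

```python
import re
from collections import Counter

# NGINX "combined" layout is assumed; adjust LINE_RE to your log format.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+)[^"]*" (\d{3}) ')
ADMIN_PREFIXES = ("/wp-login.php", "/wp-admin", "/user/login", "/admin")  # assumed list
INDEX_PATHS = {"/", "/index.php"}

def _line(ip, method, path, status):
    """Build one constructed log line (sample data, not real traffic)."""
    return (f'{ip} - - [24/Aug/2021:15:30:21 +0000] "{method} {path} HTTP/1.1" '
            f'{status} 162 "-" "constructed-agent"')

SAMPLE_LOG = "\n".join(
    [_line("203.0.113.7", "POST", "/wp-login.php", 200)] * 5
    + [_line("198.51.100.9", "GET", f"/old/{i}.php", 404) for i in range(4)]
    + [_line("198.51.100.9", "GET", "/about", 200)]
    + [_line("192.0.2.44", "GET", f"/?cb={i}", 200) for i in range(6)]
    + [_line("192.0.2.10", "GET", p, 200) for p in ("/", "/about", "/blog", "/contact")]
    + ["not a log line"]
)

def triage(log_text, min_requests=4, ratio=0.5):
    """Map client -> flags where one request pattern dominates its traffic."""
    totals = Counter()
    counts = {"404-heavy": Counter(), "admin-login-heavy": Counter(),
              "index-heavy": Counter()}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not parse
        client, target, status = m.groups()
        path = target.split("?", 1)[0]  # ignore cache-busting query strings
        totals[client] += 1
        counts["404-heavy"][client] += status == "404"
        counts["admin-login-heavy"][client] += path.startswith(ADMIN_PREFIXES)
        counts["index-heavy"][client] += path in INDEX_PATHS
    findings = {}
    for client, n in totals.items():
        if n < min_requests:
            continue  # too few requests to call a pattern
        flags = [name for name, c in counts.items() if c[client] / n >= ratio]
        if flags:
            findings[client] = flags
    return findings
```

Because NGINX logs omit requests answered by the edge cache, the ratios describe only traffic that reached the CMS; query-string variations on an index path are counted as index requests.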

Please refer to the following docs for common caching issues:

Frequently Asked Questions

I already have a CDN. Can I use it with the Pantheon Global CDN?

Yes, but because it adds additional complexity, we suggest you only do so if you identify a need that the Pantheon Global CDN doesn't address.

To retain your existing CDN, set up a "stacked CDN" configuration. Ensure that you are enforcing HTTPS only at the outer CDN and are assuming HTTPS in the application. Check your CDN for how to redirect all traffic to HTTPS.

While we have some limited documentation for this setup with Cloudflare, this is a largely self-serve practice.

If you need additional features or customization for your CDN, consider our Advanced Global CDN service.

Is the www-redirector service still available?

No, the www-redirector service is part of the legacy infrastructure. You can choose your primary domain and redirect all traffic to HTTPS by adding 301 redirects to your site's configuration file (wp-config.php or settings.php).

Are vanity domains supported?

You can upgrade a site to Global CDN that is using vanity domains, but HTTPS will not be provisioned for the vanity domains. Only custom domains will have HTTPS provisioned.

What about Cloudflare?

See Cloudflare Domain Configuration.

Is the CDN configurable?

No, we pre-configured the CDN so you don’t have to hassle with configuration, and we can guarantee performance and uptime. The Global CDN's behavior is the same as our legacy cache which is heavily optimized for Drupal and WordPress sites, and serves billions of pages monthly, except it's globally distributed.

Do I get access to hit rates or other statistics?

Hit rates are not currently available, but you can measure traffic for the Live environment. For details, see Metrics in the Site Dashboard.

Can I use my own Fastly account with the Pantheon Global CDN?

You can, but as mentioned above you should identify a need for adding additional complexity first. If you're using Fastly TLS services with WordPress, you'll want to check for the HTTP_FASTLY_SSL header so that WordPress can build URLs to your CSS and JS assets correctly. Do this by adding the following to wp-config.php:

// Treat the request as HTTPS when Fastly reports that it terminated TLS.
if (!empty($_SERVER['HTTP_FASTLY_SSL'])) {
  $_SERVER['HTTPS'] = 'on';
}

Can I expose the Surrogate-Key-Raw header?

Yes! Expose Surrogate-Key-Raw by including Pantheon-Debug:1 in a curl request, then use grep to filter the output. Replace <site-url> with your page's URL in the following example:

curl -IsH "Pantheon-Debug:1" <site-url> | grep -i surrogate-key-raw

To prevent issues with Twitter card validation and to reduce the overall time to load, the Surrogate-Key-Raw header is not returned by default. Exposing this header provides context for entities included on a given page.

Advanced Global CDN

For custom solutions addressing the unique challenges your site build presents, see our Advanced Global CDN service.