This guide assumes you are using StackPath's WAF without CDN. If you have a packaged plan, both can be used together, this guide explains the setup process for using both the CDN and WAF.
To add a Site, select the Create Site button present on the Sites page.
Enter your domain name and click continue, the automated process will guide you through the next steps.
Once completed, a new Site will be added to the dashboard, and show WAF as an enabled service.
Configure Site Origin Settings
Before any DNS records are adjusted, it is best practice to confirm the proper configuration, to avoid any network errors while trying to pull content through StackPath's systems, please confirm the following information within the Site's Settings tab for this domain before proceeding with the integration:
A more detailed explanation for each of these settings can be found here.
- Origin Address: This should contain the IP address of the origin server.
- Host Header: This field contains the value for the
hostrequest header StackPath will send to the origin server, this should be the primary version of the domain to be used.
If the website has a redirect in place to force WWW connections, the WWW subdomain should be used in this field.
- Origin Pull Protocol: This should match the HTTP version used by the website.
If a redirection is enabled for HTTPS enabled on the origin, please set this option to HTTPS Only.
- Delivery Domains: The Apex domain and WWW subdomain should be added by default, but please add both if they are not present, along with any other subdomains intend to use with StackPath.
If the website uses HTTPS, please ensure an SSL certificate is uploaded or complete the validation process for the free EdgeSSL certificate, provided by StackPath. Free EdgeSSL validation will be completed automatically if your DNS is already migrated to StackPath.
If HTTPS or WWW redirects are being utilized on the origin server these can be enabled within the EdgeRules tab under Sites > Website Domain > EdgeRules
Configure WAF Settings
The WAF settings will be configured next. We will start with whitelisting IP addresses in the Allowed IPs section. Adding these will prevent false positives from occurring when administrators are working on the site.
- Add any administrative users' public IP addresses to the WAF Whitelist in the Firewall tab.
- If a CMS is being used, enable the Protection policy for the applicable CMS and whitelist the Origin IP.
- Allow Known Bots as applicable.
The final step before integration will be to check any security plugins or firewalls enabled at the origin level to ensure the StackPath IP blocks are whitelisted to prevent any issues with StackPath systems connecting to the origin.
Before the StackPath WAF will start protecting your service, DNS must be updated to pass traffic through the WAF. After this step is completed, the StackPath WAF servers will regulate access to your origin and protect your website. To achieve this, point both your apex and relevant non-apex domain at the Edge Address we have provided. Usually, this is the "www" subdomain.
Adjust the record for the WWW subdomain to be a CNAME Record that resolves to the Edge Address provided. The WWW subdomain would look similar to this when using the StackPath DNS.
It is also recommended to point the apex domain to the anycast IP of the Edge Address in order to protect the real server IP from being discovered.
This step should be completed with an ANAME record or through Domain Shortening if offered by your DNS provider, as StackPath's anycast IP is subject to change at any time.
If you encounter any issues or need assistance, please contact our 24/7 support through chat or email at firstname.lastname@example.org.
Important Next Steps
Add any API URLs into the WAF interface to ensure we protect them properly.
Create custom rules to enable powerful, customizable traffic monitors.