The StackPath CDN and WAF make a powerful combination for fast, reliable content delivery that provides protection from application threats. This article is a walkthrough for configuring these two services and assumes a StackPath account has been created and a Stack combination has been selected that includes CDN and WAF services.
There are two options for integrating the StackPath CDN. This article uses the Full Site delivery method, which is achieved by modifying DNS records and is required for use of the StackPath WAF.
About this Integration
The integration process will work with any subdomain of the primary domain but has been written primarily with the common WWW subdomain in mind. If a separate custom subdomain (blog or info) is desired, simply replace any instance of WWW with the custom subdomain.
This integration involves adjusting DNS records for full site acceleration and protection. StackPath DNS is recommended, but it is not a required service for this integration.
Add the Domain
Sites can be created with CDN and WAF enabled simultaneously by choosing the Create Site button:
If a standalone Site is already set up, you can simply enable CDN or WAF from the Overview Tab for that Site.
- Log into the StackPath Control Portal
- Navigate to the Stack Overview page, and select Create Site
- Enter the domain name for the integration
- Select the CDN and WAF checkboxes (along with any other services desired)
- Select Continue
- Confirm the Origin server data is correct and select Continue again
- This will generate the Site for the domain entered in Step 2 along with an Edge Address for the Site.
Configure Site Origin Settings
Before any DNS records are adjusted, it is best practice to confirm that the configuration is correct, to avoid any website downtime after the records change.
To avoid any network errors while trying to reach the website through StackPath's systems, please confirm the following information within the Site settings for this domain before proceeding with the integration:
- Origin Address: This should contain the IP address of the origin server.
- Host Header: This field contains the value for the host request header StackPath will send to the origin server. This should be the primary version of the domain to be used.
If the website has a redirect in place to force WWW connections, the WWW subdomain should be used in this field.
- Origin Pull Protocol: This should match the HTTP version used by the website.
If redirection to HTTPS is enabled on the origin, please set this option to HTTPS Only.
- Delivery Domains: The Apex domain and WWW subdomain should be added by default, but please add both if they are not present, along with any other subdomains you intend to use with StackPath.
If the website uses HTTPS, please ensure an SSL certificate is uploaded or complete the validation process for the free EdgeSSL certificate, provided by StackPath. Free EdgeSSL validation will be completed automatically if DNS is already migrated to StackPath.
If HTTPS or WWW redirects are being utilized on the origin server, these can be enabled within the EdgeRules tab under Sites > Website Domain > EdgeRules.
Configure WAF Settings
The WAF settings will be configured next. We will start with whitelisting IP addresses in the Allowed IPs section. Adding these will prevent false positives from occurring when administrators are working on the site.
- Add any administrative users' public IP addresses to the WAF Whitelist in the Firewall tab.
- If a CMS is being used, enable the Protection policy for the applicable CMS and whitelist the Origin IP.
- Allow Known Bots as applicable.
The final step before integration will be to check any security plugins or firewalls enabled at the origin level to ensure the StackPath IP blocks are whitelisted to prevent any issues with StackPath systems connecting to the origin.
Adjusting DNS Records - Go Live
With all of the preparation complete, the final step is to adjust DNS records to resolve the domain(s) to StackPath. This can be done via StackPath DNS (if the nameservers were already migrated); or via the current DNS provider, if not using StackPath DNS. This process will vary based on the DNS provider.
Adjust the record for the WWW subdomain to be a CNAME Record that resolves to the Edge Address provided. The WWW subdomain would look similar to this when using the StackPath DNS.
It is also recommended to point the apex domain to the anycast IP of the Edge Address in order to protect the real server IP from being discovered.
This step should be completed with an ANAME record or through Domain Shortening if offered by your DNS provider.
Verify the CDN is Integrated Properly
Once DNS propagation is completed, this integration can be verified with a specific DIG request for the records that were created previously. This article provides instructions for integration verification.
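The check described above can be scripted. The following is an added example, not StackPath tooling or code from the original article: it inspects `dig +short` output to confirm that WWW is a CNAME to the Edge Address and that neither WWW nor the apex still returns the origin server IP. The function names, hostnames and IP addresses are constructed placeholders.

```shell
#!/bin/sh
# Added example: post-cutover DNS check over `dig +short` answers.
# Every hostname and IP below is a constructed placeholder.

# cname_points_to ANSWER EDGE -> 0 if one answer line equals EDGE.
# dig prints CNAME targets with a trailing dot; DNS names are case-insensitive.
cname_points_to() {
    edge=$(printf '%s' "$2" | tr 'A-Z' 'a-z' | sed 's/\.$//')
    printf '%s\n' "$1" | tr 'A-Z' 'a-z' | sed 's/\.$//' | grep -Fxq -- "$edge"
}

# leaks_origin ANSWER ORIGIN_IP -> 0 if the origin IP is one of the answers.
# Whole-line match, so 198.51.100.70 does not match 198.51.100.7.
leaks_origin() {
    printf '%s\n' "$1" | grep -Fxq -- "$2"
}

# check_site WWW_ANSWER APEX_ANSWER EDGE ORIGIN_IP
# Prints one finding per line and returns the number of failures.
check_site() {
    fails=0
    if cname_points_to "$1" "$3"; then
        echo "OK   www is a CNAME to $3"
    else
        echo "FAIL www is not a CNAME to $3 (not propagated, or wrong record)"
        fails=$((fails + 1))
    fi
    if leaks_origin "$1" "$4"; then
        echo "FAIL www answer exposes origin IP $4"
        fails=$((fails + 1))
    fi
    if leaks_origin "$2" "$4"; then
        echo "FAIL apex still resolves to origin IP $4"
        fails=$((fails + 1))
    else
        echo "OK   apex does not expose the origin IP"
    fi
    return "$fails"
}

# Constructed sample answers; for a live check pass "$(dig +short NAME)" instead.
SAMPLE_WWW='edge-placeholder.example.net.
203.0.113.10'
SAMPLE_APEX='203.0.113.10'
check_site "$SAMPLE_WWW" "$SAMPLE_APEX" \
    'edge-placeholder.example.net' '198.51.100.7' || true
```

An empty answer, as returned before propagation completes, is reported as a failure for WWW rather than silently passing.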
Test Speed and SEO Post Integration
Compare the before and after tests and note that it can take one to seven days for a website to reflect the performance improvements of a CDN. Both of these test sites also will give SEO recommendations.