The StackPath CDN and WAF make a powerful combination for fast, reliable content delivery that provides protection from application threats. This article is a walkthrough for configuring these two services and assumes a StackPath account is created and a Stack combination has been selected that includes CDN and WAF services.
There are two options for integrating the StackPath CDN. This article utilizes the Full Site CDN delivery method, which is achieved by modifying DNS records and is required for use of the StackPath WAF.
About this Integration
The integration process will work with any subdomain of the primary domain but has been written primarily with the common WWW subdomain in mind. If a separate custom subdomain (blog or info) is desired, simply replace any instance of WWW with the custom subdomain.
This integration involves adjusting DNS records for full site acceleration and protection. StackPath DNS is recommended, but it is not a required service for this integration.
Add the Domain
CDN and WAF sites can be created for one domain simultaneously by choosing the Add Domain button:
If a standalone CDN site is already set up, only a WAF site will need to be created under this step. Please use the same domain, and the CNAME URL and origin settings will be identical.
- Log into the StackPath Control Portal
- Navigate to the Stack Overview page, and select Add Domain
- Enter the domain name for the integration
- Select the CDN and WAF checkboxes (along with any other services desired)
- Select whether StackPath will generate a free EdgeSSL certificate (for this tutorial one is not being used)
- Select Continue
- Confirm the Origin server data is correct and select Continue again
- This will generate the CDN and WAF sites for the domain entered in Step 2. Both sites will have the same CNAME URL, along with the identical origin information. Here we can see the CNAME being shown on the WAF tab.
Configure CDN Site Settings
Before any DNS records are adjusted, it is best practice to confirm the proper configuration, to avoid any website downtime after the DNS records are adjusted.
To avoid any network errors while trying to reach the website through StackPath's systems, please confirm the following information within the CDN site settings for this domain before proceeding with the integration:
- Origin Address: This should contain the IP address of the origin server.
- Host Header: This field contains the value for the Host request header StackPath will send to the origin server; this should be the primary version of the domain to be used.
If the website has a redirect in place to force WWW connections, the WWW subdomain should be used in this field.
- Origin Pull Protocol: This should match the HTTP version used by the website.
If HTTPS redirection is enabled on the origin, please set this option to HTTPS Only.
- Delivery Domains: The Apex domain and WWW subdomain should be added by default, but please add both if they are not present, along with any other subdomains intended for use with StackPath.
If the website uses HTTPS, please ensure an SSL certificate is uploaded or complete the validation process for the free EdgeSSL certificate, provided by StackPath. Free EdgeSSL validation will be completed automatically if DNS is already migrated to StackPath.
If HTTPS or WWW redirects are being utilized on the origin server these can be enabled within the EdgeRules tab under the CDN site settings.
Configure WAF Settings
The WAF settings will be configured next. We will start with whitelisting IP addresses. Adding these will prevent false positives from occurring when administrators are working on the site.
- Add any administrative users' public IP addresses to the WAF Whitelist in the Firewall tab.
- If a CMS is being used, enable the Protection policy for the applicable CMS and whitelist the Origin IP.
- Allow Known Bots as applicable.
The final step before integration will be to check any security plugins or firewalls enabled at the origin level to ensure the StackPath IP blocks are whitelisted to prevent any issues with StackPath systems connecting to the origin.
Adjusting DNS Records - Go Live
With all of the preparation complete, the final step is to adjust DNS records to resolve the domain(s) to StackPath. This can be done via StackPath DNS (if the nameservers were already migrated); or via the current DNS provider, if not using StackPath DNS. This process will vary based on the DNS provider.
Adjust the record for the WWW subdomain to be a CNAME Record that resolves to the CNAME URL provided under the CDN or WAF site configuration. The WWW subdomain would look similar to this when using the StackPath DNS.
It is also recommended to point the apex domain to the anycast IP of the CDN URL in order to protect the real server IP from being discovered.
This step can also be completed with an ANAME record or through Domain Shortening if offered by your DNS provider.
Verify the CDN is Integrated Properly
Once DNS propagation is completed, this integration can be verified with a specific DIG request for the records that were created previously. This article provides instructions for integration verification.
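The checks described above can be scripted. The following is an added example, not StackPath's own tooling: it confirms that the WWW record is a single CNAME matching the CNAME URL from the portal, and that the apex A records do not publish the origin IP. All hostnames and IP addresses in it are constructed placeholders, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: checks for the records created in "Adjusting DNS Records".
# Hostnames and IPs are constructed placeholders, not StackPath values.

# Lowercase a DNS name and strip the trailing root dot that dig prints.
normalize() {
    printf '%s' "$1" | tr '[:upper:]' '[:lower:]' | sed 's/\.$//'
}

# check_cname EXPECTED ANSWER
# ANSWER is the output of: dig +short CNAME www.<domain>
# Succeeds only if exactly one CNAME is returned and it matches EXPECTED.
check_cname() {
    count=$(printf '%s\n' "$2" | awk 'NF { n++ } END { print n + 0 }')
    [ "$count" -eq 1 ] || return 1
    [ "$(normalize "$2")" = "$(normalize "$1")" ]
}

# apex_exposes_origin ORIGIN_IP ANSWER
# ANSWER is the output of: dig +short A <domain>
# Succeeds (exit 0) if the origin IP is among the published A records,
# meaning the apex still reveals the real server address.
apex_exposes_origin() {
    printf '%s\n' "$2" | grep -Fxq -- "$1"
}

# verify_live DOMAIN EXPECTED_CNAME ORIGIN_IP (needs dig and network access)
verify_live() {
    if ! check_cname "$2" "$(dig +short CNAME "www.$1")"; then
        echo "www.$1: CNAME missing or not $2"; return 1
    fi
    if apex_exposes_origin "$3" "$(dig +short A "$1")"; then
        echo "$1: apex A record exposes origin $3"; return 1
    fi
    echo "$1: www CNAME matches and apex does not publish the origin IP"
}

# Constructed sample answers (documentation-range IPs, placeholder names).
SAMPLE_CNAME='Edge-Placeholder.Example.NET.'
SAMPLE_APEX_OK='198.51.100.7'
SAMPLE_APEX_LEAK='198.51.100.7
203.0.113.10'
```

After DNS propagation, source the file and call verify_live with the domain, the CNAME URL shown on the CDN or WAF site, and the origin IP.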
Test Speed and SEO Post Integration
Compare the before and after tests and note that it can take one to seven days for a website to reflect the performance improvements of a CDN. Both of these test sites also will give SEO recommendations.