This article describes the steps required to install the Premium Cloudflare Web Application Firewall (WAF) for your website's domain.


Before you get started, you should know who your domain registrar and DNS host are, and have access to your account(s) with both providers. Read through the instructions before making any changes to make sure you have the necessary information and access to complete each step.


Step 1: Account Setup


CNAME

By onboarding to Mosaic Ecommerce with CNAME, you can keep your current nameserver settings. The domain/subdomain associated with your website gets a new CNAME record that routes traffic first through Cloudflare, and then from Cloudflare to your website. This method is recommended for users proficient in DNS administration. Your DNS provider will need to support domain forwarding, or you will need to create a rewrite rule within your website code.


Your Cloudflare account will be created and you'll be invited to access your new Cloudflare account to complete the remaining setup.


Step 2: Recommended Settings

The following settings are considered best practices for the operation and security of your website.

Log in to your Cloudflare account.


Pause Cloudflare

On the Overview page, scroll down to the bottom right and click Pause Cloudflare on Site under the Advanced Actions heading. This ensures that the firewall settings will not go into effect until all configurations are complete.


SSL/TLS

Click the SSL/TLS tab, then click Edge Certificates. Scroll down to Minimum TLS Version and set the dropdown value to TLS 1.2.


Security Settings

Click the Security tab, then click Settings. Under the Security Level heading, set the dropdown value to High.


Navigate to Security > WAF > Managed Rules, then toggle the On switch for the Web Application Firewall setting.

  • Scroll down to Cloudflare Managed Ruleset and toggle every group to Off except Cloudflare Specials, which should be toggled to On.
  • Scroll down to Package: OWASP ModSecurity Core Rule Set and set the Sensitivity dropdown to Low and the Action dropdown to Challenge.

Click Security > WAF > Firewall Rules, then click Create a Firewall rule.

  • Set the Name to Block PHP. Click Edit Expression, then copy and paste the following expression into the field:
(http.request.uri.path contains ".php") or (http.request.uri.path contains "wp-includes") or (http.request.uri.path contains "wlmanifest") or (http.request.uri.path contains "phpmyadmin")


  • Click Save.


Rules

Navigate to Rules > Page Rules.

This page allows you to configure rules which apply to URLs requested on your website. Below are the recommended defaults for sites running Mosaic Ecommerce.

For each URL below, click Create Page Rule, replace *domain.com with your website's domain name, and set the Setting dropdown to Disable Security.

  • *domain.com/dotfeed.aspx*
  • *domain.com/ipx.asmx*
  • *domain.com/ipx.svc*
  • *domain.com/aspdnsf_admin/*
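The Block PHP expression and the Page Rule patterns above can be checked against sample request URLs before you re-enable Cloudflare, and the check also shows that Cloudflare's contains operator is case-sensitive. This is an added Python example, not code from the article or from Cloudflare; the tiny parser only handles the `contains`/`or` shape used here, and case-insensitive Page Rule matching is an assumption.

```python
import re
from fnmatch import fnmatchcase

# The "Block PHP" firewall expression exactly as given in the article.
BLOCK_PHP_EXPRESSION = (
    '(http.request.uri.path contains ".php") or '
    '(http.request.uri.path contains "wp-includes") or '
    '(http.request.uri.path contains "wlmanifest") or '
    '(http.request.uri.path contains "phpmyadmin")'
)

# The four Page Rule URL patterns from the article; "*" matches any run of characters.
DISABLE_SECURITY_PATTERNS = [
    "*domain.com/dotfeed.aspx*",
    "*domain.com/ipx.asmx*",
    "*domain.com/ipx.svc*",
    "*domain.com/aspdnsf_admin/*",
]

# One `(http.request.uri.path contains "...")` term; only this simple shape is handled.
_TERM = re.compile(r'\(\s*http\.request\.uri\.path\s+contains\s+"([^"]*)"\s*\)')

def parse_contains_terms(expression):
    """Return the quoted substrings of an or-chain of `path contains` terms.
    Anything other than such terms joined by `or` is rejected (assumption:
    this toy parser covers only the expression shape used in the article)."""
    terms = _TERM.findall(expression)
    leftover = _TERM.sub("", expression).replace("or", "").strip()
    if leftover:
        raise ValueError("unsupported expression syntax near: " + leftover)
    return terms

def firewall_rule_matches(path, expression=BLOCK_PHP_EXPRESSION):
    """True if a request path would match the rule. Cloudflare's `contains`
    is case-sensitive, so "/Index.PHP" does NOT match ".php"."""
    return any(term in path for term in parse_contains_terms(expression))

def page_rule_matches(url, patterns=DISABLE_SECURITY_PATTERNS):
    """True if the full request URL matches one of the Page Rule patterns.
    Matching is done case-insensitively here (assumption)."""
    return any(fnmatchcase(url.lower(), pat.lower()) for pat in patterns)

if __name__ == "__main__":
    # Constructed sample requests, not taken from any real log.
    for path in ["/default.aspx", "/index.php", "/wp-includes/js/jquery.js", "/Index.PHP"]:
        print(f"{path:32} Block PHP -> {firewall_rule_matches(path)}")
    for url in ["https://www.domain.com/aspdnsf_admin/default.aspx",
                "https://www.domain.com/dotfeed.aspx?feed=google"]:
        print(f"{url:52} Disable Security -> {page_rule_matches(url)}")
```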

Step 3: Configuration


CNAME Configuration


Add TXT Record

On the Overview page, follow the instructions to add a custom TXT record to your DNS zone with your current DNS provider. Once the TXT record is in place, you can click Re-activate to have Cloudflare check for the presence of the record.


Set DNS record in Cloudflare

Click the DNS tab, then create an A record for www.domain.com or store.domain.com (replace with your website's domain name). Set the IP address to your website's IP address. If you don't know your website IP, Vortx can provide that to you.

At this point, check the SSL/TLS tab in Cloudflare and click Edge Certificates. Make sure that a certificate was generated for your domain name and that its status is Active.


Validate Universal SSL

On the SSL/TLS > Edge Certificates page, you'll see one or more certificates with a status of Pending Validation (HTTP). This must be set to Active before the remaining steps can be completed. Submit a ticket to Vortx to request activation of your Cloudflare Universal SSL. We will add a custom TXT file to a new custom directory in your website which will allow Cloudflare to validate your domain and complete provisioning of the new SSL.


Set DNS records with your DNS provider

Within your DNS zone, set a CNAME record pointing www.domain.com to www.domain.com.cdn.cloudflare.net (replace domain.com with your website's domain). Delete any other A or CNAME records associated with www.domain.com within your DNS zone.


Set the root domain (domain.com) to forward to www.domain.com. If your current DNS provider doesn't support domain forwarding, set an A record for domain.com pointing to your website's IP address, and set a rewrite rule in your website configuration to forward the traffic to www.domain.com.


Enable Cloudflare

On the Overview tab, scroll down and click Enable Cloudflare on Site. Your setup is complete, and your website is now protected by the Cloudflare Web Application Firewall.