This article describes the steps required to install the Vortx Premium Cloudflare Web Application Firewall (WAF) for your website's domain.


Before you get started, you should know who your domain registrar and DNS host are, and have access to your account(s) with both providers. Read through the instructions before making changes to make sure you have the necessary information & access to complete each step.


Please submit a support ticket if you need assistance.



Step 1: Account Setup

When you purchase Cloudflare Premium, a representative will reach out to identify which onboarding method you prefer.


There are two options available:


Nameserver

With this method, you will change the nameservers associated with your domain to Cloudflare's nameservers. Cloudflare will become your DNS provider, and any changes you need to make to your DNS records will be done within your Cloudflare account. This is the method recommended for most users.


CNAME

With this method, you can keep your current nameserver settings. The subdomain associated with your website hosted with Vortx (www.domain.com / store.domain.com) will have a new CNAME record which routes traffic first through Cloudflare, and then from Cloudflare to your website. This method is exclusively available for stores running under a subdomain (like www.domain.com or store.domain.com). If your store runs exclusively on domain.com, this will not work for you. This method is recommended for advanced users proficient in DNS administration. Your DNS Provider will need to support domain forwarding, or you will need to create a rewrite rule within your website code.


Once you have selected an onboarding method, your account will be created and you'll be invited to access your new Cloudflare account to complete the remaining setup.


Step 2: Recommended Settings

The following recommended settings apply to both Nameserver and CNAME onboarding methods. These settings are considered Vortx best practices for the operation and security of your website.


Pause Cloudflare

On the Overview page, scroll down to the bottom right and click Pause Cloudflare on Site under the Advanced Actions heading. This ensures that the firewall settings will not go into effect until all configurations are complete.


SSL/TLS

Click the SSL/TLS tab at the top of the page, then click Edge Certificates. Scroll down to the Minimum TLS Version and set the dropdown value to TLS 1.2


Firewall

Click the Firewall tab at the top of the page, then click Settings. Under the Security Level heading, set the dropdown value to High.


Click Managed Rules, then toggle the On switch for the Web Application Firewall setting.


Scroll down to Cloudflare Managed Ruleset, toggle all settings to Off except for Cloudflare Specials, toggle that to On.


Scroll down to Package: OWASP ModSecurity Core Rule Set, set dropdowns Sensitivity to Low and Action to Challenge.


Click Firewall Rules, then click Create a Firewall rule.

Set the Name to Block PHP. Click Edit Expression, then copy paste the below expression into the field:

(http.request.uri.path contains ".php") or (http.request.uri.path contains "wp-includes") or (http.request.uri.path contains "wlmanifest") or (http.request.uri.path contains "phpmyadmin")


Click Save.


Click Bots, then click Configure Super Bot Fight Mode. Under the Definitely automated heading, set the dropdown value to Challenge.

If your website uses an integration with another application, skip the configuration on the Bots page.


Rules

This page allows you to configure rules which apply to URLs requested on your website. Below are the recommended defaults for sites running AspDotNetStorefront. You may also want to set your own custom rules for other purposes (like 301 redirects, or other custom integration files). Visit this page for more information about page rules.

For each rule below, replace *domain.com with your website's domain name. Click Create Page rule for each URL below. For each URL, set the Setting dropdown to Disable Security.

  • *domain.com/dotfeed.aspx*
  • *domain.com/ipx.asmx*
  • *domain.com/ipx.svc*
  • *domain.com/admin/*
If you are using a URL for your admin console other than /admin, change the last URL in the list below to reflect your custom admin directory.


Step 3: Configuration

Follow only Nameserver Configuration OR CNAME Configuration, according to the onboarding method you selected:


Nameserver Configuration

If you selected CNAME as your onboarding method, skip these steps. See CNAME Configuration below.

Add DNS Records

Collect your DNS records from your current DNS provider. Some DNS providers will provide an export text file, you can use the import function on the DNS page in Cloudflare to import the records. Otherwise, copy and paste each record into the DNS page in Cloudflare.


For each DNS record that points to your website, set the cloud icon under Proxy Status to orange (Proxied). All other DNS records should be set to gray (DNS only).


Set Nameservers

Once your DNS records are all added and verified, visit your Domain Registrar account, and set your nameservers to the values you see on the DNS page in Cloudflare, just below your DNS records, under the Cloudflare Nameservers heading. DNS propagation can take 1 - 2 days to complete. During this time some traffic may be flowing through your old nameservers and some may be flowing through the new Cloudflare nameservers. Do not cancel your account with your previous DNS provider until DNS has fully propagated (after 48 hours).


At this point, you should check the SSL/TLS tab in cloudflare, and click Edge Certificates. Make sure that a certificate was generated for your domain name, and that the status is Active.


Enable Cloudflare

On the Overview tab, scroll down and click Enable Cloudflare on Site. Your setup is complete, and your website is now protected by the Cloudflare Web Application Firewall.


CNAME Configuration

If you selected Nameserver as your onboarding method, skip these steps. See Nameserver Configuration above.

Add TXT Record

On the Overview page, follow the instructions to add a custom TXT record to your DNS zone with your current DNS provider. Once the TXT record is in place, you can click Re-activate to have Cloudflare check for the presence of the record.


Set DNS record in Cloudflare

Click the DNS tab, then create an A record for www.domain.com or store.domain.com (replace with your website's domain name). Set the IP address to your website's IP address. If you don't know your website IP, Vortx can provide that to you.


At this point, you should check the SSL/TLS tab in cloudflare, and click Edge Certificates. Make sure that a certificate was generated for your domain name, and that the status is Active.


Validate Universal SSL

On the SSL/TLS > Edge Certificates page, you'll see one or more certificates with a status of Pending Validation (HTTP). This must be set to Active before the remaining steps can be completed. Submit a ticket to Vortx to request activation of your Cloudflare Universal SSL. We will add a custom TXT file to a new custom directory in your website which will allow Cloudflare to validate your domain and complete provisioning of the new SSL.


Set DNS records with your DNS provider

Within your DNS zone, set a CNAME record pointing www.domain.com to www.domain.com.cdn.cloudflare.net (replace domain.com with your website's domain). Delete any other A or CNAME records associated with www.domain.com within your DNS zone.


Set the root domain (domain.com) to forward to www.domain.com. If your current DNS provider doesn't support domain forwarding, set an A record for domain.com pointing to your website's IP address, and set a rewrite rule in your website configuration to forward the traffic to www.domain.com.


Enable Cloudflare

On the Overview tab, scroll down and click Enable Cloudflare on Site. Your setup is complete, and your website is now protected by the Cloudflare Web Application Firewall.