Setup
The creoline WAF is currently in the closed beta phase. Setup is therefore only possible through our new Customer Center. Due to active development, some features of the creoline WAF are only available to a limited extent.
Setup
- Request beta access through our support team.
- Log in to our new Customer Center at app.creoline.com.
- Select the menu item Web Application Firewall → Create Instance.
Enter the full domain name of the website you want to protect as the domain name. Be sure to strictly separate the main domain from any subdomains. For example, if your web server performs a 301 redirect from my-shop.com to www.my-shop.com, the www. version must also be added to the WAF instance.
For Upstream Host, you can use either the IPv4 address or the DNS hostname of your server. Please note that you cannot use your website’s domain name here, as it will be redirected to our Web Application Firewall via DNS in the next step.
Modifying the DNS Zone
The next step involves modifying your domain’s DNS records. If you want to protect a primary domain, change the DNS records as follows with your DNS provider:
Primary Domain
Example for my-shop.com
| RR Type | Host | Value | TTL |
|---|---|---|---|
| A | my-shop.com | 5.1.73.191 | 3600 |
| AAAA | my-shop.com | 2a07:6fc0:1:0:7::213 | 3600 |
Subdomain
Example for www.my-shop.com
| RR Type | Host | Value | TTL |
|---|---|---|---|
| CNAME | www.my-shop.com | edge.waf.creoline.net | 3600 |
Once we have validated the DNS records, we automatically issue a matching SSL certificate, completely eliminating the need for you to manually issue or renew certificates.
Configuration in the Web Application
From now on, HTTP requests to your web application are first routed through the Web Application Firewall and then forwarded to your web application. The connection your server sees therefore originates from the WAF, not from the client. If your application evaluates the client’s IP address, for example for logging or to store specific information, you will need to modify the application.
WAF Request Headers
The following HTTP headers are sent by the WAF to the upstream server in every request:
| Header | Example | Description |
|---|---|---|
| X-Waf-Instance-ID | e975c46a-0d62-445a-88d2-fa478de425ac | UUID of the WAF instance |
| X-Original-IP | 5.1.73.100 | Client IP address |
| X-Waf-Edge-IP | 5.1.73.191 | Edge IP address of the WAF |
| X-Forwarded-For | 5.1.73.100, 5.1.73.191 | IP addresses of the clients |
| X-Forwarded-Proto | https | Client protocol |
| X-Creoline-Request-Type | dynamic | Request type (static / dynamic) |
General
The client’s IP address is included in the X-Original-IP request header. Additionally, a concatenation of all IP addresses is sent via X-Forwarded-For.
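For applications that read the header themselves, the following added example (not creoline's code) accepts X-Original-IP only when the connection comes from a trusted proxy address and ignores it on direct connections, where a client could set the header itself. It assumes the proxy list from the TRUSTED_PROXIES example on this page; the function names and sample requests are constructed for illustration.

```python
import ipaddress

# Trusted proxy sources, copied from the TRUSTED_PROXIES example on this page.
# Assumption: these are the addresses the WAF connects from for your instance.
TRUSTED_PROXIES = [
    ipaddress.ip_network(n)
    for n in "127.0.0.1,5.1.73.196/32,5.1.73.88/32,5.1.73.201/32,"
             "5.1.73.79/32,5.1.73.86/32".split(",")
]

def parse_ip(value):
    """Return an ip_address object, or None if value is not one valid IP."""
    try:
        return ipaddress.ip_address((value or "").strip())
    except ValueError:
        return None

def is_trusted_proxy(peer_addr):
    """True if the connection's source address is a configured proxy."""
    ip = parse_ip(peer_addr)
    return ip is not None and any(ip in net for net in TRUSTED_PROXIES)

def client_ip(peer_addr, headers):
    """Return (client_ip, via_waf) for one request.

    peer_addr: source address of the TCP connection (REMOTE_ADDR).
    headers:   dict of request headers with lower-cased names.
    """
    # Anyone who reaches the upstream directly can send X-Original-IP,
    # so the header only counts when the peer is a trusted proxy.
    if not is_trusted_proxy(peer_addr):
        return peer_addr, False
    original = parse_ip(headers.get("x-original-ip"))
    if original is None:
        # Missing or malformed header: keep the peer address, do not guess.
        return peer_addr, True
    return str(original), True

# Constructed sample requests: (peer address, request headers).
SAMPLES = [
    ("5.1.73.196", {"x-original-ip": "5.1.73.100"}),           # via the WAF
    ("203.0.113.7", {"x-original-ip": "10.0.0.1"}),            # direct, spoofed
    ("5.1.73.88", {"x-original-ip": "5.1.73.100, 192.0.2.1"}), # malformed value
    ("5.1.73.201", {"x-original-ip": "2001:db8::5"}),          # IPv6 client
]

if __name__ == "__main__":
    for peer, hdrs in SAMPLES:
        print(peer, hdrs, "->", client_ip(peer, hdrs))
```

The `via_waf` flag lets the application log or reject requests that did not arrive through the WAF.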
Shopware / Symfony
In Shopware or Symfony, you must first configure a framework.yaml file to enable the internal TRUSTED_PROXIES configuration.
```yaml
# config/packages/framework.yaml
framework:
    trusted_proxies: '%env(TRUSTED_PROXIES)%'
```

Next, the TRUSTED_PROXIES configuration can be set up in the .env.local file.

```
# .env.local
TRUSTED_PROXIES=127.0.0.1,5.1.73.196/32,5.1.73.88/32,5.1.73.201/32,5.1.73.79/32,5.1.73.86/32
```

Enter the source IP address of the load balancer in the TRUSTED_PROXIES configuration.