Setup

The creoline WAF is currently in the closed beta phase. Setup is therefore only possible through our new Customer Center. Due to active development, some features of the creoline WAF are only available to a limited extent.



Setup

  • Request beta access through our support team
  • Log in to our new customer center at app.creoline.com
  • Select the menu item Web Application Firewall → Create Instance.



Enter the full domain name of the website you want to protect as the domain name. Be sure to strictly separate the main domain from any subdomains. For example, if your web server performs a 301 redirect from my-shop.com to www.my-shop.com, the www. version must also be added to the WAF instance.


For Upstream Host, you can use either the IPv4 address or the DNS hostname of your server. Please note that you cannot use your website’s domain name here, as it will be redirected to our Web Application Firewall via DNS in the next step.



Modifying the DNS Zone

The next step involves modifying your domain’s DNS records. If you want to protect a primary domain, change the DNS records as follows with your DNS provider:


Primary Domain

Example for my-shop.com 

RR Type   Host          Value                  TTL
A         my-shop.com   5.1.73.191             3600
AAAA      my-shop.com   2a07:6fc0:1:0:7::213   3600


Subdomain

Example for www.my-shop.com 

RR Type   Host              Value                   TTL
CNAME     www.my-shop.com   edge.waf.creoline.net   3600


Once we have validated the DNS records, we automatically issue a matching SSL certificate, completely eliminating the need for you to manually issue or renew certificates.



Configuration in the Web Application

From this point on, HTTP requests to your web application are routed through the Web Application Firewall first and then forwarded to your web application. If your application evaluates the client's IP address, for example for logging or to store specific information, you will need to modify the application.


WAF Request Headers

The following HTTP headers are sent by the WAF to the upstream server in every request:

Header                    Example                                Description
X-Waf-Instance-ID         e975c46a-0d62-445a-88d2-fa478de425ac   UUID of the WAF instance
X-Original-IP             5.1.73.100                             Client IP address
X-Waf-Edge-IP             5.1.73.191                             Edge IP address of the WAF
X-Forwarded-For           5.1.73.100, 5.1.73.191                 IP addresses of the clients
X-Forwarded-Proto         https                                  Client protocol
X-Creoline-Request-Type   dynamic                                Request type (static / dynamic)


General

The client's IP address is included in the X-Original-IP request header. Additionally, X-Forwarded-For carries a comma-separated list of all IP addresses.
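
For applications outside Shopware / Symfony, X-Original-IP should only be believed when the connection itself comes from the WAF. The following Python function is an added example, not creoline code: it assumes the WAF source addresses are the ones in this page's TRUSTED_PROXIES example, and resolve_client, is_trusted and the verdict labels are hypothetical names.

```python
import ipaddress

# Assumption: WAF source addresses copied from this page's TRUSTED_PROXIES
# example; use the list that applies to your own instance.
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in (
    "127.0.0.1/32", "5.1.73.196/32", "5.1.73.88/32",
    "5.1.73.201/32", "5.1.73.79/32", "5.1.73.86/32",
)]
WAF_HEADERS = ("x-original-ip", "x-waf-instance-id", "x-waf-edge-ip")


def is_trusted(addr):
    """True if addr (an ip_address object) is a known WAF source address."""
    return any(addr in net for net in TRUSTED_PROXIES)


def resolve_client(peer_addr, headers):
    """Return (client_ip, verdict); both names are hypothetical.

    peer_addr is the TCP peer (REMOTE_ADDR), headers a name -> value dict.
    """
    peer = ipaddress.ip_address(peer_addr)
    hdrs = {k.lower(): v.strip() for k, v in headers.items()}

    if not is_trusted(peer):
        # The request did not come from the WAF, so every header is
        # client-controlled; WAF headers on it are worth logging.
        spoofed = any(h in hdrs for h in WAF_HEADERS)
        return str(peer), ("direct-spoofed-headers" if spoofed else "direct")

    try:
        return str(ipaddress.ip_address(hdrs.get("x-original-ip", ""))), "via-waf"
    except ValueError:
        # Trusted peer, but the header is missing or malformed.
        return str(peer), "via-waf-invalid-header"


if __name__ == "__main__":
    # Constructed sample requests (203.0.113.7 is a documentation address).
    samples = [
        ("5.1.73.196", {"X-Original-IP": "5.1.73.100", "X-Waf-Edge-IP": "5.1.73.191"}),
        ("203.0.113.7", {"X-Original-IP": "10.0.0.1"}),
        ("203.0.113.7", {}),
        ("5.1.73.88", {"X-Original-IP": "not-an-ip"}),
    ]
    for peer, hdrs in samples:
        print(peer, hdrs, "->", resolve_client(peer, hdrs))
```

A "direct" or "direct-spoofed-headers" verdict means the origin is reachable without passing the WAF; restricting the web server to the WAF source addresses at the firewall removes that path.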


Shopware / Symfony

In Shopware or Symfony, you must first configure a framework.yaml file to enable the internal TRUSTED_PROXIES configuration.


# config/packages/framework.yaml

framework:
    trusted_proxies: '%env(TRUSTED_PROXIES)%'


Next, the TRUSTED_PROXIES configuration can be set up in the .env.local file.

# .env.local

TRUSTED_PROXIES=127.0.0.1,5.1.73.196/32,5.1.73.88/32,5.1.73.201/32,5.1.73.79/32,5.1.73.86/32

Enter the source IP address of the load balancer in the TRUSTED_PROXIES configuration.