Imperva Web Protection and CDN services provide security and acceleration services at the web application level.

Overview

To secure your website with Imperva's Web Protection and CDN services, you onboard the site by completing a series of steps on Imperva's platform: configuring DNS records (A/CNAME) and updating the site's SSL/TLS configuration. The instructions below guide you through each step, ensuring that all traffic is routed through Imperva's network and your website is protected and accelerated.

The onboarding process begins with adding a “site” to an Imperva account. An Imperva site may consist of a single application or a group of applications that are managed together, sharing the same dashboards and configuration settings.

Each Imperva site carries a unique CNAME record that is used to point traffic to the Imperva network and for identifying the Imperva site if multiple applications share the same Imperva site.

Note: Imperva supports the use of the standard HTTP/S ports:

  • 80 (HTTP)
  • 443 (HTTPS)

In addition, Imperva supports a number of non-standard ports. For the list of these additional ports, see Non-standard Open Ports.

To use other non-standard ports that are not listed, contact support before onboarding to request a change. Note that the change can take some time to implement.

To onboard Imperva web protection:

Step 1: Add your website to Imperva

  1. Log into your my.imperva.com account. The Add Your Website screen appears.

    Note: If you have already added a site to your Imperva account and want to add an additional site, go to the Cloud Security Console Websites page and click Add website.

  2. In the Add a website field, enter the full domain name of your site (including the subdomain prefix, such as www), e.g., www.mydomain.com.

    When onboarding a second-level domain, whether you enter it in the format of mydomain.com or www.mydomain.com, the full domain (in this case, www.mydomain.com) is added to the certificate.


    Alternatively, click Advanced configuration to manually configure your web server IP/CNAME and skip the automated DNS check for the origin IP. This allows you to prepare the site and configure the DNS later. The options include:

    • Web server IP/CNAME: The IP address or CNAME of your web server.
    • Use SSL: Configures SSL support for your secure site. For more details, see Step 2: Configure SSL support for secure sites below.
    • Send setup emails: Receive emails about the "add website" process, such as DNS and SSL setup instructions.
    • Reference ID: A free-text field for a unique identifier that correlates the site with an object in your own system.
  3. Click Add website to proceed. The following is displayed, showing automatically collected information about your site:

    If your site has SSL support, HTTP + HTTPS is displayed in this window. Click the Continue button to configure SSL support for your site in Imperva, as described in Step 2: Configure SSL support for secure sites.

    If your site is not SSL protected, skip to Step 3: Get an Imperva DNS A Record / CNAME Record.

Step 2: Configure SSL support for secure sites

Imperva acts as an HTTPS proxy and terminates the TLS connections initiated by your end users' clients. For this reason, a certificate for the site must also be installed on the Imperva proxy servers (the same certificate is deployed across all of Imperva's proxies), in addition to the one already installed on your origin servers. The certificate on the Imperva proxies is the one that end users see; the origin certificate is only seen by Imperva.

When onboarding a site to Imperva, you can have Imperva generate a certificate, use your own certificate, or skip certificate creation and complete the process later.

Note: You can delegate the task of domain ownership validation to Imperva to save time and effort during site onboarding and certificate renewal.

When you configure automatic domain validation for your account, Imperva automatically:

  • Generates an SSL certificate for any new site you add under your domains.

  • Revalidates domain ownership when a certificate expires.

For more details, see Automatic Domain Validation for Imperva-Generated Certificates.

To begin onboarding your site, choose one of the following:

  • Option A: Configure SSL for an active site - This default option instructs Imperva to generate a new certificate for the site. The Certificate Authorities that certify these certificates for Imperva are required to validate the customer’s ownership of the domain, a process that requires two consecutive changes in the DNS.

  • Option B: Configure SSL for a new site - This 1-step option quickly generates an Imperva certificate for your site and requires only a single change in the DNS. Imperva validates your ownership of the domain, but blocks access to the site for approximately 5 minutes until the process is completed.

  • Option C: No Imperva certificate - This option lets you onboard a new site without any certificate, then configure a custom or Imperva certificate for it in the future.

Note:  

  • At any stage during the registration procedure, you can click the Configure Later button to return to the Websites page without generating an SSL certificate for the site. The Websites page displays the new site with a status indicating that configuration is not complete. You can configure a certificate directly from the site settings at a later stage. In such a case, new DNS instructions will be provided and you will need to configure your DNS records accordingly.

  • You can check certificate or validation status after onboarding at any time from the SSL Certificates page. For more details, see Manage SSL Certificates.

Option A: Configure SSL for an active site

During configuration and preparation of your Imperva certificate, your site will remain accessible. Once the new Imperva SSL certificate is ready, you can direct the traffic to Imperva.

The next screen that is displayed depends on whether automatic domain validation is configured for your account:

With account level CNAME validation already set up

If you already have account level CNAME validation configured for the domain of the site, a message is displayed explaining that Imperva is already in the process of issuing a certificate for this site. To continue, skip to Step 4: Configure your DNS.

For more details on account level CNAME validation, see Automatic Domain Validation for Imperva-Generated Certificates.

Without account level CNAME validation

  1. From the Configure SSL for an active site option, select a SANs configuration for your site:

    • Add full domain: Adds the full domain SAN to the Imperva SSL certificate.

    • Add wildcard domain SAN (*.<site name>.com): Adds the wildcard SAN to the Imperva SSL certificate instead of the full domain SAN.

      Example: For www.example.com, the wildcard SAN is *.example.com and the full domain SAN is www.example.com.

      Using a wildcard SAN enables you to add subdomains, such as sub.example.com, without a certificate change and revalidation. Note that a wildcard covers exactly one label: *.example.com matches sub.example.com but not example.com (which needs the naked domain SAN) or a.b.example.com.

      Note: Typically, when your site's Imperva-generated certificate needs to be renewed, Imperva completes the process automatically. If you are using a wildcard SAN, automated validation can only be completed for a subdomain in the following circumstances:

      • The domain (e.g. example.com) is also protected by Imperva.

      • The domain (e.g. example.com) was validated by CNAME validation and the CNAME record for SSL validation (which starts with _delegate_validation) remains in place.

      Otherwise, you will receive an email notification from Imperva requiring you to revalidate ownership of your domain.

    • Add naked domain SAN (<site name>.com): For second-level domains with the www prefix, adds the naked domain SAN to the Imperva SSL certificate.

      Example: For www.example.com, the SAN example.com is added to the certificate in addition to the wildcard or full domain SAN.

  2. Click Continue to validate domain ownership.

  3. The Certificate Authority is required to validate ownership of the domain. Select one of the following methods described below:

    • Validate by adding DNS records (TXT or CNAME)

    • Validate by e-mail

    Validate your website ownership by adding a DNS record

    1. Click Validate by adding DNS records (selected by default).

    2. Click the Record type dropdown and select one of the following:

      • CNAME: This option ensures automatic revalidation of the site in the future by Imperva.

      • TXT: This secondary option is for organizations that do not allow the use of a CNAME for site validation or do not want Imperva to automatically manage this site's revalidation in the future.

    3. Log into your DNS management console and open your DNS Zone file. If you are using a DNS management service, log into it to make the change.

      Note: Field names may vary between different DNS providers.

    4. Set the Record type to match what you selected from the dropdown.

    5. Copy the Host string into the DNS Record name field:

      CNAME example: _delegate_validation.<domain>
      This defines your domain's delegation to Imperva.

      TXT example:

    6. Copy the Value string into the DNS Value field:

      CNAME example:

      TXT example:

    7. On the Activate SSL Support page, click I added the records button (it will match your Record type selection). Imperva verifies that the value of the new record(s) has been added to your DNS zone file. This may take a few minutes.

    Validating your website ownership by email

    1. Click Validate by e-mail.

    2. Select an email address from the drop-down menu where you want to receive the validation link. The drop-down menu is populated with default emails for the domain (e.g. admin@, administrator@, etc.). To add emails to this list, see Adding Emails for Ownership Validation.

      You can test whether these addresses are correct by clicking the Send a test email to all the addresses link, which sends a test email to every listed address. If you receive the test emails, the addresses are correct. These test emails do not contain a validation link.

    3. When you have selected an email address from the drop-down menu, click the Send button. Imperva sends the validation email to the selected address.

    4. Open the email you received and click on the validation link.

    5. On the Activate SSL Support page, click the I clicked the link button to indicate that you have clicked the link in the validation email.

Issuing a new SSL certificate for your website

After validating website ownership, Imperva begins issuing a new SSL certificate for the site. This process typically takes less than an hour but may take up to 24 hours. Once you see a message confirming that the certificate was issued successfully (you do not need to remain in this window), proceed to Step 3: Get an Imperva DNS A Record / CNAME Record.

Note:

While waiting for the certificate to be issued, your site remains available as it was previously. Traffic is not yet being diverted through Imperva. After the certificate is ready, Imperva sends DNS instructions for onboarding.

If, for any reason, the issuing of this new SSL certificate is not completed promptly, a message is displayed and you will receive an email notification when the certificate is issued.
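The SAN choice in step 1 above decides which hostnames the Imperva certificate will cover, and the article tells you to direct traffic to Imperva only once that certificate is ready. The following is an added example for this article, not Imperva's own tooling: it checks SAN coverage offline using the one-label wildcard rule, and shows how to inspect the certificate a proxy presents for a hostname before DNS is changed, by connecting to the proxy's IP directly with SNI set to the hostname (the same idea as curl --resolve). The proxy IP, hostnames and SAN lists are constructed sample values; the real Imperva addresses come from the Change your DNS records screen in Step 3.

```python
"""Check that a certificate's SANs cover the hostnames you serve, and
fetch the certificate a proxy presents for a hostname without changing DNS.

Added example for this article; not Imperva's own tooling. The proxy IP,
hostnames and SAN lists used here are constructed sample values.
"""
import socket
import ssl


def san_matches(san: str, hostname: str) -> bool:
    """RFC 6125-style match: a wildcard SAN covers exactly one label.

    *.example.com matches sub.example.com, but not example.com
    or a.b.example.com.
    """
    san = san.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if san.startswith("*."):
        suffix = san[1:]  # ".example.com"
        if not hostname.endswith(suffix):
            return False
        label = hostname[: -len(suffix)]
        return label != "" and "." not in label
    return san == hostname


def uncovered_hostnames(sans, hostnames):
    """Return the hostnames that no SAN in the certificate covers."""
    return [h for h in hostnames if not any(san_matches(s, h) for s in sans)]


def fetch_sans(proxy_ip: str, hostname: str, port: int = 443, timeout: float = 5.0):
    """Connect to proxy_ip, send SNI for hostname, return the DNS SANs offered.

    This is the pre-cutover check: public DNS still points at the origin, so
    we connect to the proxy address directly and look at the certificate the
    proxy presents for that SNI. Verification stays on, so a certificate that
    does not match the hostname raises ssl.SSLCertVerificationError.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((proxy_ip, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
            cert = tls.getpeercert()
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


if __name__ == "__main__":
    # Constructed sample: the SANs produced by a "wildcard + naked domain"
    # selection in Step 2, Option A.
    sample_sans = ["*.example.com", "example.com"]
    print(uncovered_hostnames(sample_sans,
                              ["www.example.com", "example.com", "a.b.example.com"]))
    # -> ['a.b.example.com']
    # Live check once the Imperva certificate is issued (proxy IP from Step 3):
    # print(fetch_sans("192.0.2.1", "www.example.com"))
```

Run the offline check against the SAN configuration you selected before issuing the certificate, and the live check against one of the Imperva A-record IPs after issuance: if `fetch_sans` succeeds and returns the expected names, the proxy is presenting a valid certificate for the hostname and the DNS change in Step 4 can proceed.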

Option B: Configure SSL for a new site

Onboard a new HTTPS site that does not yet have traffic, or one that can go offline temporarily, and configure an Imperva SSL certificate in one step. Since Imperva validates the domain by HTML after you update the DNS, this option eliminates the need to validate domain ownership via email or by adding a TXT record to the DNS. During this process, your site will not be accessible for approximately 5 minutes, until Imperva generates the new SSL certificate for the site.

From the Configure SSL for a new site option, the SANs configuration is automatically set to Add full domain.

Note: Adding a wildcard domain SAN to the certificate is not supported for this option.

  1. For second-level domains with the www prefix, such as www.example.com, you can check the Add naked domain SAN option to include it in the Imperva SSL certificate.

  2. Click Continue for instructions on how to update your DNS records, as explained in Step 3: Get an Imperva DNS A Record / CNAME Record.

Option C: No Imperva certificate

When you onboard a new HTTPS site with the No Imperva certificate option, it will not receive any SSL traffic until you upload a custom certificate, which will then be presented only to SNI-supporting clients. For details, see Upload a Custom Certificate for Your Website on Imperva.

Note: If your site also needs to serve non SNI-supporting clients, it requires an Imperva certificate. Select one of the following to install an Imperva certificate:

Click Continue for instructions on how to update your DNS records, as explained in Step 3: Get an Imperva DNS A Record / CNAME Record.

Note:  

  • The certificate's public key must be less than 4096 bits.

  • The certificate must include the SAN for the website’s domain.

Step 3: Get an Imperva DNS A Record / CNAME Record

After you click the Continue button, the Change your DNS records screen appears with instructions on how to configure your DNS A record(s) and CNAME record. The content of this screen varies depending on your network and the type of site you are onboarding:

  • If you entered a second-level domain, either as <second-level domain>.<top-level domain> (such as example.com) or as www.<second-level domain>.<top-level domain> (such as www.example.com), two IP addresses are provided for your site's DNS A records (one A record per IP), together with the domain name for your site's CNAME record.

    Configure the A records for your naked (second-level) domain, and map the CNAME to your full domain.

  • In all other cases, only a CNAME record is provided for configuring your site.

The following step details how to complete the configuration.

Step 4: Configure your DNS

To configure the A Record(s) and CNAME Record of your DNS:

  1. Log into your DNS management console.

  2. Create or update your site's records, as instructed on the Change your DNS records screen.

    1. Update the A record for your naked domain (for example, mydomain.com) so it points to the IPs provided by Imperva for the A record. Imperva provides two different A records for redundancy, and you need to configure both of them for the naked domain. These IPs point to the Imperva PoPs closest to the location where your application is hosted. The naked domain gets A records rather than a CNAME because a zone apex cannot be a CNAME.

      Note: The A records of your non-HTTP/S DNS records (such as ftp.mydomain.com or mail.mydomain.com) must remain pointing to your origin web server and not to Imperva, which means that you should simply leave them "as is" in the DNS Zone file. Be aware that any such record still discloses the origin's IP address in public DNS; this is why Step 5 restricts direct access to the origin and Step 6 recommends changing the origin IP address.

      Imperva provides full support for sites using IPv6. If your DNS records contain an AAAA record, Imperva will also provide two AAAA records to replace the existing AAAA record.

    2. Create or update your site's full domain CNAME record so it points to the domain provided by Imperva. Remember, the full domain includes the subdomain prefix, such as www.mydomain.com or subdomain.mydomain.com. A CNAME cannot coexist with other records of the same name, so remove any existing A/AAAA record for the full domain when you add the CNAME. When an end user resolves the full domain, Imperva uses the CNAME record to serve them from the PoP closest to the end user.

  3. On the Change your DNS records screen, click the Validate button to verify that the records were updated correctly.

  4. If you selected the Configure SSL for a new site option, then the Status Check section also appears on the screen. After your DNS records are successfully validated, click the second Validate button to verify that SSL configuration was completed successfully.

  5. Click Done to view the new site's settings or View all websites to view the current configuration status for your new site on the Websites page.


For more details on the Websites page, see Web Protection - Websites.
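Steps 3 and 4 above amount to a small set of zone changes with two traps: the apex cannot be a CNAME (hence the two A records), and a CNAME cannot share a name with any other record (so the full domain's old A record has to go). The following added example, which is not part of the article or an Imperva tool, applies those changes to a BIND-style zone and then lists the names that still resolve to the origin, i.e. the records the note above says to leave in place but which continue to expose the origin address. The sample zone, the Imperva A-record IPs (192.0.2.1 and 192.0.2.2) and the CNAME target are constructed placeholders; use the values from your own Change your DNS records screen.

```python
"""Apply the Step 4 DNS changes to a BIND-style zone and list what still
points at the origin.

Added example for this article; it is not Imperva's own tooling. The zone
below, the Imperva A-record addresses (192.0.2.1/2) and the CNAME target
are constructed placeholders; use the values shown on your own
Change your DNS records screen.
"""
import ipaddress

# Constructed sample zone: the origin web server is 198.51.100.10, mail is .20.
SAMPLE_ZONE = """
$TTL 3600
example.com.      IN SOA ns1.example.com. hostmaster.example.com. 1 7200 3600 1209600 3600
example.com.      IN NS  ns1.example.com.
example.com.      IN MX  10 mail.example.com.
example.com.      IN A   198.51.100.10
www.example.com.  IN A   198.51.100.10
mail.example.com. IN A   198.51.100.20
ftp.example.com.  IN A   198.51.100.10   ; non-HTTP service, stays on the origin
"""

# Placeholders standing in for the two A-record IPs and the CNAME from Step 3.
IMPERVA_A = ["192.0.2.1", "192.0.2.2"]
IMPERVA_CNAME = "site-id.imperva-cname-placeholder.invalid."


def parse_zone(text):
    """Parse 'name [ttl] [IN] type rdata' lines into (name, ttl, type, rdata)."""
    records = []
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()   # strip comments
        if not line or line.startswith("$"):   # skip $TTL / $ORIGIN directives
            continue
        fields = line.split()
        name, rest = fields[0], fields[1:]
        ttl = int(rest.pop(0)) if rest and rest[0].isdigit() else None
        if rest and rest[0].upper() == "IN":
            rest.pop(0)
        records.append((name, ttl, rest[0].upper(), " ".join(rest[1:])))
    return records


def cutover(records, naked, full, imperva_a, imperva_cname, ttl=300):
    """Point `naked` at Imperva's A/AAAA records and `full` at its CNAME.

    Every other record (MX, mail, ftp, TXT, ...) is left untouched, as
    Step 4 requires. A short TTL on the new records keeps rollback fast.
    """
    out = []
    for name, rttl, rtype, rdata in records:
        # The apex keeps its SOA/NS/MX; only its address records are replaced
        # (an apex cannot be a CNAME, which is why Imperva hands out A records).
        if name == naked and rtype in ("A", "AAAA"):
            continue
        # A CNAME may not share a name with any other record, so drop the
        # full domain's old address records before adding the CNAME.
        if name == full and rtype in ("A", "AAAA", "CNAME"):
            continue
        out.append((name, rttl, rtype, rdata))
    for ip in imperva_a:
        rtype = "AAAA" if ipaddress.ip_address(ip).version == 6 else "A"
        out.append((naked, ttl, rtype, ip))
    out.append((full, ttl, "CNAME", imperva_cname))
    return out


def origin_leaks(records, origin_ips):
    """Names whose address records still reveal the origin after cutover."""
    return sorted({name for name, _, rtype, rdata in records
                   if rtype in ("A", "AAAA") and rdata in origin_ips})


def render(records):
    """Serialise records back into zone-file lines."""
    lines = []
    for name, ttl, rtype, rdata in records:
        fields = [name] + ([str(ttl)] if ttl is not None else []) + ["IN", rtype, rdata]
        lines.append(" ".join(fields))
    return "\n".join(lines)


if __name__ == "__main__":
    new_zone = cutover(parse_zone(SAMPLE_ZONE), "example.com.", "www.example.com.",
                       IMPERVA_A, IMPERVA_CNAME)
    print(render(new_zone))
    print("still exposing the origin:", origin_leaks(new_zone, {"198.51.100.10"}))
```

In the sample, ftp.example.com keeps pointing at the origin's address after cutover, exactly as the note above requires, and `origin_leaks` reports it; that is the list of names you should expect to find in public DNS history, and the reason the origin has to be firewalled in Step 5 rather than relied on to stay hidden.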

Step 5: Allow access to Imperva IPs

Add the Imperva IP ranges to the allowlist of your web server's firewall and of any firewall deployed in front of it. It is also recommended to block access from non-Imperva IPs: otherwise anyone who learns the origin's address (for example from DNS history or from a non-HTTP record that still points at it) can connect to the origin directly and bypass Imperva's protection entirely. For the current ranges, see Imperva IP addresses.
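Step 5 is the control that stops an attacker who discovers the origin address from bypassing Imperva. The following is an added example for this article, not Imperva's own tooling: it turns a list of proxy IP ranges into an nftables rule set that accepts HTTP/S only from those ranges, and shows the companion application-side check, trusting the forwarded client-IP header only when the TCP peer is actually one of the proxies. The JSON shape (ipRanges/ipv6Ranges) follows Imperva's published IP-list API as I understand it, and the Incap-Client-IP header name is likewise an assumption to confirm against the Imperva IP addresses page and header documentation; the prefixes in the sample are documentation ranges, not Imperva's.

```python
"""Lock the origin down to the reverse proxy's published address ranges.

Added example for this article, not Imperva's own tooling. SAMPLE_IP_LIST is
a constructed sample in the shape of Imperva's IP-list API response
(ipRanges / ipv6Ranges; an assumption, verify against the current Imperva IP
addresses page). Its prefixes are RFC 5737/3849 documentation ranges, not
Imperva's real ones. The Incap-Client-IP header name is an assumption too.
"""
import ipaddress
import json

SAMPLE_IP_LIST = json.dumps({
    "ipRanges": ["192.0.2.0/24", "198.51.100.0/24"],
    "ipv6Ranges": ["2001:db8::/32"],
    "res": 0,
})


def load_ranges(raw_json):
    """Parse the IP-list JSON into ip_network objects (IPv4 and IPv6)."""
    data = json.loads(raw_json)
    if data.get("res", 0) != 0:
        raise ValueError(f"IP list API returned res={data.get('res')}")
    prefixes = data.get("ipRanges", []) + data.get("ipv6Ranges", [])
    return [ipaddress.ip_network(p) for p in prefixes]


def is_proxy_address(addr, ranges):
    """True if addr falls inside one of the proxy ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in ranges)


def real_client_ip(remote_addr, headers, ranges, header="Incap-Client-IP"):
    """Trust the forwarded client-IP header only when the TCP peer is a proxy.

    A direct connection that bypasses the proxy could otherwise forge the
    header and defeat IP-based rate limits, ACLs and audit logging.
    """
    if not is_proxy_address(remote_addr, ranges):
        return remote_addr  # direct hit: the header cannot be trusted
    forwarded = next((v for k, v in headers.items() if k.lower() == header.lower()), None)
    if not forwarded:
        return remote_addr
    try:
        return str(ipaddress.ip_address(forwarded.split(",")[0].strip()))
    except ValueError:
        return remote_addr


def render_nftables(ranges, ports=(80, 443)):
    """Emit an nftables table that accepts HTTP/S only from the proxy ranges."""
    v4 = [str(n) for n in ranges if n.version == 4]
    v6 = [str(n) for n in ranges if n.version == 6]
    plist = ", ".join(str(p) for p in ports)
    lines = ["table inet origin_lockdown {",
             "  chain input {",
             "    type filter hook input priority 0; policy accept;"]
    if v4:
        lines.append(f"    ip saddr {{ {', '.join(v4)} }} tcp dport {{ {plist} }} accept")
    if v6:
        lines.append(f"    ip6 saddr {{ {', '.join(v6)} }} tcp dport {{ {plist} }} accept")
    lines.append(f"    tcp dport {{ {plist} }} drop")   # everything else on 80/443
    lines.append("  }")
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    ranges = load_ranges(SAMPLE_IP_LIST)
    print(render_nftables(ranges))
    # A request that arrived through a proxy: the header is honoured.
    print(real_client_ip("192.0.2.77", {"Incap-Client-IP": "203.0.113.9"}, ranges))
    # A request that hit the origin directly: the header is ignored.
    print(real_client_ip("203.0.113.50", {"Incap-Client-IP": "10.0.0.1"}, ranges))
```

The chain keeps a default accept policy so that management ports are unaffected; only ports 80 and 443 from outside the proxy ranges are dropped. Regenerate and reload the rules whenever the published ranges change, and keep the same range list in the application so that the firewall and the header-trust decision cannot drift apart.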

Step 6: Your site is onboard!

Once DNS changes are complete, traffic is gradually routed through the Imperva network, as the new DNS records propagate through the Internet. The entire process is TTL-dependent and usually takes a few hours to complete. Nevertheless, no packet drops should occur at any stage.

Note:  

  • We strongly recommend that you change the IP address of your origin server. Historical DNS data for your domain still records the old origin address; changing it makes those archived records useless for reaching the origin directly, and new lookups return only Imperva addresses.
  • You can disable Imperva web protection at any time. When web protection is disabled, traffic is routed directly to the origin and not through the Imperva network.
