Onboarding a Site – Web Protection and CDN

The Incapsula Web Protection and CDN services provide security and acceleration services at the web application level.


The first step in protecting and accelerating a web application is to add a “site” to an Incapsula account. An Incapsula site may represent a single application or a group of applications that are managed together sharing the same dashboards and configuration settings (only applies to Enterprise accounts).

Each Incapsula site carries a unique CNAME record that is used both for pointing traffic to the Incapsula network and also for identifying the Incapsula site in the case that multiple applications share the same Incapsula site.

Note: Incapsula supports the use of the standard HTTP/S ports:

  • 80 (HTTP)
  • 443 (HTTPS)

In addition, Incapsula supports a number of non-standard ports. For the list of these additional ports, see Non-standard Open Ports .

To use other non-standard ports that are not listed, contact support before onboarding to request a change. Note that the change can take some time to implement.

To onboard Incapsula:

Step 1: Add your site to Incapsula

  1. Log in to your my.incapsula.com account.

    Note: If you have already added a site to your Incapsula account and want to add an additional site, go to the Management Console Websites page and click Add Site.

  2. In the Add a website field, enter the full domain name (including the subdomain prefix, such as www) of your site. For example, www.yourdomain.com.

    Alternatively, click Advanced configuration to manually set your web server IP/CNAME and skip the automated DNS check for the origin IP. This enables you to prepare the site but configure DNS at a later time. The options include:

    Reference ID A free-text field that enables you to add a unique identifier to correlate the site with an object in your system.
    Web server IP/CNAME The IP or CNAME of your web server.
    Use SSL Configures SSL support for your secure site. For more details, see Step 2: Configure SSL support for secure sites below.
    Send setup emails Receive emails about the “add site” process, such as DNS and SSL setup instructions.
  3. Click + Add Website. The following is displayed, showing information automatically collected by Incapsula about your site:

  4. If HTTPS is detected, the following options are available:

    Add wildcard domain SAN: *.com

    Adds the wildcard SAN to the Incapsula SSL certificate instead of the full domain SAN.

    Example: For www.example.com, the wildcard SAN is *.example.com and the full domain SAN is www.example.com.

    Using a wildcard SAN enables you to add subdomains, such as sub.example.com, without the need for a certificate change and revalidation.

    Note: Typically, when your site's Incapsula-generated certificate needs to be renewed, the process is completed automatically by Incapsula. If you are using a wildcard SAN, automated validation can only be completed for a subdomain if the domain (e.g. example.com) is also protected by Incapsula. Otherwise, you will receive an email notification from Incapsula requiring you to revalidate ownership of your domain.

    Add naked domain SAN: <site name>.com

    For sites with the www prefix, adds the naked domain SAN to the Incapsula SSL certificate.

    Example: For www.example.com, the SAN example.com is added to the certificate in addition to the wildcard or full domain SAN.

Step 2: Configure SSL support for secure sites

If your site is not SSL protected, then skip to Step 4: Configure your DNS.

If your site already has SSL protection, then HTTP + HTTPS is displayed in this window, as shown below:

Click the Continue button. The following is displayed, illustrating how SSL protection works throughout the chain of communication to your site.

Incapsula acts as an HTTPS proxy and terminates connections in front of the end users. For this reason, a second SSL certificate (or actually multiple copies of the same certificate) needs to be installed on the Incapsula proxy servers, in addition to the one already installed on the origin servers. This certificate is the one that is visible to the end users.

There are two alternatives for installing SSL certificates on the Incapsula proxy servers:

  1. The default method is having Incapsula generate a new certificate for the domain. The Certificate Authorities that generate these certificates for Incapsula are required to validate the customer’s ownership of the domain, a process which usually takes just a few minutes.
  2. An alternative method involves uploading a custom certificate. Since this certificate only serves SNI-supporting clients, most customers are also usually required to generate an Incapsula certificate for the site (which is used for all non SNI-supporting clients).

Note: At any stage during the registration procedure, you can click the I don’t want SSL button. If you choose this option, Incapsula will not generate a certificate for this site. It is possible at a later stage to configure a certificate for the site directly from the site settings. In such a case new DNS instructions will be provided and DNS records will have to be configured accordingly.

Request an Incapsula Certificate

  1. Click the Let’s start button. The following is displayed:

  2. The Certificate Authority is required to validate ownership of the domain using one of the following methods:

Issuing A New SSL Certificate for Your Website

After website ownership has been validated, Incapsula starts the process of issuing a new SSL certificate for the site.

The process is typically completed after a few minutes. A message pops up indicating that the certificate was issued successfully (you do not have to remain in this window).


While waiting for the certificate to be issued, the site continues to be available as it was previously. Traffic is not yet being diverted through Incapsula. After the certificate is ready, you will receive DNS instructions for onboarding Incapsula.

If, for any reason, the issuing of this new SSL certificate is not completed promptly, a message is displayed and you will receive an email notification when the certificate is issued.

Upload a custom certificate

(Optional) To upload a custom certificate, complete the process described above to request an Incapsula Certificate, and then follow the instructions on Upload a Custom Certificate for Your Website on Incapsula.

Step 3: Get an Incapsula DNS A Record / CNAME Record

Click the Continue button. The following window is displayed:

  • If you entered a full domain name, then two IP addresses are provided to which to configure your site’s DNS A Records. In addition, the domain name to which to configure your site’s CNAME Record is also provided.
  • If you entered a subdomain name, then a CNAME Record is provided to which to configure your site.

Step 4: Configure your DNS

  1. In order to configure A Records and CNAME Record(s) of your DNS, you must log into your DNS management console.

  2. Update the A Record for your naked domain (for example, yourdomain.com) so that it points to the IPs provided by Incapsula for the A Record. Incapsula provides you with two different A records for the sake of redundancy, and you will need to configure both of them for the naked domain. These IPs points to the Incapsula PoPs closest to the location where your application is hosted. Incapsula provides full support for sites using IPv6. If your DNS records contain an AAAA record, Incapsula will also provide two AAAA records to replace the existing AAAA record.

    Important Note: The A records of your non-HTTP/S DNS records (such as ftp.yourdomain.com or mail.yourdomain.com) must remain pointing to your origin web server and not to Incapsula, which means that you should simply leave them "as is" in the DNS Zone file.

  3. Create or update the CNAME Record of the full domain of your site so that it points to the domain provided by Incapsula. Remember, the full domain includes the subdomain prefix, such as www.yourdomain.com or subdomain.yourdomain.com. If an end user types in the subdomain, then Incapsula uses the CNAME Record and provides service from the PoP that is closest to the end user.

Step 5: Confirm that the DNS record was changed

Click the I completed the DNS changes button. The new site is then added to your Incapsula management console, as shown below:

Alternatively, click the I’ll make the DNS changes later button.

Step 6: Your site is onboard!

Once DNS changes are complete, traffic gradually gets routed through the Incapsula network, as the new DNS records propagate through the Internet. The entire process is TTL-dependent and usually takes a few hours to complete. Nevertheless, no packet drops should occur at any stage.


  • Make sure that Incapsula IPs are whitelisted in your web server firewall and in the firewall deployed in front of your web server. It is also recommended to restrict access to non-Incapsula IPs. For details, see Incapsula IP addresses .
  • We strongly recommend that you change the IP address of your origin server. This will render any archived IP records obsolete, and new searches will display only the Incapsula IP address.
  • You can disable Incapsula at any time. When Incapsula is disabled, traffic gets routed directly to the origin and not through the Incapsula network.

How To

Read More