
Configure a Zone

Before you can configure a zone, the zone must be created and verified. When you configure a zone, the settings apply to all hostnames within the zone, regardless of where the hostname was configured (instance or realm).

Zone settings are organized into three groups:

To configure a zone, perform the following steps:

  1. Select Administration > Sites > Embedded CDN Settings > Configure Zones.
    If there's no embedded CDN enabled for your instance, you see the message: The embedded CDN has not been enabled.
    A slider opens from the right side of the page. The slider contains an entry for each zone listed on the page.
  2. Click the Verified label to see the verification record.

    For example, the Verification Value is INTXT '123456789-87654321'.

    This value enables you to communicate with the provider after a forced verification, or if you delete the record and need to replace it, regardless of whether the zones have already been verified.

  3. Select a zone.
  4. In the slider, click Crypto.
    1. (Optional) In the Certificates section, click Add Certificate.
      The certificate can be acquired from the Certificate Authority of your choice. You can upload multiple custom SSL certificates per zone. You can't, however, upload multiple certificates that reference the same hostnames and certificate signature (for example, SHA256WithRSA). To support certificate renewal, you can replace one certificate with another.
      You can only add a certificate on Production instances.
      When you click Add Certificate, the Upload Custom Certificate window opens.
    2. Copy and paste the certificate and private key into the Certificate and Private Key fields.
      When pasting into the text fields, include the BEGIN and END lines surrounding the certificate or key data.
    3. Select a bundle method.
      The bundle method describes how your leaf certificate is bundled with intermediary certificates to complete the certificate chain.
      • Compatible: Also called a ubiquitous bundle. This bundle has a higher probability of being verified everywhere, even by clients using outdated or unusual trust stores.
      • Modern: Also called an optimal bundle. This bundle has the shortest chain and the newest intermediates.
      • User Defined: Also called a forced method. This method attempts to use the certificate and chain as defined by the input.
    4. Click Upload Certificate.
    5. (Optional) In the SSL/TLS Settings section, select one or more of the following options:
      • Enable TLS 1.3 (beta): Enables the TLS 1.3 protocol based on the latest IETF drafts. TLS 1.3 is only supported on a limited number of browsers. This setting isn't recommended for Production environments.
      • Require TLS 1.2 or higher: When enabled, only TLS versions 1.2 and higher are used for client connections. Disabling this option is only permissible for webstores that were operating prior to July 1, 2015, per PCI-DSS requirements. Disabling the option enables the potentially insecure TLS 1.0 and 1.1 protocols. Starting July 1, 2018, TLS 1.2 is required for all PCI-DSS compliant webstores.
      Note: You can't specify these options until after you have uploaded SSL certificates for the zone.
  5. In the slider, click Firewall.
    1. Specify the Security Level.

      The Security Level uses the IP reputation of a visitor to decide whether to present a challenge. The IP reputation is calculated by an internal algorithm. The following are the security levels:

      • High: Threat scores greater than 0 are challenged.
      • Medium: Threat scores greater than 14 are challenged.
      • Low: Threat scores greater than 24 are challenged.
      • Under Attack: Threat scores greater than 49 are challenged.

      Adjust the Security Level for your domain in the Firewall app.

    2. (Optional) In the Firewall section, click Add Group.

      The Add Group button lets you define a whitelisting group. A whitelisting group specifies a set of IP addresses that should be whitelisted by the embedded CDN.

      If an IP address is whitelisted, the address is never blocked by the embedded CDN.

      Configuring whitelist groups is important if you have an external CDN deployed in front of the embedded CDN. By whitelisting the IP addresses of your external CDN, you ensure that the embedded CDN doesn't misinterpret a large number of requests from a small set of IP addresses as a Denial of Service (DoS) attack.

      When you click Add Group, the Add Group window opens.
    3. Select a value in the Scope field.

      Possible values are as follows:

      • Global: The embedded CDN applies the whitelist to all zones in your organization.
      • Zone: The embedded CDN applies the whitelist only to the current zone.
    4. In the Group Name field, enter a name for the whitelisting group.
    5. In the Records field, enter one or more IP address records.
      You can specify one record per line. A record consists of an IPv4 IP address or a range of IPv4 addresses in CIDR (Classless Inter-Domain Routing) format. If you use CIDR format, the embedded CDN only accepts block sizes of /16 and /24.
    6. Click Validate to validate and save your whitelist group, or Cancel to discard your changes.
  6. In the slider, click Speed.
    1. (Optional) In the Auto Minify section, select one or more of the following options:
      • JavaScript
      • CSS
      • HTML

      These options control if the eCDN removes unnecessary characters (such as whitespace or comments) from JavaScript, CSS, and HTML responses.

      Removing these characters can reduce the amount of data to be transferred and thus improve page load time.

      Even though this feature shouldn't change functionality, you should test your site with minification enabled before you enable it for zones with production traffic.

      Note: The feature only works on eCDN responses. Third-party scripts and code are not minified.
      Note: For cached responses, the cache must expire before the settings are reflected. The eCDN does not separately cache minified responses. Code is only minified if it is W3C compliant.
    2. (Optional) In the Polish Level section, select one of the following values:
      • Polish Level Off: Doesn't modify image files.
      • Polish Level Basic: Reduces the size of image files without impacting visual quality. This option removes metadata for PNG, GIF, and JPEG files. It also results in lossless compression of PNG and GIF files.
      • Polish Level Basic+JPEG: In addition to the features included in the basic level, the file size of JPEG images is reduced using lossy compression, which can reduce visual quality. Large JPEG images are converted to progressive images. Visitors see an increasingly detailed image as the file is downloaded. The functionality is only applied to images served through the embedded CDN, that is, images served by the Commerce Cloud instance and Dynamic Imaging Service (DIS). Images retrieved from third-party sites are not modified.

      The polish level applies to all images served from hostnames within the zone. It isn't possible to use different polish levels for different images or a device type-specific polish level. Commerce Cloud recommends that you test a new Polish Level with a zone without production traffic before you enable it for a zone with production traffic.

    3. Also in the Polish Level section, you can check WebP for WebP image support.
      Cloudflare supports the WebP image format, which can be used with supported clients for additional performance benefits. See Cloudflare documentation.
  7. In the slider, click Customize.
    1. In the Custom Pages: 500 Class Errors section, enter the URL for an HTML page you want shown when the embedded CDN generates a 500 class error.
      The HTML page must embed the 500 error class token (for example, <p>::CLOUDFLARE_ERROR_500S_BOX::</p>).
    2. In the Custom Pages: 1000 Class Errors section, enter the URL for an HTML page you want shown when the embedded CDN generates a 1000 class error.
      The HTML page must embed the 1000 error class token (for example, <p>::CLOUDFLARE_ERROR_1000S_BOX::</p>).
    Click Preview to see what an error page looks like when it's shown to a site visitor. Click Publish to inform the embedded CDN that this page is ready to be used for all subdomains in the zone. To set a new eCDN custom error page, the page template must be made available under a publicly accessible URL. You can use the Commerce Cloud instance for that. During the publishing step, the eCDN downloads the error page template and stores it in its infrastructure. You must repeat the publishing step whenever the template changes.
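
An added example, not part of the Salesforce documentation: a pre-check for the Records field of a whitelisting group (Firewall step above). It validates each line as IPv4 and rewrites any CIDR range that is not /16 or /24 into accepted records covering exactly the same addresses, so the whitelist never becomes wider than intended. The function names and the sample addresses are constructed for illustration.

```python
import ipaddress

ALLOWED_PREFIXES = (16, 24)  # block sizes the page says the embedded CDN accepts

# Constructed sample input, one record per line (documentation/test ranges).
SAMPLE = """\
203.0.113.10
198.51.100.0/24
198.18.0.0/22
192.0.2.128/30
198.51.100.7/24
2001:db8::1
"""

def split_network(net):
    """Rewrite one IPv4 network as accepted records covering the same addresses."""
    if net.prefixlen in ALLOWED_PREFIXES:
        return [str(net)]
    if net.prefixlen > 24:
        # Smaller than /24: list each address rather than widening the range.
        return [str(addr) for addr in net]
    target = 24 if net.prefixlen > 16 else 16
    return [str(sub) for sub in net.subnets(new_prefix=target)]

def normalize_records(text):
    """Return (records, errors) for a whitelist pasted one record per line."""
    records, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = raw.strip()
        if not entry:
            continue
        try:
            if "/" in entry:
                # strict=True rejects host bits, e.g. 198.51.100.7/24
                out = split_network(ipaddress.IPv4Network(entry, strict=True))
            else:
                out = [str(ipaddress.IPv4Address(entry))]
        except ValueError as exc:  # also raised for IPv6 and malformed input
            errors.append(f"line {lineno}: {entry!r}: {exc}")
            continue
        for rec in out:
            if rec not in records:  # drop duplicates, keep input order
                records.append(rec)
    return records, errors

if __name__ == "__main__":
    recs, errs = normalize_records(SAMPLE)
    print("\n".join(recs))
    print("\n".join(errs))
```

Review the rejected lines by hand instead of correcting them automatically: a record such as 198.51.100.7/24 may have been meant as a single address, and every whitelisted address is never blocked by the embedded CDN.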