CloudFlare’s been pushing SSL for a while as a new feature. We all know that SSL is a great idea, that any time you have someone logging in, it should be secure. If you’re handling money, it should be secure. If you’re taking any personal information, for god’s sack (sic), make it secure!
A major problem with this has often been the cost overhead. You can self-sign your certificates, but that pops up with other errors for people. Really what we want is a simple, non-super-expensive, way to have security where and when we need it. Until Let’s Encrypt gets its kick off later this year (and probably for another year after that), it’s complicated and expensive to set up shared hosts with certificates, even if you use SNI.
Enter CloudFlare and their bold proclamation that they’re going to provide free One-Click SSL for everyone, even their free-plan users. This is great! Except that it doesn’t work quite right.
First off, if you use the flexible SSL plan, the one that doesn’t change your URL to HTTPS, then you need to use a plugin line CloudFlare Flexible SSL. Or you can just toss this into your wp-config.php:
#SSL if (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] == 'https') { $_SERVER['HTTPS']='on'; } else { $_SERVER['HTTPS'] = false; }
Secondly, if you’re not actually changing the URL to SSL, you’ve got a problem. I don’t want my users to hit https all the time, not for all my sites. And all the reasons we don’t use https everywhere aside, it’s something to keep my running costs down.
My rule is that SSL should be used anywhere where you are transmitting information that should not be public, and this suddenly was an issue when I looked at the levels of security. The one I’d want would be Full SSL, as it “Encrypts the connection between your site visitors and CloudFlare, and from CloudFlare to your server.”
And there are two types of Full SSL, one of which is ‘Strict’ and requires you to have your own SSL cert, be it purchased or self-signed.
The obvious implications here, however, are that everyone would see HTTPS in the URL, and I don’t really want that. Of course, that’s not what they meant. What they mean is that IF you use https in the domain, then CloudFlare double encrypts. Otherwise it remains http for the domain.
So basically normal SSL. And this is what I want, because I do have a purchased SSL cert for the domain in question and I do want to be secure all down the line. If I was using a self-signed certificate, I’d use the Full SSL (not strict) and that would work as well.
One important thing to keep in mind is that if you chose to use the Flexible SSL, you’re not giving yourself login protection! As they point out, this gives you an encrypted connection between your site visitors and CloudFlare, but not from CloudFlare to your server. This greatly reduces the possibility of being sniped or sniffed, but the content from CF to use isn’t secured, which means if you use Flexible SSL for your store, you’re a moron.
With that in mind, what good is it? Well you can be promised security throughput for your domain, and that, if you’re using CloudFlare, is a great thing.
Comments
11 responses to “CloudFlare’s SSL”
Heads Up! “for god’s sack”? should be for God’s sake
@David Radovanovic: No it was supposed to be sack 🙂 it’s a joke to about 10 people.
My earlier comment was incorrectly formatted. Please delete that one. And here’s the correct one.
Cool article! :star: 🙂
I would like to suggest a correction in the article. The correct term for the ‘URL’ would be ‘URI’. Refer: https://en.wikipedia.org/wiki/Uniform_resource_identifier
🙂
Also, why don’t you use Disqus comment system?
@Robin Mathew Rajan: Because I don’t like ads in my comments and I’m not a disqus fan.
Hey Ipstenu, this was a good article, thanks =)
It was my understanding that ‘SSL FULL’ requires you to have any SSL cert at server, validated (purchased) or self-signed. The ‘SSL STRICT’ CF setting requires that you have a validated (meaning purchased) certificate at your server. Is this not so?
Also, I thought it’d nice to mention that CF also now supports HTST 🙂
I am using CF with my multisite networks to great effect (I love running my own budget mirror CDNs through CF too!) in concert with SNI at server and the combo is quite flexible and allows for some very (imho) cool configurations =)
Cheers, Max
@Max: It’s rather confusing and I’m not sure. I asked in a ticket and got a bog-standard reply from some drone who didn’t read.
https://www.cloudflare.com/ssl just says “Requires SSL on your server” for Full SSL and no mention of a cert, while the strict section clearly states “Requires a valid SSL cert”
@Ipstenu (Mika Epstein):
hmm… you know, I could CF intending to mean that ‘SSL Full’ requires that the server be able to handle requests using SSL
In which case “valid” for ‘SSL Strict’ would mean a properly generated and installed certificate that is not expired… (meaning it is immaterial whether it is purchased or self-signed – perhaps the key is difference between terms “valid” and “validated” in this context).
This especially makes sense knowing that CF reserves further services to their Business-grade plans for working with validated SSL (for if you need EV for instance).
Thoughts? Cheers, Max
@Max: It’s possible, though I don’t understand why they’d accept an invalid cert at any stage in the process. 😕
Maybe they just need to define validity.
@Ipstenu (Mika Epstein): they have clarified this nicely in the help section at Crypto>SSL>Help
For a Multisite w/ Domain Mapping this means that mapped domains can use CF SSL Full when only network primary has SSL at server (and that SSL can be either self-signed or purchased from CA).
Also, using SSL Full means no more redirect loop w/o need for adding
#SSL
if (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] == 'https') {
$_SERVER['HTTPS']='on';
} else {
$_SERVER['HTTPS'] = false;
}
to wp-config, though may need to do something similar for
define('FORCE_SSL_ADMIN', true);
@Max: Thank you for never giving up! And never letting us down! 😆
err, so evidently HTST is some kinda dairy thing… pretty sure I meant HSTS 😛