
Using CloudFlare SSL / TLS Configurations – CloudSavvy IT




Serving your website over HTTPS with a valid SSL/TLS certificate is almost always necessary and advisable. It protects your visitors' traffic from eavesdropping and tampering, helps your search ranking, and gives visitors a reason to trust the site. Here is what CloudFlare has to offer when it comes to SSL / TLS, and how you can use these options to secure your site and improve performance.

CloudFlare has been innovating in security for many years and has continually worked to simplify both the end-user and developer experience. CloudFlare was one of the first companies to offer a free SSL certificate for a site, and it has since expanded its offering, its technical sophistication and its security settings.

CloudFlare SSL / TLS packages

CloudFlare offers several SSL / TLS options at different plan levels. Understanding which one makes the most sense for you is the first step.

Universal SSL

As one of the first and most popular SSL offers, Universal SSL is the free offering from CloudFlare. Provided that CloudFlare is your authoritative DNS provider (required to get the most out of CloudFlare), a new Universal SSL certificate is issued within about 15 minutes of activating the domain. The free offering has restrictions:

  • Not compatible with all browser and operating system versions.
  • Universal SSL uses a shared certificate. This means you may see other customers’ domain names in the certificate’s Subject Alternative Names.
  • Only covers the apex domain and first-level subdomains (e.g. www.example.com); deeper names such as dev.www.example.com are not covered.

Advanced Certificate Manager (previously dedicated SSL)

CloudFlare recently introduced the Advanced Certificate Manager. For $10 a month, you can create your own certificates with some unique features:

  • Configurable Subject Alternative Names (SANs), for example to cover a second-level subdomain such as dev.www.example.com
  • Removes the CloudFlare branding from the certificate
  • Lets you choose the certificate lifetime (validity period) and control the cipher suites

This can be activated by navigating to the SSL / TLS tab within a CloudFlare domain and clicking on Order Advanced Certificate.

[Screenshot: the Order Advanced Certificate button on the SSL / TLS tab]

Custom SSL (Business and Enterprise plans only)

This option lets a customer upload a certificate they purchased or generated elsewhere. It usually applies to customers with Extended Validation (EV) or Organization Validated (OV) certificates. Self-signed certificates, i.e. certificates not signed by a publicly trusted certification authority, will not work here.

Keyless SSL (Enterprise plans only)

Finally, Keyless SSL is an advanced configuration for companies whose policies do not allow a third party to hold the certificate’s private key. The private key stays on a customer-controlled key server, and CloudFlare contacts that server for the private-key operation of each TLS handshake, which adds some latency to connection setup.

Origin Server Certificates

One of the benefits of Universal SSL was that it encrypts browser / client traffic to CloudFlare, even if the connection from CloudFlare to the origin server (your web host) is not encrypted. For the many web hosts that were not set up to manage certificates, this meant a website owner could still serve HTTPS to the browser.

This is not secure end to end: the traffic from CloudFlare to the web host travels in clear text and can be read or modified by anyone on the path (a man-in-the-middle). To mitigate this, CloudFlare offers several encryption modes.

  • Flexible – HTTPS to the browser, plain HTTP to the origin (no encryption between CloudFlare and the origin server)
  • Full – The connection to the origin is encrypted, but the origin certificate is not validated, so a self-signed certificate works (i.e. without purchasing a certificate). Because nothing is verified, an attacker on the path could still present their own certificate.
  • Full (strict) – The connection to the origin is encrypted and CloudFlare verifies that the origin server presents a valid certificate signed by a trusted CA (or by CloudFlare’s own Origin CA)

With the Full (strict) option there are a few ways to obtain a certificate that CloudFlare will accept.

  • Let’s Encrypt certificate – If you are using Let’s Encrypt’s free certificates, you already have a publicly trusted certificate that encrypts the connection between your origin server and CloudFlare.
  • CloudFlare Origin CA certificate – Perhaps even easier, CloudFlare’s Origin Certificate feature issues a certificate that you download and install on your web host. It is trusted by CloudFlare but not by browsers, so it only works for traffic that passes through CloudFlare; connecting to the origin directly will show a certificate error.
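To make the difference between Full and Full (strict) concrete, here is an added example (not from the article and not Cloudflare’s own tooling): a POSIX shell script that builds a throwaway local CA standing in for the trust anchor (the Cloudflare Origin CA or a public CA such as Let’s Encrypt), issues an origin certificate from it plus a self-signed certificate for the same name, and then checks each certificate the way the two modes would. The hostname origin.example.test, the CA name and the file layout are assumptions for the demo, and it needs the openssl command-line tool.

```shell
#!/bin/sh
# Added example, not Cloudflare's code: models what the Full and Full (strict)
# encryption modes accept. A throwaway local CA stands in for the trust anchor
# (Cloudflare Origin CA or a public CA); the hostname origin.example.test and all
# file names are assumptions for this demo.

# make_demo_pki DIR: create the CA, a CA-signed origin certificate and an
# unrelated self-signed certificate for the same hostname.
make_demo_pki() {
  dir=$1
  mkdir -p "$dir"
  # Minimal OpenSSL config so the demo does not depend on the system openssl.cnf.
  cat >"$dir/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
commonName = Common Name
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[v3_leaf]
basicConstraints = CA:FALSE
subjectAltName = DNS:origin.example.test
EOF
  # 1. CA certificate (stand-in for the trust anchor)
  openssl req -x509 -config "$dir/openssl.cnf" -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=Demo Origin CA" -keyout "$dir/ca.key" -out "$dir/ca.pem" >/dev/null 2>&1
  # 2. Origin key + CSR, then a leaf certificate signed by the CA with a matching SAN
  openssl req -new -config "$dir/openssl.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=origin.example.test" -keyout "$dir/origin.key" -out "$dir/origin.csr" >/dev/null 2>&1
  openssl x509 -req -days 30 -in "$dir/origin.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
    -CAcreateserial -extfile "$dir/openssl.cnf" -extensions v3_leaf \
    -out "$dir/origin-signed.pem" >/dev/null 2>&1
  # 3. Self-signed certificate for the same name (what "Full" tolerates)
  openssl req -x509 -config "$dir/openssl.cnf" -extensions v3_leaf -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=origin.example.test" -keyout "$dir/selfsigned.key" -out "$dir/selfsigned.pem" >/dev/null 2>&1
}

# full_mode_accepts CERT: "Full" only needs something that parses as a certificate;
# nothing about it is checked, so any self-signed certificate passes.
full_mode_accepts() {
  openssl x509 -in "$1" -noout >/dev/null 2>&1
}

# full_strict_accepts CAFILE HOSTNAME CERT: "Full (strict)" needs a chain to a trusted CA.
# The hostname match is the standard client validation rule, added here as a sane check.
full_strict_accepts() {
  openssl verify -CAfile "$1" -verify_hostname "$2" "$3" >/dev/null 2>&1
}

# demo: run both checks against both certificates and print the verdicts.
demo() {
  d=${TMPDIR:-/tmp}/cf-mode-demo
  make_demo_pki "$d"
  for c in origin-signed selfsigned; do
    full_mode_accepts "$d/$c.pem" && printf 'Full         accepts %s\n' "$c"
    if full_strict_accepts "$d/ca.pem" origin.example.test "$d/$c.pem"; then
      printf 'Full (strict) accepts %s\n' "$c"
    else
      printf 'Full (strict) rejects %s\n' "$c"
    fi
  done
}
```

Source the file and call `demo`: both certificates pass the Full check, only the CA-signed one passes Full (strict). The same `openssl verify` call, pointed at your real origin certificate and the Cloudflare Origin CA root, is a quick way to confirm an origin will be accepted before you flip the mode.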

CloudFlare SSL / TLS configurations

Now that you understand how CloudFlare SSL / TLS works for a given domain, let’s examine some of the options available to customize and secure the visitor experience. These are subject to change, but over the years options have generally only been added.

Always Use HTTPS

A simple toggle that makes every HTTP request return a 301 redirect to the equivalent HTTPS URL. This applies domain-wide. If you need a more targeted rule, use the Always Use HTTPS page rule to cover a specific path.

HTTP Strict Transport Security (HSTS)

HSTS is a big topic in its own right, but in short: this setting adds a Strict-Transport-Security header to responses. A browser that has seen it will only talk to the site over HTTPS for the period given by max-age, refusing to fall back to plain HTTP even if the user types an http:// address or follows an http:// link. This protects the site against SSL stripping and similar downgrade attacks.

If HTTPS is disabled at any time, visitors may lose access to your site for the remainder of the max-age period, or until HTTPS is restored and an HSTS header with max-age=0 is served to clear the cached policy. Start with a short max-age and raise it once you are confident the site will stay on HTTPS.
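As an added example (not part of the article), here is a small POSIX shell parser for a Strict-Transport-Security header value that reports what a browser will do with it: the directive syntax follows RFC 6797 (semicolon-separated, case-insensitive, values may be quoted), and the max-age=0 case from the paragraph above is reported as “cleared”. The sample header values are constructed for the demo.

```shell
#!/bin/sh
# Added example, not Cloudflare's code: parse a Strict-Transport-Security header
# value and explain its effect. Sample values used with it are constructed.

# hsts_parse 'VALUE': sets HSTS_MAX_AGE, HSTS_INCLUDE_SUBDOMAINS and HSTS_PRELOAD.
# Returns 2 if max-age is missing or not numeric (browsers ignore such a header).
hsts_parse() {
  HSTS_MAX_AGE=''; HSTS_INCLUDE_SUBDOMAINS=no; HSTS_PRELOAD=no
  old_ifs=$IFS; IFS=';'
  for directive in $1; do
    # normalise: lower-case, drop whitespace and optional quotes around the value
    directive=$(printf '%s' "$directive" | tr 'A-Z' 'a-z' | tr -d ' \t"')
    case $directive in
      max-age=*)        HSTS_MAX_AGE=${directive#max-age=} ;;
      includesubdomains) HSTS_INCLUDE_SUBDOMAINS=yes ;;
      preload)          HSTS_PRELOAD=yes ;;
    esac
  done
  IFS=$old_ifs
  case $HSTS_MAX_AGE in
    ''|*[!0-9]*) return 2 ;;
  esac
  return 0
}

# hsts_verdict 'VALUE': prints what the header means for visitors.
# Exit status: 0 policy in force, 1 policy being cleared (max-age=0), 2 invalid.
hsts_verdict() {
  hsts_parse "$1" || { echo "invalid: browsers ignore a header without a numeric max-age"; return 2; }
  if [ "$HSTS_MAX_AGE" -eq 0 ]; then
    echo "cleared: max-age=0 tells browsers to drop the cached policy (the recovery step if HTTPS broke)"
    return 1
  fi
  days=$((HSTS_MAX_AGE / 86400))
  echo "active: browsers will refuse plain HTTP for $days days" \
       "(includeSubDomains=$HSTS_INCLUDE_SUBDOMAINS, preload=$HSTS_PRELOAD)"
  # hstspreload.org requires max-age of at least one year, includeSubDomains and preload
  if [ "$HSTS_MAX_AGE" -ge 31536000 ] && [ "$HSTS_INCLUDE_SUBDOMAINS" = yes ] && [ "$HSTS_PRELOAD" = yes ]; then
    echo "note: meets the preload-list requirements; once preloaded, the policy is effectively permanent"
  fi
  return 0
}

# demo: the three situations the text describes
demo() {
  for v in 'max-age=31536000; includeSubDomains; preload' 'max-age=0' 'includeSubDomains'; do
    printf '%-45s -> ' "$v"; hsts_verdict "$v" || true
  done
}
```

Feed it the header you see in a real response (for example the value after `strict-transport-security:` in `curl -sI https://yourdomain`) to confirm the max-age you actually shipped before relying on it.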

Minimum TLS version

Today the recommended minimum is TLS 1.2, because the older versions (SSLv3, TLS 1.0 and TLS 1.1) have known weaknesses. TLS 1.3 is the latest version; current browsers support it, but older clients still do not, so setting 1.3 as the minimum will lock some visitors out. Enable TLS 1.3 and keep 1.2 as the minimum.

Opportunistic encryption

This setting is not a substitute for HTTPS. It adds an Alt-Svc header that tells browsers the site is also reachable over an encrypted HTTP/2 connection, so a page requested over plain HTTP can be fetched encrypted by browsers that support it, without the padlock or the guarantees of HTTPS. Use it alongside a regular SSL / TLS configuration, not instead of one.

TLS 1.3

This is the latest version of the TLS protocol, with a faster handshake and many legacy options removed. Not every client supports it yet, and some networks and countries interfere with it, so enable it and let capable clients negotiate it, but do not rely on every visitor using it: keep TLS 1.2 available as well.

Automatic HTTPS rewrites

To address mixed-content problems, for example a plain http:// link or resource inside an HTTPS page, CloudFlare can rewrite page content before it reaches the visitor and fix those links. This isn’t perfect, since it only rewrites references to hosts known to support HTTPS, but it catches a lot of inconsistent links. Ideally, you fix the links in your own content.
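As an added example (not from the article and not how Cloudflare implements the feature), here is a minimal POSIX shell stand-in for Automatic HTTPS Rewrites: it upgrades http:// references in src, href and action attributes, but only for hosts on an allowlist you pass in, which is exactly why the real feature cannot fix everything. The sample HTML is constructed for the demo.

```shell
#!/bin/sh
# Added example, not Cloudflare's code: a minimal stand-in for Automatic HTTPS
# Rewrites. Only hosts on the allowlist (the arguments) are upgraded; third-party
# hosts not known to support HTTPS are left alone, which mirrors the feature's limit.
# The sample HTML in demo() is constructed.

# rewrite_to_https HOST... : filter HTML on stdin to stdout
rewrite_to_https() {
  alts=''
  for h in "$@"; do
    # escape dots so the host is matched literally, then build host1|host2|...
    e=$(printf '%s' "$h" | sed 's/[.]/\\./g')
    alts="${alts:+$alts|}$e"
  done
  # Anchored on the attribute name, the quote and the character after the host, so a
  # host embedded in a longer name (notexample.com, example.com.evil) does not match.
  sed -E "s#(src|href|action)=([\"'])http://($alts)([/\"'])#\1=\2https://\3\4#g"
}

# demo: show a mixed-content page after rewriting for example.com and cdn.example.com
demo() {
  page='<img src="http://example.com/logo.png">
<script src="http://cdn.example.com/app.js"></script>
<a href="http://other.net/page">third party, left alone</a>
<form action="http://example.com.evil/login">'
  printf '%s\n' "$page" | rewrite_to_https example.com cdn.example.com
}
```

The third-party link and the look-alike host survive untouched, which is the class of mixed content you still have to fix by hand in the page source.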

Certificate Transparency Monitoring

A newer beta feature: CloudFlare watches the public Certificate Transparency logs and emails the account holder when a new certificate is issued for the domain. It acts as an early warning system when a bad actor, or a misconfigured tool, obtains a certificate for your domain.

Disable Universal SSL

Finally, you have the option to disable Universal SSL completely. This is generally not needed unless you have a specific reason, such as relying only on your own uploaded certificate; without another certificate in place, HTTPS for the domain stops working.

Conclusion

CloudFlare offers extensive features for managing site certificates securely and effectively, and it is constantly adding new ones to both the free and the paid plans. For SSL and security needs, CloudFlare is hard to beat, especially with its free offering.

