
Using CloudFlare SSL / TLS configurations – CloudSavvy IT


Protecting your website with an SSL certificate is almost always necessary and recommended. It not only helps your website's SEO, but also earns your visitors' trust. Here we examine what CloudFlare offers in terms of SSL / TLS, and how you can take advantage of these options to secure your website and improve performance.

CloudFlare has innovated in the security space for many years and has continuously worked to make life easier for both end users and developers. One of the first companies to offer a free SSL certificate to any website, CloudFlare has since expanded its offerings, technical sophistication and security settings.

CloudFlare SSL / TLS package

CloudFlare offers several different SSL / TLS capabilities. Understanding which one is right for you is the first step.

Universal SSL

One of the first SSL offerings and the most popular, Universal SSL is CloudFlare's free tier. Provided that CloudFlare is your authoritative DNS provider (necessary to take full advantage of CloudFlare), a new Universal SSL certificate will be issued within 15 minutes of domain activation. There are restrictions on the free offering:

  • Not compatible with all versions of browsers and operating systems.
  • Universal SSL uses a shared certificate, which means other customers' domain names are visible in the certificate's Subject Alternative Names (SANs).
  • Covers only first-level subdomains (i.e., dev.www.example.com does not work with SSL).

Advanced Certificate Manager (formerly dedicated SSL)

CloudFlare recently launched the Advanced Certificate Manager. For $10.00 per month, you can issue your own certificates with some features the free tier lacks:

  • Configurable Subject Alternative Names (SANs) to cover, for example, a second-level subdomain such as dev.www.example.com
  • Removes the CloudFlare branding from the certificate
  • Lets you choose the certificate lifetime and control the cipher suites

This can be enabled by navigating to the SSL / TLS tab from a CloudFlare domain and clicking Order Advanced Certificate.

[Screenshot: Order Advanced Certificate]

Custom SSL (Business and Enterprise customers only)

This option allows a customer to upload a certificate that they purchased or created separately. This usually applies to customers with Extended Validation (EV) or Organization Validated (OV) certificates. Self-signed certificates that are not signed by a valid issuer do not work here.

Keyless SSL (Enterprise customers only)

Finally, the Keyless SSL option is an advanced configuration designed for companies whose policies restrict who may hold a certificate's private key. This adds some latency to each request, as the key stays on a customer-controlled key server that CloudFlare must contact in order to complete the TLS handshake and serve the content.

Origin Server Certificate

One of the advantages of Universal SSL was that you could encrypt browser / client traffic to CloudFlare without necessarily encrypting traffic from CloudFlare to the origin server (your web hosting). For many web hosts that were not properly set up to handle certificates, this meant a website owner could still serve encrypted traffic to the browser.

This is not fully secure, however, as traffic from CloudFlare to the web host would travel unencrypted and could be read or altered in a man-in-the-middle attack. To address this, you have a few options.

  • Flexible – Default option; no encryption between CloudFlare and the origin server
  • Full – Encryption to the origin server, but a self-signed certificate is accepted (i.e., no need to buy a certificate)
  • Full (Strict) – Validates that the origin server presents a correctly signed certificate

With the Full (Strict) option, there are a few ways to obtain a certificate the origin can present and CloudFlare will accept.

  • Let's Encrypt certificates – By using the free SSL certificates offered by Let's Encrypt, you get a valid certificate that encrypts the connection between your origin server and CloudFlare.
  • CloudFlare Origin CA certificate – Perhaps even easier is the Origin Certificate feature in CloudFlare, which creates a certificate that CloudFlare trusts; you download and install it on your web host.

CloudFlare SSL / TLS configurations

Now that you understand how CloudFlare SSL / TLS works for a particular domain, let's explore some of the options available to customize and secure a visitor's experience. These options have changed over the years, but mostly by addition rather than removal.

Always Use HTTPS

A simple toggle that makes every plain HTTP request receive a 301 redirect to the equivalent HTTPS URL. It applies domain-wide; if you need a more targeted rule, use the Always Use HTTPS page rule to target a specific route.

HTTP Strict Transport Security (HSTS)

HSTS is a large topic with many considerations, but in short this setting adds a Strict-Transport-Security header to responses, which lets a site specify and enforce a security policy in the client browser. It helps protect a website from many different types of attacks.

If SSL is disabled at any time, your visitors may lose access to your site for the duration of the cached max-age value, or until HTTPS is restored and an HSTS header with max-age=0 is served.
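The lock-out described above follows from how a browser caches the policy. The following is an added example, not CloudFlare code or a real browser implementation: a minimal model of an HSTS cache (RFC 6797) showing that only a header served over HTTPS, with max-age=0, clears a cached entry; host names and times are constructed.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Added example (not Cloudflare code): a minimal model of how a browser
# caches an HSTS policy. Host names and times are constructed.

@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool = False

def parse_hsts(header: str) -> Optional[HstsPolicy]:
    """Parse a Strict-Transport-Security value; None if max-age is missing
    or malformed, which a browser would ignore rather than apply."""
    max_age, include_sub = None, False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "max-age" and re.fullmatch(r"\d+", value):
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
    return None if max_age is None else HstsPolicy(max_age, include_sub)

class HstsCache:
    """Per-host HSTS store, keyed by host the way a browser keeps it."""
    def __init__(self):
        self.entries = {}  # host -> (expires_at, include_subdomains)

    def observe(self, host, header, now, over_https):
        # RFC 6797: HSTS headers on plain-HTTP responses are ignored, so a
        # clearing header only takes effect once HTTPS is serving again.
        policy = parse_hsts(header) if over_https else None
        if policy is None:
            return
        if policy.max_age == 0:
            self.entries.pop(host, None)  # max-age=0 removes the policy
        else:
            self.entries[host] = (now + policy.max_age, policy.include_subdomains)

    def must_use_https(self, host, now):
        # Match the exact host, then parent domains with includeSubDomains.
        labels = host.split(".")
        for i in range(len(labels)):
            entry = self.entries.get(".".join(labels[i:]))
            if entry and entry[0] > now and (i == 0 or entry[1]):
                return True
        return False
```

Until the entry expires or a max-age=0 header arrives over HTTPS, `must_use_https` keeps returning True, which is exactly the window in which visitors cannot reach a site whose HTTPS was switched off.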

Minimum TLS version

In this day and age, it is strongly recommended that a minimum version of TLS 1.2 be used, as older versions are subject to known attacks. The latest version, 1.3, is not yet widely supported, so it is not advisable to set it as the minimum version.

Opportunistic encryption

Not intended to replace HTTPS, this setting advertises to browsers that an encrypted version of the website is available over other protocols, such as HTTP/2. It should be used alongside a standard SSL / TLS configuration, not instead of one.

TLS 1.3

This is the latest version of the TLS protocol and brings many improvements. It is still not universally supported and is blocked in some countries, so it is wise to enable it but not to rely on it.

Automatic HTTPS rewrites

To help solve mixed-content problems, i.e., a non-HTTPS link within an HTTPS page, you can have CloudFlare rewrite page content before it reaches the visitor to fix those links. This is not perfect, but it catches many stray links. Ideally, the content itself should be fixed.
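To make the "not perfect" caveat concrete, here is an added example (not CloudFlare's implementation) of the idea behind such a rewrite: http:// URLs in resource attributes are upgraded only when the host is on a constructed allowlist of HTTPS-capable hosts, and everything else is reported so it can be fixed in the source. The allowlist, attribute set and sample page are all assumptions.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Added example, not Cloudflare's implementation: a minimal version of the
# Automatic HTTPS Rewrites idea. Only hosts known to serve HTTPS are
# upgraded; the rest are reported so the content can be fixed at the source.
# The allowlist and the sample page below are constructed.

HTTPS_CAPABLE = {"example.com", "cdn.example.net"}

# Attributes through which an http:// URL becomes mixed content on an
# HTTPS page (sub-resource loads and form posts).
_ATTR_RE = re.compile(
    r'(?P<attr>\b(?:src|href|action))=(?P<q>["\'])(?P<url>http://[^"\']+)(?P=q)',
    re.IGNORECASE,
)

SAMPLE_HTML = (  # constructed page with three insecure references
    '<link rel="stylesheet" href="http://cdn.example.net/site.css">'
    '<img src="http://example.com/logo.png">'
    '<script src="http://other.test/track.js"></script>'
)

def rewrite_mixed_content(html):
    """Return (rewritten_html, remaining): http:// URLs are upgraded when the
    host is known to support HTTPS; the rest are returned for manual fixing."""
    remaining = []

    def _upgrade(m):
        parts = urlsplit(m.group("url"))
        if parts.hostname in HTTPS_CAPABLE:
            https_url = urlunsplit(("https",) + tuple(parts[1:]))
            return f'{m.group("attr")}={m.group("q")}{https_url}{m.group("q")}'
        remaining.append(m.group("url"))  # leave unchanged, but report it
        return m.group(0)

    return _ATTR_RE.sub(_upgrade, html), remaining
```

The `remaining` list is the part that matters for defenders: a rewrite can only upgrade what it can prove is reachable over HTTPS, so anything left in that list is still mixed content until the page is corrected.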

Certificate Transparency Monitoring

A newer beta feature, this sends email alerts to the account holder whenever a new certificate is issued for the domain. It acts as an early warning system if a bad actor manages to obtain a certificate for your domain.

Disable Universal SSL

Finally, you have the option to disable Universal SSL completely. This is rarely needed unless you have a very specific requirement.


CloudFlare offers comprehensive features and capabilities for securely and efficiently managing website certificates. CloudFlare is constantly adding new features, both to the free offers and paid options. For SSL and security needs, it’s hard to beat CloudFlare, especially with their free offering!
