What is the correct CloudFlare configuration to use once certs are installed?


#1

I have https://domain.com/ which is a WordPress blog. www.domain.com is an alias of it that should redirect to it, and it does, or at least it did prior to installing the certs.

https://subdomain.domain.com is a custom PHP site.

Before installing the cert I had HTTPS rewriting set to “ON” in the CloudFlare plugin settings and CloudFlare’s SSL set to “Flexible”.

I am also struggling with an infinite redirect problem. This topic seems to deal with the same problem, but I am not clear on exactly what needs to be changed to what in the config files to fix it.


#2

If you have Let’s Encrypt certificates for all of your sites going through CloudFlare, you can turn on “Full (Strict)” in CloudFlare. “Strict” requires that your server have a valid, trusted certificate, such as one issued by Let’s Encrypt; however, there is still a decrypt-and-reencrypt step on CloudFlare’s servers.

If you have any site using a self-signed certificate, use “Full”; data is still encrypted between CloudFlare and your servers, but CloudFlare will happily accept the untrusted certificate your server is using. Again, as with “Full (strict)”, data is still decrypted and then reencrypted on CloudFlare’s servers.

The “Flexible” option says that CloudFlare should offer its certificates to encrypt data between your visitors and CloudFlare’s systems, but CloudFlare will not encrypt communications to your servers. Since you have certificates now, you don’t need to use this anymore (and really didn’t before, either, as you could have just quickly generated a self-signed certificate).


#3

I guess I have Let’s Encrypt certificates for all my sites… When I installed it, I checked the box to enable it for: www.domain.com, domain.com and subdomain.domain.com.

www. is not really used; it’s just an alias/redirect for domain.com.

Does that mean I have certificates for all?

Is it a problem that I only have 1 IP on this server?


#4

Essentially the infinite redirect loop issue comes down to the fact that Flexible SSL is in use. When Flexible SSL is being used, the connection from the origin to CloudFlare is under plaintext HTTP. As such, the server cannot use ordinary methods to determine whether the connection is under HTTP or HTTPS (such as checking the SSL environment variable). As such you get stuck in a redirect loop.

There are a few ways to resolve this.

An example of the last option would be adding this to your .htaccess file:

SetEnvIf X-Forwarded-Proto https HTTPS=on

Alternatively, you can do it at the start of your PHP script using the following snippet:

// Honour the X-Forwarded-Proto header that CloudFlare sets, so that code which
// checks $_SERVER['HTTPS'] sees the scheme the visitor used rather than the
// plain-HTTP hop between CloudFlare and the origin.
if (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] === 'https') {
    $_SERVER['HTTPS'] = 'on';
}
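
The following is an added example, not code from this thread or from CloudFlare: it models the visitor → CloudFlare → origin round trip described in #4 to show why the socket-only check loops under Flexible SSL, why honouring X-Forwarded-Proto ends the loop, and one caveat a practitioner should add. Both the .htaccess one-liner and the PHP snippet above trust the header from any client, so if the origin is reachable directly (not only through CloudFlare), a client on plain HTTP can send `X-Forwarded-Proto: https` and be treated as HTTPS. The example therefore accepts the header only from a trusted proxy address range. The proxy range (TEST-NET-2), the proxy address, the visitor address and the request model are constructed placeholders; CloudFlare's real egress ranges are published at https://www.cloudflare.com/ips/ and are not embedded here.

```python
import ipaddress

# Constructed placeholder for the reverse proxy's egress addresses (TEST-NET-2),
# standing in for CloudFlare's published ranges so the example runs offline.
TRUSTED_PROXIES = [ipaddress.ip_network("198.51.100.0/24")]

SITE = "https://domain.com"  # canonical URL the site is configured with


def is_trusted_proxy(remote_addr):
    """True if the TCP peer is one of our reverse-proxy addresses."""
    addr = ipaddress.ip_address(remote_addr)
    return any(addr in net for net in TRUSTED_PROXIES)


def effective_scheme(remote_addr, headers, tls_on_socket,
                     honour_forwarded_proto=True, only_from_proxies=True):
    """Scheme the visitor actually used.

    tls_on_socket is what $_SERVER['HTTPS'] reflects: whether the origin's own
    socket was TLS. Under Flexible SSL it is always False, because the hop from
    CloudFlare to the origin is plain HTTP. honour_forwarded_proto is what the
    SetEnvIf / PHP snippet in the thread adds; only_from_proxies is the extra
    check that stops a client talking to the origin directly from spoofing it.
    """
    if tls_on_socket:
        return "https"
    if honour_forwarded_proto and (not only_from_proxies or is_trusted_proxy(remote_addr)):
        if headers.get("X-Forwarded-Proto", "").lower() == "https":
            return "https"
    return "http"


def origin_response(remote_addr, headers, tls_on_socket, honour_forwarded_proto):
    """The force-HTTPS rule: anything not seen as HTTPS gets a 301 to the HTTPS URL."""
    scheme = effective_scheme(remote_addr, headers, tls_on_socket, honour_forwarded_proto)
    if scheme == "https":
        return (200, None)
    return (301, SITE + "/")


def simulate(ssl_mode, honour_forwarded_proto, max_hops=5):
    """Round trips until the origin answers 200; None if it keeps redirecting.

    ssl_mode models the CloudFlare setting: 'flexible' makes the origin hop plain
    HTTP, 'full' or 'strict' makes it TLS. CloudFlare sets X-Forwarded-Proto to
    the visitor's scheme in every mode. The visitor always connects over HTTPS.
    """
    proxy_addr = "198.51.100.10"  # constructed: an address inside TRUSTED_PROXIES
    for hop in range(1, max_hops + 1):
        status, location = origin_response(
            proxy_addr,
            {"X-Forwarded-Proto": "https"},
            tls_on_socket=(ssl_mode != "flexible"),
            honour_forwarded_proto=honour_forwarded_proto,
        )
        if status == 200:
            return hop
        # The visitor follows the 301 to https://domain.com/, which is the very
        # same request it just made: this is the loop.
        assert location == SITE + "/"
    return None


def spoof_attempt(only_from_proxies):
    """A client reaching the origin directly on plain HTTP and lying in the header."""
    return effective_scheme("203.0.113.7", {"X-Forwarded-Proto": "https"},
                            tls_on_socket=False, only_from_proxies=only_from_proxies)


if __name__ == "__main__":
    print("Flexible, socket check only:", simulate("flexible", False))
    print("Flexible, header honoured:  ", simulate("flexible", True))
    print("Full, socket check only:    ", simulate("full", False))
    print("Spoof, header trusted from anyone:", spoof_attempt(False))
    print("Spoof, header trusted only from proxy:", spoof_attempt(True))
```

With `only_from_proxies` enabled the one-line .htaccess rule would become a `SetEnvIf` guarded by a remote-address condition, or, on Apache, `mod_remoteip` configured with the proxy ranges; the loop-breaking effect is identical, only the spoofing case changes.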

#5

If a web browser might visit it (even just to follow the redirect to the other site), it can show an error if the certificate isn’t valid, so it was correct to ask for certificates including for names used only to redirect.

You can inspect the certificate (if you have a copy as a file) or from inside a web browser (if you bypass CloudFlare or switch it off temporarily) to see the list of “Subject Alternative Names”, which should match the list of names you requested unless something went wrong. If you look at a Cloudflare certificate, it will be for many different names (Cloudflare saves money/effort by sharing the certificates on their cheap/free plan between several customers) and issued from Comodo rather than Let’s Encrypt.

You can also find your certificate in a log monitor, such as https://crt.sh/, by typing in a name you know and viewing the list of Subject Alternative Names in crt.sh’s view of the certificate.

Having only a single IP means that browser visitors to your site must use SNI (Server Name Indication) to say which site they expected to visit. Any modern browser is capable of this; worry only if you need to make it work for very old systems such as Windows XP, very old Android phones, or similar, or if you need to make it work with a special piece of third-party software that you know can’t do SNI. Even without SNI, things will work perfectly so long as you use only one certificate on the IP address, for all the names it answers for; the purpose of SNI is to select a certificate, and if you’ve only got one there’s no selection to make, so no problem.


#6

Would it not be better to just set SSL to Full (Strict)?

If I have certificates on the server, doesn’t that eliminate the need for Flexible SSL entirely?

Thanks.
