A few questions before adding sites


#1

I have two sites hosted with Hostgator - a main domain - glamourdaze.com and an add on domain - vintagemakeupguide.com
which I wish to add to Cloudfare Free plan.

Is it ok if I ask a few ( I hope not stupid) questions?

  1. Do I add just the main domain or do I need to add the two sites separately?

Neither site has the https protocol yet.

  1. Is it ok to get the sites up and running through Cloudfare without them?

Before adding my sites to Cloudfare I was going to purchase an annual ssl cert for each from Hostgator.
My add on domain vintagemakeupguide.com sells eguides via Paypal, but I do not accept credit card info on the site itself.

  1. What type of SSL cert do I need to get - flexible or dedicated and do I understand correctly that I can purchase 2 dedicated ssls from Cloudfare on the free plan?

I have wp total cache enabled on both sites ( page cache only)
At what point do I add Cloudfare as CDN in the cache plugin settings?

All my images for glamourdaze.com are hosted on a sub domain image.glamourdaze.com.
The site is very image heavy and is its most popular feature.

  1. Will the Automatic HTTPS Rewrite feature redirect these to open as https urls?

  2. When https is enabled, do I need to add an ‘s’ in Wordpress settings )wordpress address url/ Site address url)

  3. I’ve only recently been reading up on hotlinking of images and I’ve discovered that my images are being hotlinked
    a great deal. have not enabled hotlink protection yet on my server side.
    Can I enable it through Cloudfare?

  4. My sites are non www domains. Does this matter? All I want is to see that http change to https

Sorry for all these dumb questions

regards
Stevie McGlinchey


#2

There are no sutpid questions!

Seprately. Just click the “Add Site” button after you logged in to CloudFlare

Yes. Just disable SSL under the crypto tab

The dedicated SSL serves domain.com and *.domain.com. If you need more than this for one domain you should think about a dedicated certificate with custom hostnames.

AFAIRC: yes

Go to “Scrape Shield” and activate the hotlink protection. You can also exclude images from this protection

No. The 2nd level (domain.com) and the 3rd level (*.domain.com) is inculded in the certificate.


#3

No such thing as dumb questions. Deep breath…

1- You’ll need to add both domains to CloudFlare separately if you want both to go through CloudFlare. It does not matter if they are addons/aliases.

2- Yes.

3- You don’t need to purchase a SSL at all. CloudFlare will supply you with the origin certificate (to install at your host) and also the public facing certificate. Start with “Flexible”. Then get the origin certificates squared away. Then change to “Full”.

4- Also (5). Since you’re using wordpress I would not have CF do the redirects for you. Have wordpress do so. Otherwise you can end up in an infinite redirect loop.

6- Sure can.

7- That does not matter.


#4

thanks Mark - by domain.com do you mean http:// and *.domain meaning www ? As I dont look for credit card info directly on my sites, would the Flexible ssl option suffice?

Is there less likelihood of mixed content errors on wordpress with dedicated ssls?


#5

thanks Jules - I understood that the Full ssl option required ssl installed at my server end?


My host told me “In the CloudFlare setup, you’ll need to specify the A record for your website” and then gave me my IP address. Is this referring to the origin certificate business? ( I have no idea what I’m talking about here ! :sweat_smile:

I have wp total cache enabled on both sites ( page cache only)
At what point do I add Cloudfare as CDN in the cache plugin settings?

Do you mean that hotlink protection is not necessary under a CDN? I’m not fully sure as to how much bandwidth these scraper sites consume.


#6

“Full” and “Full Strict” require an SSL at the host/origin. “Full” can use CF’s free supplied origin certificate.

The IP address lets CF know where to get your website from, in order to optimize and send to the browsers. That part has nothing to do with SSL. You enter the A record in the DNS tab.

I would enter CF in the cache plugin settings after you have everything set up and working through CF.

“That does not matter.” was in regards to #7, www vs naked domain names.


#7

*.domain.com is a wildcard for all sub domains on the 3rd level. www. is just a sub domain. So yes :slight_smile:

Don’t use Flexible SSL with WordPress. This will definitely lead to redirect issues. There are ways around it but since the traffic between CloudFlare and your server may not be encrypted and can be sniffed by bad guys.

You should use “Full” at least instead. There’s no need to use a valid SSL on your origin. It could be self-signed, expired… CloudFlare doesn’t verify this and will encrypt all traffic. You should do even if you don’t have credit card details there. There are at least your and possibly others login credentials. Plus that Google ranks sites with SSL higher than unencrypted pages.


#8

thanks Jules - so I should go ahead and purchase two annual SSLs for my two sites offered by my host?
Just to be clear - I can activate full SSL in the Free Plan, if I have two valid SSL certs?
My host offers what they call Single Positive SSLs


#9

many thanks Mark - I presume then my url changes simply from http:// to https://
I had read once that Cloudfare only worked with www domains so I want to be clear I am not changing my url to www.
I think would like to activate Full SSL, after setting up two valid postive SSLs which I will purchase from my host.
Does this change my http url to https then while still serving directly from my host?
Do I understand correctly that I can enable Full SSL on the Free Plan?


#10

You should tell your host you want to install CF’s origin certificate. They are free and last up to 15 years.


#11

thanks Jules - So I can I activate Full SSL under the free plan when I have SSL certs installed on my site?
Do you mean that I need to supply my host with the Origin Certificates before they install SSL?
What is an origin certificate?


#12

Every host is different. You’ll have to tell yours that you want to use CF’s Origin Certificate to secure your site. They can direct you from there.


#13

Why not just hire someone to do it and have it done in ten minutes. Then if you really want to know how it is easy for whoever is doing it to pass along a walk-through of the exact setup.


#14

Because learning is fun, free, and rewarding. Hiring someone is expensive, and often goes beyond what one is willing to spend to solve a problem.


#15

You both make valid points.
While I think a lot of these questions could have been learned by reading documentation that already exists, I love helping people regardless, and don’t assume the docs were not previously read.


#16

thanks Jules -
I have read quite a lot this past week buts its a crash course - hence the stupid questions. I really appreciate you taking the time to reply to them !

My main domain ( glamourdaze) has all its images hosted on a sub domain. To solve mixed content errors for these, my current understanding is that I should get a multidomain or wildcard SSL installed on the main domain and this sub domain.

You suggest that I use CF’s free supplied origin certificate and then enable Full SSL

What is the advantage or difference of Origin CA to a SSL Cert installed on my server by host?
Does Cloudfares Origin Certificate you suggest I have installed by my host, also secure my images on this sub domain too? ( image.glamourdaze ).
Is this created automatically when I add my site to Cloudfare and where do I locate it?

Since I am using Wordpress you suggest I do not have CF do the redirects
What section are the redirects normally handled from here?

You then say to have Wordpress do the redirects for me to avoid a redirect loop.
How do I impliment that? Two plugins - Really Simple SSL and Search and Replace
are mentioned a lot

Finally I have a seldom used add on domain. I thought I might add this site to play around with. I presume I can switch the nameservers for this domain to Cloudfares without affecting my main domain?


#17

What a great website!

You don’t need to host all images on a subdomain, but it can still work. You don’t need a fancy SSL certificate. Any first level subdomain will match the *.example.com SSL certificate Cloudlfare users.

Are you using cPanel? cPanel should be able to add SSL to your server (Auto SSL). Have you tried this? It would make life so much easier if you can not use Flexible.

An Origin SSL certificate is free and is a good option if your host only charges for third party certificates, but would let you install your own.

An add-on domain is a completely separate domain here at Cloudflare. I have multiple domains in my account, so an add-on would just be another one (for you).


#19

I’m not big on wordpress but I’ve wrestled with it before. If you can find a plugin to handle the redirects that’s great. Wordpress is a stickler for the domain name including protocol (http/s). After you set up SSL you have to change that value in wordpress (or us a plugin).


#20

This topic was automatically closed after 14 days. New replies are no longer allowed.