Almost Always Use HTTPS


Users should always have a valid SSL certificate on their origin server. There are advantages to using a certificate from a valid certificate authority (vs. a self-signed certificate of their own creation or one from Cloudflare).

When Cloudflare added the Always Use HTTPS option it was an ‘easy button’ for advancing the use of TLS everywhere. It also had the added benefit of saving the use of a page rule.

As the web has evolved, the process for automating/ordering a TLS certificate has evolved along with it. Given the new, more powerful rules engine Cloudflare has implemented for edge processing, I’d like to suggest that the easy button evolve as well.

Enter: Almost Always Use HTTPS

This function would be an extension of the existing functionality (obviously some code logic would need to change) and would allow a customer to choose to allow HTTP requests for http://example.com/.well-known/acme-challenge/* and any other common paths that require HTTP rather than HTTPS to function (if they exist).

From the Let’s Encrypt challenge types page:

Most of the time, this validation is handled automatically by your ACME client, but if you need to make some more complex configuration decisions, it’s useful to know more about them. If you’re unsure, go with your client’s defaults or with HTTP-01.

HTTP-01 challenge
This is the most common challenge type today. Let’s Encrypt gives a token to your ACME client, and your ACME client puts a file on your web server at http://<YOUR_DOMAIN>/.well-known/acme-challenge/

In the community forums it is a fairly common issue that customers can’t issue certificates with their hosting provider, because the provider utilizes this mechanism by default to issue valid origin certificates. In order to work around this, the customer either needs to grey-cloud their record to allow the request to go directly to the origin, or they need to create a redirect rule with an appropriate exception pattern. Both cause friction and introduce the opportunity for misconfiguration or other security risks to the sites.

The Easy Button has value for the average user, and this minor enhancement would allow a straightforward bypass mechanism where the risk to the origin is likely exceptionally low.

2 Likes
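The "redirect rule with an appropriate exception pattern" mentioned in the post above, written out as an added example (this is not code from the original post or from Cloudflare). It is a Cloudflare Worker-style handler that forces HTTPS for everything except ACME HTTP-01 challenge requests, which must be able to reach the origin over plain HTTP. The decision logic is kept in plain functions so it can be run and tested outside a Worker runtime; the `worker` object and the use of `Response.redirect` are assumptions about how one would wire it into a Worker. Two practitioner details it shows that the post does not: the exception matches the full challenge path (token included) rather than a loose prefix, and it relies on URL normalization so `..` segments cannot be used to keep other paths on HTTP.

```javascript
// Added example, not from the original post or from Cloudflare.
// "Almost Always Use HTTPS" as a Cloudflare Worker-style handler:
// redirect http:// to https:// except for ACME HTTP-01 challenge requests.

// HTTP-01 tokens are base64url strings (A-Z a-z 0-9 - _). Anchoring the
// pattern end-to-end means only a real challenge URL stays on HTTP; a bare
// "/.well-known/acme-challenge/" or a path with extra segments does not.
const ACME_CHALLENGE = /^\/\.well-known\/acme-challenge\/[A-Za-z0-9_-]+$/;

// The ACME server only ever fetches the token, so limit the exception to
// GET/HEAD; anything else on that path is treated like any other request.
function isAcmeChallenge(method, pathname) {
  return (method === 'GET' || method === 'HEAD') && ACME_CHALLENGE.test(pathname);
}

// Decide how to handle a request. Returns { action: 'pass' } to let it
// reach the origin unchanged, or { action: 'redirect', location } with the
// https:// equivalent of the requested URL.
function decide(method, urlString) {
  // WHATWG URL parsing resolves "." and ".." segments, so a request like
  // /.well-known/acme-challenge/../../admin is evaluated as /admin.
  const url = new URL(urlString);
  if (url.protocol === 'https:') {
    return { action: 'pass' };
  }
  if (isAcmeChallenge(method, url.pathname)) {
    return { action: 'pass' };
  }
  url.protocol = 'https:';
  return { action: 'redirect', location: url.toString() };
}

// Assumed Worker wiring (in a real Worker this object would be the module's
// default export). Not exercised by the tests below.
const worker = {
  async fetch(request) {
    const d = decide(request.method, request.url);
    if (d.action === 'redirect') {
      return Response.redirect(d.location, 301);
    }
    return fetch(request);
  },
};
```

The same exception can be expressed declaratively in a Cloudflare redirect rule by excluding requests whose path starts with `/.well-known/acme-challenge/` from the HTTP-to-HTTPS redirect; the Worker form above is shown because it makes the exact-match and normalization behaviour explicit and testable.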

I have SOP templates for rules that facilitate this, at least with Let’s Encrypt. I’m fairly certain that AutoSSL needs similar accommodation, although I have never looked into the required syntax since I don’t use it.

We know from recurring forum topics that many users are new to SSL and do not know the methods used by ACME or AutoSSL, and will certainly not have created templates to help them make their Cloudflare settings compatible with their automated CA issuance procedures.

Incorporating this logic into the defaults of the current Always Use HTTPS setting would bring tangible value to both Cloudflare users and Cloudflare itself.

2 Likes

This is why I entirely gave up on http-01 challenge and mod_md and use Certbot with the Cloudflare DNS plugin. It’s easier to do that than it is to make http-01 work through Cloudflare.

2 Likes