Best Crypto Settings For Free Account?

robert5 · 2018-12-08 15:45:05 UTC

i’m using the ssl provided by my host but was informed (by my host) that i have to also setup ssl at cloudflare, so what are the best settings?

note: i want to force ssl for those who visit my website, i.e. i want all addresses to be redirected to https - so if a user types htttp://, www., etc. i don’t the user to get an error screen that the site can’t be reached or isn’t safe, instead i want all requests to be automatically redirected to my https address.

the settings i have so are:

ssl - full (strict)
edge certificates - left alone
custom hostnames - left alone
origin certificates - left alone
always use https - off
http strict transport security (hsts) - disabled
authenticated origin pulls - off
minimum tls version - tls 1.0 (default)
opportunistic encryption - off
onion routing - on
tls 1.3 - enabled
automatic https rewrites - on
disable universal ssl - enabled (button reads: disable universal ssl)

do i need to make any changes to these settings?

thanks very much!

sandro · 2018-12-08 15:53:05 UTC

Should be on.

Should be on too, though do note that it will be difficult to switch off HTTPS in this case - should that need ever arise.

1.1 is probably better

robert5 · 2018-12-08 16:03:10 UTC

thank you very much for your prompt and very helpful response sandro, i will make the changes now…

a question about hsts settings tho - once i enable hsts i’m given a list of setting, which are best?

enable hsts - on
max age header (max-age) - ?
apply hsts policy to subdomains - ?
preoload - ?
no-sniff header - ?

also, when enabling there’s a caution message:

Caution : If misconfigured, HTTP Strict Transport Security (HSTS) can make your website inaccessible to users for an extended period of time.

how long is an “extended period of time”? also, per your response, why would i ever need to switch off https? and if for some reason i did need to switch it off, what do you mean that it will be very difficult to switch on again?

thanks again sandro!

sandro · 2018-12-08 16:07:28 UTC

I’ll leave this to someone else

Thats exactly what I was warning about earlier.

I would think thats the max-age value from the settings. Might be wrong though

Cant predict the future

No, what I meant - and the warning also refers to - is that your site will be practically hardwired to HTTPS. If you switch HTTPS off and and expect HTTP it might be tricky to convince browsers (which already connected once) to connect to HTTP as they will go straight for - then disabled - HTTPS. You will need to wait until that directive expires and they consider HTTP again.

sdayman · 2018-12-08 16:21:36 UTC

I suggest that you leave HSTS off for the moment. (Sorry @sandro).

The other settings will force visitors to HTTPS on your site. HSTS is good if someone finds a way to hijack (MITM) your visitors and impersonate your site.

But once you’re confident you’ve got a handle on running your site on HTTPS, you can then enable HSTS, but with a very low Max Age, like a month. But don’t (yet) enable “Include Subdomains.”

Again, leave HSTS alone until you’re very comfortable with how to configure HTTPS for your domain.

sandro · 2018-12-08 16:26:44 UTC

No need, I am fully aware that I am a security lunatic

HSTS is a good way to additionally ensure there is no way to not connect in a secure fashion, but that certainly has some disadvantages. Hence my disclaimer and also Cloudflare’s warning.

But I agree, it might be good to initially keep it off until everything else has settled in.

robert5 · 2018-12-08 16:45:59 UTC

thank you very much gentlemen, i’ve set everything as you recommended!

one thing tho -

if i enter www.mywbsite.dotcom or http://www.mywebsite.dotcom i’m immediately directed to https://www.mywebsite.dotcom, which is awesome, exactly what i want.

however it’s not working for the subdomain, i.e. www.subdomain.mywebsite.dotcom… instead i’m getting a “This site can’t be reached” page… what i can i do to get the subdomain to behave like the domain? thanks again!

sandro · 2018-12-08 16:48:51 UTC

Anything on the fourth-level (on .com at least) is not supported by default by Cloudflare. You’d need a paid dedicated certificate for that.

robert5 · 2018-12-08 17:01:02 UTC

forgive my ignorance, but what’s the 4th level? it seems that my subdomain is on the 3rd level as follows:

home \ domain \ subdomain

also, i was trying to get this resolved with my host before posting here, and they’ve assured me that on their end they can access my subdomain using www or http

robert5 · 2018-12-08 17:03:54 UTC

edit -

just received a ticket from my host telling me that even tho it’s loading on their end:

“The above-mentioned link is still not loading on your end due to the fact that it is in the propagation period due to the recent Cloudflare activation.”

this seems odd to me because the main domain is working fine, i.e. it’s not in the “propagation period”.

sandro · 2018-12-08 17:04:16 UTC

4.3.2.1 such as www.subdomain.mywebsite.dotcom

robert5 · 2018-12-08 17:09:44 UTC

still a little fuzzy? are you saying each “section” counts as a level? i.e. www = 4, subdomain = 3, etc.?

and of so, then my host has it wrong, the reason i’m not seeing it isn’t because it’s “still propagating”, instead it’s because it’s 4th level? so what could they be seeing i wonder?

sandro · 2018-12-08 17:41:12 UTC

Precisely.

robert5 · 2018-12-08 17:52:58 UTC

thanks!

so then my host is full of beans? there’s no way they can see the subdomain using www or http?

sandro · 2018-12-08 17:55:29 UTC

If it resolves fine for you DNS propagation should not have any role in this case.

sdayman · 2018-12-08 17:55:50 UTC

I haven’t read this entire thread, but the issue with that 4th level domain is that the SSL certificate won’t work for anything beyond 3rd level. Through Cloudflare with SSL.

Your origin server might support this, and for HTTP, this limitation doesn’t exist (due to no SSL).

But…You’re forcing HTTPS through Cloudflare, so you’re stuck unless you get a Custom Hostnames certificate for $10/month.

robert5 · 2018-12-08 18:06:10 UTC

"I haven’t read this entire thread, but the issue with that 4th level domain is that the SSL certificate won’t work for anything beyond 3rd level. Through Cloudflare with SSL.

Your origin server might support this, and for HTTP, this limitation doesn’t exist (due to no SSL).

But…You’re forcing HTTPS through Cloudflare, so you’re stuck unless you get a Custom Hostnames certificate for $10/month."

this is above my pay grade… i’m using my hosts ssl service, asked them if would see any benefit (website speed / loading time) if i use cloudflare, they highly recommended cloudflare, but said i would have to configure ssl on the the cloudflare side.

from this layman’s point of view, it seems that i can just use cloudflare’s ssl or just my host’s ssl, but instead i’m using 2? or does each ssl secure different connections?

robert5 · 2018-12-08 18:06:48 UTC

“If it resolves fine for you DNS propagation should not have any role in this case.”

not sure i understand this?

sdayman · 2018-12-08 22:06:39 UTC

This support article has some diagrams that show the different SSL configurations:

Every server should have a valid SSL certificate: Your origin web server, and Cloudflare’s proxy servers. Your host provides the SSL for your web server, and Cloudflare provides the SSL for their intermediary (proxy) servers.

You should have both for complete end-to-end security.

robert5 · 2018-12-09 17:35:10 UTC

thanks sdayman, very helpful! would have replied sooner but my new user status cut me off at 20 posts.