i’m using the ssl provided by my host but was informed (by my host) that i have to also setup ssl at Cloudflare, so what are the best settings?
note: i want to force ssl for those who visit my website, i.e. i want all addresses to be redirected to https - so if a user types http://, www., etc. i don’t want the user to get an error screen that the site can’t be reached or isn’t safe, instead i want all requests to be automatically redirected to my https address.
the settings i have so far are:
ssl - full (strict)
edge certificates - left alone
custom hostnames - left alone
origin certificates - left alone
always use https - off
http strict transport security (hsts) - disabled
authenticated origin pulls - off
minimum tls version - tls 1.0 (default)
opportunistic encryption - off
onion routing - on
tls 1.3 - enabled
automatic https rewrites - on
disable universal ssl - enabled (button reads: disable universal ssl)
thank you very much for your prompt and very helpful response sandro, i will make the changes now…
a question about hsts settings tho - once i enable hsts i’m given a list of setting, which are best?
enable hsts - on
max age header (max-age) - ?
apply hsts policy to subdomains - ?
preload - ?
no-sniff header - ?
also, when enabling there’s a caution message:
Caution : If misconfigured, HTTP Strict Transport Security (HSTS) can make your website inaccessible to users for an extended period of time.
how long is an “extended period of time”? also, per your response, why would i ever need to switch off https? and if for some reason i did need to switch it off, what do you mean that it will be very difficult to switch on again?
I would think that's the max-age value from the settings. Might be wrong though
Can't predict the future
No, what I meant - and the warning also refers to - is that your site will be practically hardwired to HTTPS. If you switch HTTPS off and expect HTTP it might be tricky to convince browsers (which already connected once) to connect to HTTP as they will go straight for - then disabled - HTTPS. You will need to wait until that directive expires and they consider HTTP again.
I suggest that you leave HSTS off for the moment. (Sorry @sandro).
The other settings will force visitors to HTTPS on your site. HSTS is good if someone finds a way to hijack (MITM) your visitors and impersonate your site.
But once you’re confident you’ve got a handle on running your site on HTTPS, you can then enable HSTS, but with a very low Max Age, like a month. But don’t (yet) enable “Include Subdomains.”
Again, leave HSTS alone until you’re very comfortable with how to configure HTTPS for your domain.
No need, I am fully aware that I am a security lunatic
HSTS is a good way to additionally ensure there is no way to not connect in a secure fashion, but that certainly has some disadvantages. Hence my disclaimer and also Cloudflare’s warning.
But I agree, it might be good to initially keep it off until everything else has settled in.
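To make the max-age discussion above concrete, here is an added example (not from the thread or from Cloudflare) that parses a Strict-Transport-Security header, works out how long browsers that saw it will refuse plain HTTP, and flags the settings the replies warn about (a long max-age, includeSubDomains, and preload's own requirements). The header strings are constructed for the example; the thresholds are the one-month suggestion from the thread and the one-year minimum the HSTS preload list requires.

```python
from datetime import datetime, timedelta, timezone
from typing import Optional

ONE_MONTH = 30 * 24 * 3600      # the "very low" max-age suggested in the thread
ONE_YEAR = 365 * 24 * 3600      # minimum max-age accepted by the preload list


def parse_hsts(header: str) -> dict:
    """Parse an HSTS header value into a dict of directive -> value.

    Directive names are case-insensitive, max-age is mandatory and must be a
    non-negative integer, and a repeated directive makes the header invalid
    (browsers ignore such a header entirely)."""
    policy = {}
    for raw in header.split(";"):
        part = raw.strip()
        if not part:
            continue
        name, sep, value = part.partition("=")
        name = name.strip().lower()
        if name in policy:
            raise ValueError(f"duplicate directive: {name}")
        policy[name] = value.strip().strip('"') if sep else True
    if "max-age" not in policy or not str(policy["max-age"]).isdigit():
        raise ValueError("max-age is required and must be an integer")
    policy["max-age"] = int(policy["max-age"])
    return policy


def assess(header: str, now: Optional[datetime] = None) -> dict:
    """Return the lock-in period and warnings for a given HSTS header."""
    p = parse_hsts(header)
    now = now or datetime.now(timezone.utc)
    warnings = []
    if p["max-age"] > ONE_MONTH:
        warnings.append("max-age above one month: a misconfiguration stays locked in that long")
    if "includesubdomains" in p:
        warnings.append("includeSubDomains: every subdomain must already serve valid HTTPS")
    if "preload" in p and (p["max-age"] < ONE_YEAR or "includesubdomains" not in p):
        warnings.append("preload requires max-age >= 1 year and includeSubDomains")
    return {
        "max_age": p["max-age"],
        # until this time, a browser that saw the header will not try plain HTTP
        "locked_until": now + timedelta(seconds=p["max-age"]),
        "includes_subdomains": "includesubdomains" in p,
        "warnings": warnings,
    }
```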
however it’s not working for the subdomain, i.e. www.subdomain.mywebsite.dotcom… instead i’m getting a “This site can’t be reached” page… what can i do to get the subdomain to behave like the domain? thanks again!
forgive my ignorance, but what’s the 4th level? it seems that my subdomain is on the 3rd level as follows:
home \ domain \ subdomain
also, i was trying to get this resolved with my host before posting here, and they’ve assured me that on their end they can access my subdomain using www or http
just received a ticket from my host telling me that even tho it’s loading on their end:
“The above-mentioned link is still not loading on your end due to the fact that it is in the propagation period due to the recent Cloudflare activation.”
this seems odd to me because the main domain is working fine, i.e. it’s not in the “propagation period”.
still a little fuzzy? are you saying each “section” counts as a level? i.e. www = 4, subdomain = 3, etc.?
and if so, then my host has it wrong, the reason i’m not seeing it isn’t because it’s “still propagating”, instead it’s because it’s 4th level? so what could they be seeing i wonder?
I haven’t read this entire thread, but the issue with that 4th level domain is that the SSL certificate won’t work for anything beyond 3rd level. Through Cloudflare with SSL.
Your origin server might support this, and for HTTP, this limitation doesn’t exist (due to no SSL).
But…You’re forcing HTTPS through Cloudflare, so you’re stuck unless you get a Custom Hostnames certificate for $10/month.
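The "4th level" limit comes from how browsers match certificate names: a wildcard such as *.example.com stands in for exactly one DNS label, so it covers sub.example.com but not www.sub.example.com. The following is an added example (not from the thread or from Cloudflare) that applies that rule to a constructed Subject Alternative Name list shaped like a single-zone wildcard certificate; example.com is a placeholder for the poster's domain.

```python
def name_matches(pattern: str, hostname: str) -> bool:
    """Browser-style certificate name matching: a leading '*' matches exactly
    one label, only in the leftmost position; anything else is compared literally."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # Same label count, and every label after the wildcard must match exactly.
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def covered(hostname: str, sans: list) -> bool:
    """True if any name on the certificate covers the hostname."""
    return any(name_matches(san, hostname) for san in sans)


def levels(hostname: str) -> int:
    """Label count as the thread counts it: example.com = 2, sub.example.com = 3."""
    return len(hostname.strip(".").split("."))


# Constructed SAN list: apex plus one-level wildcard, as a basic wildcard cert carries.
UNIVERSAL_SANS = ["example.com", "*.example.com"]


def report(hostnames, sans=UNIVERSAL_SANS) -> dict:
    """Map each hostname to its level and whether the given SANs cover it."""
    return {h: {"level": levels(h), "covered": covered(h, sans)} for h in hostnames}


if __name__ == "__main__":
    hosts = ["example.com", "www.example.com", "sub.example.com", "www.sub.example.com"]
    for host, info in report(hosts).items():
        print(f"{host:24} level {info['level']}  covered={info['covered']}")
    # Covering the 4th-level name requires a certificate that also lists *.sub.example.com
    print(covered("www.sub.example.com", UNIVERSAL_SANS + ["*.sub.example.com"]))
```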
"I haven’t read this entire thread, but the issue with that 4th level domain is that the SSL certificate won’t work for anything beyond 3rd level. Through Cloudflare with SSL.
Your origin server might support this, and for HTTP, this limitation doesn’t exist (due to no SSL).
But…You’re forcing HTTPS through Cloudflare, so you’re stuck unless you get a Custom Hostnames certificate for $10/month."
this is above my pay grade… i’m using my host’s ssl service, asked them if i would see any benefit (website speed / loading time) if i use Cloudflare, they highly recommended Cloudflare, but said i would have to configure ssl on the Cloudflare side.
from this layman’s point of view, it seems that i can just use Cloudflare’s ssl or just my host’s ssl, but instead i’m using 2? or does each ssl secure different connections?
This support article has some diagrams that show the different SSL configurations:
Every server should have a valid SSL certificate: Your origin web server, and Cloudflare’s proxy servers. Your host provides the SSL for your web server, and Cloudflare provides the SSL for their intermediary (proxy) servers.
You should have both for complete end-to-end security.