I’m using the SSL provided by my host but was informed (by my host) that I also have to set up SSL at Cloudflare, so what are the best settings?
Note: I want to force SSL for those who visit my website, i.e. I want all addresses to be redirected to HTTPS - so if a user types http://, www., etc. I don’t want the user to get an error screen that the site can’t be reached or isn’t safe; instead I want all requests to be automatically redirected to my HTTPS address.
The settings I have so far are:
SSL - Full (strict)
Edge Certificates - left alone
Custom Hostnames - left alone
Origin Certificates - left alone
Always Use HTTPS - off
HTTP Strict Transport Security (HSTS) - disabled
Authenticated Origin Pulls - off
Minimum TLS Version - TLS 1.0 (default)
Opportunistic Encryption - off
Onion Routing - on
TLS 1.3 - enabled
Automatic HTTPS Rewrites - on
Disable Universal SSL - enabled (button reads: Disable Universal SSL)
Thank you very much for your prompt and very helpful response Sandro, I will make the changes now…
A question about HSTS settings though - once I enable HSTS I’m given a list of settings, which are best?
Enable HSTS - on
Max Age Header (max-age) - ?
Apply HSTS policy to subdomains - ?
Preload - ?
No-Sniff Header - ?
Also, when enabling there’s a caution message:
Caution: If misconfigured, HTTP Strict Transport Security (HSTS) can make your website inaccessible to users for an extended period of time.
How long is an “extended period of time”? Also, per your response, why would I ever need to switch off HTTPS? And if for some reason I did need to switch it off, what do you mean that it will be very difficult to switch on again?
I would think that’s the max-age value from the settings. Might be wrong though.
Can’t predict the future.
No, what I meant - and the warning also refers to this - is that your site will be practically hardwired to HTTPS. If you switch HTTPS off and expect HTTP, it might be tricky to convince browsers (which already connected once) to connect over HTTP, as they will go straight for the then-disabled HTTPS. You will need to wait until that directive expires before they consider HTTP again.
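The “how long” in the exchange above is exactly the max-age a browser stores from the Strict-Transport-Security header. The following is an added example, not code from the thread or from Cloudflare: it parses an HSTS header the way a browser does (RFC 6797), reports whether a stored policy forces HTTPS for a given host (including the subdomain case), and returns the worst-case recovery window after switching HTTPS off. The header strings and the timestamp are constructed; mywebsite.dotcom is the thread’s placeholder domain; the preload-eligibility thresholds are stated as an assumption about hstspreload.org’s rules.

```python
"""Added example, not code from the thread or from Cloudflare: parse a
Strict-Transport-Security (HSTS) header the way a browser does and work out
how long HTTPS stays "hardwired" for a visitor.

Header values and the timestamp below are constructed to mirror the
Cloudflare HSTS options under discussion (max-age, includeSubDomains,
preload); nothing here was captured from a real site. Host names use the
thread's placeholder mywebsite.dotcom.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed "time the header was received", used by the demo and tests.
RECEIVED = datetime(2024, 1, 1, tzinfo=timezone.utc)


@dataclass(frozen=True)
class HstsPolicy:
    host: str               # the host the header was received from
    max_age: int            # seconds the browser must refuse plain HTTP
    include_subdomains: bool
    preload: bool


def parse_hsts(host: str, header: str) -> Optional[HstsPolicy]:
    """Parse one STS header field per RFC 6797 section 6.1.

    Returns None when a browser would discard the header: max-age missing,
    a non-numeric max-age, or any directive repeated. Unknown directives
    are ignored, as the RFC requires. Directive names are case-insensitive.
    """
    max_age = None
    include_subdomains = preload = False
    seen = set()
    for raw in header.split(";"):
        token = raw.strip()
        if not token:
            continue
        name, _, value = token.partition("=")
        name = name.strip().lower()
        if name in seen:
            return None  # each directive may appear only once
        seen.add(name)
        if name == "max-age":
            value = value.strip().strip('"')  # quoted-string form is allowed
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    if max_age is None:
        return None  # max-age is the one REQUIRED directive
    return HstsPolicy(host.lower(), max_age, include_subdomains, preload)


def expires_at(policy: HstsPolicy, received: datetime) -> datetime:
    """When the browser will consider plain HTTP again if no fresh header
    arrives. max-age=0 expires immediately, i.e. it deletes the policy."""
    return received + timedelta(seconds=policy.max_age)


def applies_to(policy: HstsPolicy, request_host: str) -> bool:
    """Does the stored policy force HTTPS for request_host?

    The exact host is always covered; subdomains (any depth) only when the
    header carried includeSubDomains. A lookalike such as
    notmywebsite.dotcom is never covered (dot-boundary check).
    """
    request_host = request_host.lower()
    if request_host == policy.host:
        return True
    return policy.include_subdomains and request_host.endswith("." + policy.host)


def recovery_window(policy: HstsPolicy) -> timedelta:
    """Worst-case answer to "how long is an extended period of time": a
    visitor who received the header just before HTTPS was switched off
    keeps being sent to HTTPS for the full max-age."""
    return timedelta(seconds=policy.max_age)


def preload_eligible(policy: HstsPolicy) -> bool:
    """Assumed hstspreload.org rules: max-age of at least one year plus
    includeSubDomains and preload. Preloading is baked into browser builds,
    so it is the one setting that waiting for expiry does not undo."""
    return policy.preload and policy.include_subdomains and policy.max_age >= 31536000


if __name__ == "__main__":
    pol = parse_hsts("mywebsite.dotcom", "max-age=31536000; includeSubDomains; preload")
    print(pol)
    print("expires", expires_at(pol, RECEIVED))
    print("forces HTTPS on www.subdomain.mywebsite.dotcom:",
          applies_to(pol, "www.subdomain.mywebsite.dotcom"))
    print("recovery window", recovery_window(pol))
    print("preload eligible", preload_eligible(pol))
```

The practical reading: Cloudflare’s max-age choices translate directly into how long a returning visitor is locked to HTTPS, “Apply HSTS policy to subdomains” is the includeSubDomains flag, and Preload is the only option that cannot be walked back by waiting.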
However, it’s not working for the subdomain, i.e. www.subdomain.mywebsite.dotcom… instead I’m getting a “This site can’t be reached” page. What can I do to get the subdomain to behave like the domain? Thanks again!
"I haven’t read this entire thread, but the issue with that 4th level domain is that the SSL certificate won’t work for anything beyond 3rd level through Cloudflare with SSL.
Your origin server might support this, and for HTTP this limitation doesn’t exist (due to no SSL).
But… you’re forcing HTTPS through Cloudflare, so you’re stuck unless you get a Custom Hostnames certificate for $10/month."
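The “nothing beyond 3rd level” limit in the reply above comes from how wildcard certificate names are matched: a wildcard stands for exactly one DNS label, so a certificate for mywebsite.dotcom and *.mywebsite.dotcom covers subdomain.mywebsite.dotcom but not www.subdomain.mywebsite.dotcom. The following is an added example, not code from the thread or from Cloudflare: it implements the browser-side name matching from RFC 6125 section 6.4.3 and shows which names a given certificate covers. The SAN lists are constructed around the thread’s placeholder domain; that a Universal SSL certificate carries just the apex and a one-label wildcard is an assumption made here, not something the thread states.

```python
"""Added example, not code from the thread or from Cloudflare: why a
4th-level name such as www.subdomain.mywebsite.dotcom is not covered by a
certificate issued for the zone apex plus a one-label wildcard.

Matching follows RFC 6125 section 6.4.3 as browsers apply it: a wildcard is
accepted only as the entire leftmost label and matches exactly one label,
never a dot. The SAN lists are constructed for illustration around the
thread's placeholder domain mywebsite.dotcom. That Cloudflare's Universal
SSL certificate carries just the apex and "*.apex" is an assumption made
here, not something the thread states.
"""
from typing import List, Optional


def san_matches(pattern: str, hostname: str) -> bool:
    """True if one certificate dNSName entry (pattern) covers hostname."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Reject partial wildcards ("w*.example.com") and wildcards anywhere but
    # the leftmost label; browsers reject both.
    if p_labels[0] != "*" or "*" in pattern[1:]:
        return False
    # A wildcard needs at least two labels to its right (no "*.com"), and it
    # stands for exactly one label, so the label counts must be equal.
    if len(p_labels) < 3 or len(h_labels) != len(p_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def covering_name(san_list: List[str], hostname: str) -> Optional[str]:
    """Return the first SAN entry that covers hostname, or None."""
    for name in san_list:
        if san_matches(name, hostname):
            return name
    return None


def universal_ssl_names(zone: str) -> List[str]:
    """Assumed shape of a Cloudflare Universal SSL certificate: the zone
    apex and a one-label wildcard. A real certificate may differ."""
    return [zone, "*." + zone]


def needed_wildcard(hostname: str) -> str:
    """The narrowest wildcard entry that would cover hostname, i.e. the name
    a custom or advanced certificate would have to carry."""
    return "*." + hostname.split(".", 1)[1]


if __name__ == "__main__":
    sans = universal_ssl_names("mywebsite.dotcom")
    for host in ["mywebsite.dotcom", "www.mywebsite.dotcom",
                 "subdomain.mywebsite.dotcom", "www.subdomain.mywebsite.dotcom"]:
        print(f"{host:40} covered by {covering_name(sans, host)}")
    print("would need:", needed_wildcard("www.subdomain.mywebsite.dotcom"))
```

The same matching applies at the other hop: with SSL set to Full (strict), Cloudflare validates the origin certificate against the hostname it connects with, so the host’s certificate must cover the name as well, not only the edge certificate.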
This is above my pay grade… I’m using my host’s SSL service, asked them if I would see any benefit (website speed / loading time) if I use Cloudflare, they highly recommended Cloudflare, but said I would have to configure SSL on the Cloudflare side.
From this layman’s point of view, it seems that I can just use Cloudflare’s SSL or just my host’s SSL, but instead I’m using 2? Or does each SSL secure different connections?
This support article has some diagrams that show the different SSL configurations:
Every server should have a valid SSL certificate: Your origin web server, and Cloudflare’s proxy servers. Your host provides the SSL for your web server, and Cloudflare provides the SSL for their intermediary (proxy) servers.
You should have both for complete end-to-end security.