Cloudflare and SSL


#1

Hi there,

I was wondering if someone can please help with some SSL and free CloudFlare info. We put all our clients on CloudFlare but most of them opt for the free service. With the Google padlock warning coming in, we are going to, I think, need to get these clients using the free CloudFlare to purchase the $5 per month Dedicated SSL Certificate option. Is this correct?

As currently, even though we are forcing SSL of their accounts through CloudFlare, it does not fully fix the padlock as it misses some background images. If you have a look at one of our client’s sites here:

www.arcadiacottages.com.au

You will see what I mean.

I think most of our clients would prefer this $5 per month option, rather than setting up a certificate at their hosting server end, but we do want it to work if we ask them to buy them. Would getting one of these certificates fix the current issue we are having with our client’s sites?

We have a lot doing the same thing.

Thanks very much !

Paula


#2

Hi @dance!

So, the issue in your case is not the actual certificate (you can still buy the Dedicated Certificate for $5/month, to have a certificate dedicated to just their domain). I would recommend a few steps:

  1. change all links to your own website to relative, so that they are protocol agnostic (if HTTPS they will be HTTPS). As your website seems to be on WordPress you can probably use a plugin that does this. Just do not do any HTTP -> HTTPS redirects on the server side, particularly as you're using Flexible SSL, which will create a redirect loop – this is the main issue in your website.
  2. set Always Use HTTPS in the Crypto tab; it should force everything to HTTPS no matter the file requested.
  3. install an Origin Certificate (Cloudflare provides free ones, valid for up to 15 years) that they trust so you can upgrade to Full (Strict) SSL and have the whole connection encrypted.
  4. set a Content-Security-Policy header to prevent unknown connections and set it to upgrade-insecure-requests or block-all-mixed-content at least. Do read up and understand this fully as it can cause issues if misconfigured. https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
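Step 1 above is the one that actually removes the padlock warning, and post #5 adds that CSS files must be checked too. The following is an added example, not Matteo's code, a Cloudflare tool, or a WordPress plugin: a small Python script that scans HTML and CSS for subresources referenced over http:, rewrites the ones pointing at your own host to https:, and reports any third-party http: references that remain. The hostname is the one from this thread; the sample page, stylesheet, paths and the CDN host are constructed for the example.

```python
import re

# Constructed sample page and stylesheet for the example. The hostname is the one
# named in this thread; every path and the third-party CDN host are invented.
OWN_HOST = "arcadiacottages.com.au"

SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://arcadiacottages.com.au/style.css">
<script src="http://cdn.example.invalid/lib.js"></script>
</head><body>
<a href="http://arcadiacottages.com.au/facials.htm">Facials</a>
<img src="http://arcadiacottages.com.au/images/hero.jpg">
<img src="//arcadiacottages.com.au/images/logo.png">
<img src="https://arcadiacottages.com.au/images/ok.png">
</body></html>"""

SAMPLE_CSS = """body  { background: url(http://arcadiacottages.com.au/images/bg.jpg); }
.hero { background-image: url("http://arcadiacottages.com.au/images/hero.jpg"); }
.logo { background-image: url('/images/local.png'); }"""

# Attribute values the browser fetches as subresources. An <a href> is a navigation,
# not a subresource, so it never triggers a mixed-content warning.
TAG_RE = re.compile(r"<(\w+)[^>]*>")
HTML_ATTR_RE = re.compile(r"""\b(src|href|poster|data)\s*=\s*(["'])(http://[^"']+)\2""", re.IGNORECASE)
# url(...) inside CSS, quoted or bare, with an absolute http: URL
CSS_URL_RE = re.compile(r"""url\(\s*(["']?)(http://[^"')]+)\1\s*\)""", re.IGNORECASE)

def find_mixed_content(html, css):
    """Return (location, url) pairs for every subresource referenced over http:."""
    findings = []
    for tag_m in TAG_RE.finditer(html):
        tag = tag_m.group(1).lower()
        for attr_m in HTML_ATTR_RE.finditer(tag_m.group(0)):
            attr, _, url = attr_m.groups()
            if tag == "a" and attr.lower() == "href":
                continue  # page-to-page link, not mixed content
            findings.append((f"html:<{tag} {attr.lower()}>", url))
    for css_m in CSS_URL_RE.finditer(css):
        findings.append(("css:url()", css_m.group(2)))
    return findings

def rewrite_own_host(text, own_host=OWN_HOST):
    """Rewrite absolute http:// references to our own host so they become https://.

    Third-party http:// URLs are left alone: whether that host serves HTTPS has to
    be checked by hand, and a server-side redirect would not help (see post #6).
    The negative lookahead stops 'example.com' from also matching 'example.com.evil'.
    """
    pattern = re.compile(r"http://" + re.escape(own_host) + r"(?![\w.-])", re.IGNORECASE)
    return pattern.sub("https://" + own_host, text)

def remaining_after_rewrite(html=SAMPLE_HTML, css=SAMPLE_CSS, own_host=OWN_HOST):
    """Findings that survive the rewrite; these need manual attention."""
    return find_mixed_content(rewrite_own_host(html, own_host),
                              rewrite_own_host(css, own_host))

if __name__ == "__main__":
    for where, url in find_mixed_content(SAMPLE_HTML, SAMPLE_CSS):
        print(f"mixed content  {where:22s} {url}")
    for where, url in remaining_after_rewrite():
        print(f"still insecure {where:22s} {url}")
```

On a real site you would run the scan over the rendered HTML and every stylesheet, not only the WordPress database, since themes and plugins often hard-code http: URLs in their own CSS.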

#3

haha, thanks heaps Matteo, that’s great but it seems a bit frightening :slight_smile: do you mind assessing my interpretation to make sure I have it right please?

  1. On the Arcadia site above, I use a plugin to make sure all URLs, images or otherwise, are https:// by changing http://arcadiacottages.com.au/ to https://arcadiacottages.com.au/ in all instances in the WP database? (We use ‘Better Search and Replace’, btw.)

The second part of this I am a bit unsure about. Currently we have the plugin ‘Redirection’ in WP, with the old URLs (the http:// ones, still in Google as we’ve just released the site) redirecting to the new WP site. It has multiple 301 redirects in this form:
/facials.htm?fullweb=1

Do you mean we should get rid of these? Or are these irrelevant as they are only picked up by old references?

Hopefully these questions do not sound too ridiculous lol…
I am trying to look after my clients in the best possible way and really appreciate your help.

So, to the last part of this point, you mention we could purchase the Dedicated Certificate but it is not essential, as we can do it quite fine so long as 1-4 are addressed. Is that correct? But is there a benefit for our clients having these certificates? Or is it only in particular cases, such as having eCommerce on their sites?

  2. understood, thanks!

  3. I will look into this and install. I presume there are some help files on CloudFlare which explain how to do this, all good thanks!

  4. This one especially has me freaking ha - but I will go and read the link you have sent. I want to get this right. I have spent the last year trying to work out how to get through all the online tests and deal with all of it apart from this issue. Thank you so much for your help, paula :+1:


#4

I don’t know how that happened, it was supposed to look like:

/facials.htm?fullweb=1
and then under it - the address of arcadiacottages - with the http:// protocol not https:// !


#5

Will reply in more detail afterwards, but for 1. also check CSS files; the issues were background images as well.


#6

Point 1.

As long as it does not do HTTPS redirects, only page-to-page ones, do not worry about it.

Absolutely. You only need the Dedicated Certificate if you would like to have a more personalized certificate (not shared between multiple domains) or you have additional subdomains not covered in the basic *.example.com, example.com.

Point 2.
Just to clarify, if the original request in the HTML/CSS/JS code is http: then this won’t fix the issue. The resource would be redirected to HTTPS, but the browser, as soon as it sees http:, will throw the mixed content error.

Point 3.
When you get one there will be a link to configure the major server types (Apache, nginx, etc.)

Point 4.
This is not the most required, the simple Content-Security-Policy: block-all-mixed-content would go a long way, especially if there is no user data at stake. Of course you can go all-in, but be careful. This is a good cheat-sheet and, together with Troy Hunt (https://www.troyhunt.com, @troyhunt) a great resource on security: https://scotthelme.co.uk/csp-cheat-sheet/
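Point 2 and Point 4 together describe how a browser decides, from the URL as written in the markup, whether a subresource is mixed content, and how the two CSP directives change that decision. The following is an added example for this thread, not code from Matteo, Cloudflare or any browser: a simplified Python model of that decision, with the thread's hostname and constructed paths as sample input. Only the classic split between active content (blocked) and passive content (loaded, padlock lost) is modelled; real browsers have more cases.

```python
from urllib.parse import urlsplit

# Simplified model of a browser's mixed-content decision. It is an added example,
# not a real browser implementation; the active/passive split follows the W3C
# Mixed Content classification in broad strokes only.
ACTIVE_TYPES = {"script", "stylesheet", "iframe", "fetch", "font"}
PASSIVE_TYPES = {"img", "audio", "video"}

def parse_csp(header_value):
    """Split a Content-Security-Policy value into the set of directive names."""
    return {d.strip().split()[0].lower() for d in header_value.split(";") if d.strip()}

def decide(page_url, resource_url, resource_type, csp=""):
    """Return (action, url) for one subresource referenced from page_url.

    The decision is made from the URL exactly as written in the HTML/CSS, before
    any request is sent. That is why a server-side HTTP -> HTTPS redirect (or
    Cloudflare's Always Use HTTPS) cannot repair an http: reference: the browser
    never gets as far as following the redirect.
    """
    if urlsplit(page_url).scheme != "https":
        return ("load", resource_url)               # plain-HTTP page: nothing is "mixed"
    if urlsplit(resource_url).scheme != "http":
        return ("load", resource_url)               # relative, //host/..., https:, data: are fine
    directives = parse_csp(csp)
    if "upgrade-insecure-requests" in directives:   # evaluated before block-all-mixed-content
        return ("upgrade", "https://" + resource_url[len("http://"):])
    if "block-all-mixed-content" in directives:
        return ("block", resource_url)
    if resource_type in PASSIVE_TYPES:
        return ("load-with-warning", resource_url)  # loads, but the padlock is lost
    return ("block", resource_url)                   # active content is blocked by default

def padlock_intact(page_url, references, csp=""):
    """True if no reference degrades the page's security indicator.

    references: iterable of (resource_url, resource_type) pairs as written in the markup.
    """
    return all(decide(page_url, url, kind, csp)[0] != "load-with-warning"
               for url, kind in references)

# Constructed sample: the thread's hostname, invented paths and resource types.
PAGE = "https://arcadiacottages.com.au/"
REFS = [
    ("http://arcadiacottages.com.au/images/bg.jpg", "img"),   # CSS background over http:
    ("//arcadiacottages.com.au/images/logo.png", "img"),      # protocol-relative: inherits https
    ("https://arcadiacottages.com.au/style.css", "stylesheet"),
]

if __name__ == "__main__":
    for header in ("", "block-all-mixed-content", "upgrade-insecure-requests"):
        label = header or "(no CSP header)"
        print(f"{label:28s} padlock intact: {padlock_intact(PAGE, REFS, header)}")
        for url, kind in REFS:
            print("   ", decide(PAGE, url, kind, header))
```

Note how block-all-mixed-content keeps the padlock by dropping the background image entirely, while upgrade-insecure-requests keeps it by fetching the image over https: instead; the second is only safe if the origin actually serves that path over HTTPS. Newer browsers also auto-upgrade some passive content on their own, which this model deliberately leaves out.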


#7

thank you so much :))

