We’ve set up hundreds of websites with Cloudflare using their free universal SSL certificates (thank you CF, you’re great), so I’m very familiar with the platform and settings.
The most recent WordPress website we’ve put live on Siteground and we’re using full page edge caching using Cloudflare: https://weareyoku.com/
The proxy is on for the A records; in the Cloudflare account we are seeing cached traffic; checking the page headers we’re getting “cf-cache-status: HIT”, and the SSL is set to Full…
However, when we check the status of the SSL in the browser it still displays the origin certificate from Siteground (Let’s Encrypt) rather than Cloudflare.
That site is using Cloudflare, as you say. Cloudflare uses multiple different Certificate Authorities including Let’s Encrypt. You can check which you’re getting under SSL/TLS → Edge Certificates and customise the behaviour with the paid ACM add-on. It all seems to be working OK, though!
Thanks for the quick reply! Yes, we have the Let’s Encrypt SSL certificate created by Siteground within their Managed WordPress Hosting product. This was working fine, as tested before we introduced CF. With Strict, don’t we have to add something from Cloudflare to our server, or is just an SSL at both ends enough for Strict?
Nope, nothing at all. It just makes your site actually secure because right now anybody could intercept your connection as Cloudflare does not validate anything.
I checked under Edge Certificates and you were right - it’s Let’s Encrypt. I checked a handful of other sites we manage in the account and none of them mention a Certificate Authority.
It was the combined fact that Siteground use Let’s Encrypt and I’d never seen Cloudflare do so that led to me challenging it.
OK, thanks, but why does it even exist if it’s of no use and you get the SSL warning? What scenarios are there where Full is suitable? Thanks again for the help.
Yes, but I guess I’m unsure why Cloudflare would offer to ‘front sites and feign a valid HTTPS connection’. Why not jump from Flexible straight to Full Strict? Perhaps if you could describe a real-world use where Full is the best/only option for a website (and Full Strict would not work), then I would understand why they have it as an option. Thanks.
It is not a good option, but people use it with a self-signed or expired certificate on the server. It should just be replaced by a valid one to use Full Strict and shouldn’t ever be the only option. For any site that needs HTTPS, it should be available from the origin with Full Strict.
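The difference between Full and Full (strict) that the replies above describe, as an added Go example that is not part of this thread and not Cloudflare’s own code: a loopback listener stands in for the origin and presents a self-signed certificate; an "edge" modelled in Full mode (certificate verification switched off) accepts it and tells you the issuer it accepted, while the same edge in Full (strict) mode rejects it until the certificate chains to something in its trust store. The host name origin.example, the loopback listener and the trusted-pool case (standing in for a properly issued origin certificate; Cloudflare Origin CA is not modelled) are assumptions for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// OriginMode models the two encrypted origin settings under discussion.
type OriginMode int

const (
	Full       OriginMode = iota // TLS to the origin, but the origin certificate is never validated
	FullStrict                   // TLS to the origin and the certificate must chain to a trusted CA
)

// newSelfSignedCert builds a throwaway self-signed certificate for host, the kind of
// certificate a "Full" (non-strict) origin can get away with presenting. (Assumed host name.)
func newSelfSignedCert(host string) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// startOrigin listens on a loopback port presenting cert, standing in for the origin
// server. It returns the address and a function that stops the listener.
func startOrigin(cert tls.Certificate) (string, func(), error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}})
	if err != nil {
		return "", nil, err
	}
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return
			}
			go func(c net.Conn) {
				defer c.Close()
				// Drive the handshake so the client learns whether it accepted the certificate.
				_ = c.(*tls.Conn).Handshake()
			}(c)
		}
	}()
	return ln.Addr().String(), func() { ln.Close() }, nil
}

// connectAsEdge dials the origin the way an edge in the given mode would and returns
// the issuer of the certificate it accepted, or the verification error.
// roots == nil means the process trust store (public CAs), which is what a real edge trusts.
func connectAsEdge(mode OriginMode, addr, host string, roots *x509.CertPool) (string, error) {
	cfg := &tls.Config{ServerName: host, RootCAs: roots, MinVersion: tls.VersionTLS12}
	if mode == Full {
		cfg.InsecureSkipVerify = true // Full: any certificate, self-signed or expired, is accepted
	}
	conn, err := tls.Dial("tcp", addr, cfg)
	if err != nil {
		return "", err // Full (strict): the handshake is aborted on an untrusted certificate
	}
	defer conn.Close()
	return conn.ConnectionState().PeerCertificates[0].Issuer.String(), nil
}

// trustOrigin returns a pool that trusts exactly this origin certificate, standing in
// for a certificate the edge can actually validate (a CA-issued one in real life).
func trustOrigin(cert tls.Certificate) (*x509.CertPool, error) {
	leaf, err := x509.ParseCertificate(cert.Certificate[0])
	if err != nil {
		return nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return pool, nil
}

func main() {
	cert, err := newSelfSignedCert("origin.example")
	if err != nil {
		panic(err)
	}
	addr, stop, err := startOrigin(cert)
	if err != nil {
		panic(err)
	}
	defer stop()

	issuer, err := connectAsEdge(Full, addr, "origin.example", nil)
	fmt.Printf("Full:        accepted certificate issued by %q, err=%v\n", issuer, err)
	_, err = connectAsEdge(FullStrict, addr, "origin.example", nil)
	fmt.Printf("Full strict: err=%v\n", err)
	pool, _ := trustOrigin(cert)
	issuer, err = connectAsEdge(FullStrict, addr, "origin.example", pool)
	fmt.Printf("Full strict with a trusted certificate: issued by %q, err=%v\n", issuer, err)
}
```

The point to take from it is that in Full mode the "edge" accepts a certificate whose issuer is the origin itself, so anything that can answer on the origin's IP with any certificate at all gets the same treatment; only the strict dial fails on that certificate, and it succeeds again as soon as the certificate chains to a trusted root, which is exactly the "valid certificate at the origin" the reply above asks for.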
Because it’s a nice marketing stunt and allows them to offer free SSL when there’s actually no encryption at all in the background, but the visitors will never find out about it.
It’s actually quite a security issue, and millions of sites on Cloudflare use those settings without us having any idea which sites exactly are insecure, but we do not need to expect a fix any time soon.
More sites are still on HTTP than we actually know.
In the real world, there are only two options: Off, and On. Anything else would throw a browser warning. Then you’ve got “black market” (flexible) and “grey market” (full/not strict). Where do you prefer to shop?
So it’s for users that have self-signed certificates, or it could keep your website still using SSL in the browser (cosmetically) should your certificate expire. OK, understood, thank you.
Bluntly put, it’s for users who can’t be bothered to take the ten minutes and configure a proper certificate and don’t really care if they deceive their visitors or not.
Cloudflare opened a huge can of worms with these modes and undid a lot of what domain registries and browser vendors were trying to establish with SSL requirements.