This tutorial covers basic settings in the Crypto tab of the Cloudflare Dashboard, including SSL Mode [Off/Flexible/Full/Full (Strict)], Cloudflare Origin Certificates, ‘Always Use HTTPS’ and ‘Automatic HTTPS Rewrites’.
The settings covered here can all be found by visiting cloudflare.com, logging in, selecting the domain and choosing:
Off
The connections between your visitor and Cloudflare, and between Cloudflare and your server, do not use SSL and are not secure. Visitors can only view your site over HTTP.
Flexible
The connection between your visitor and Cloudflare is secured, but the connection between Cloudflare and your server is not. You will not need a certificate on your server for this mode.
This option is generally NOT RECOMMENDED, particularly if your site processes any visitor-specific data (e.g. user sessions, logins, etc.). You can read more about Why flexible SSL mode is not the best choice.
Full
The connection is secured both between your visitor and Cloudflare and between Cloudflare and your server. Your server will need to be configured to accept HTTPS connections and have a certificate (it does not need to be valid and is not verified).
Full (Strict)
The connection is secured both between your visitor and Cloudflare and between Cloudflare and your server. Your server will need to have a VALID certificate from a trusted authority installed to use this mode.
For both Full and Full (Strict), you can use a Cloudflare origin certificate – covered next.
This setting shows the certificate you have on the Cloudflare edge; this is likely to be a Universal or a Dedicated certificate. You can find out more information about Universal Certificates here, and more about Dedicated Certificates here.
A Cloudflare origin certificate can be installed on your server so you can use Full or Full (Strict) SSL Modes.
If you click ‘Create Certificate’, use the default options unless you wish to change them, and click ‘Next’, a certificate will be generated.
How you install this certificate will depend on your server / host. When you go through this process, Cloudflare will give you a list of support guides for different servers. If you have any problems installing it, you should contact your web host for guidance.
Always use HTTPS
This setting will redirect visitors from the HTTP version of your site to the secure HTTPS version. This means that all visitors' connections will be secured.
Automatic HTTPS Rewrites
This setting can help fix mixed content issues. Although it may not be able to fix all these issues, I recommend turning it on if you experience mixed content issues.
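To find the references behind a mixed content warning, including any you end up fixing by hand, the following added example (not part of the original tutorial and not Cloudflare code) scans a page's HTML for subresources hard-coded to http://. The sample page and the example.com hosts are constructed, and CSS url() references and URLs inserted by scripts are not covered.

```python
from html.parser import HTMLParser

# (tag, attribute) pairs that load subresources. Browsers block insecure
# "active" loads on an HTTPS page; "passive" ones are upgraded or flagged.
ACTIVE = {("script", "src"), ("iframe", "src"), ("object", "data")}
PASSIVE = {("img", "src"), ("audio", "src"), ("video", "src"), ("source", "src")}

class MixedContentFinder(HTMLParser):
    """Collect subresource URLs that are hard-coded to http://."""

    def __init__(self):
        super().__init__()
        self.findings = []  # (kind, tag, url)

    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "") for k, v in attrs}
        # <link> is a subresource only for stylesheets, not rel="canonical".
        if tag == "link" and "stylesheet" in attrs.get("rel", "").lower().split():
            self._check("active", tag, attrs.get("href", ""))
        for kind, pairs in (("active", ACTIVE), ("passive", PASSIVE)):
            for t, attr in pairs:
                if t == tag and attr in attrs:
                    self._check(kind, tag, attrs[attr])

    def _check(self, kind, tag, url):
        # Protocol-relative (//host/x) and https:// URLs are fine on HTTPS pages.
        if url.strip().lower().startswith("http://"):
            self.findings.append((kind, tag, url.strip()))

def find_mixed_content(html):
    finder = MixedContentFinder()
    finder.feed(html)
    return finder.findings

# Constructed sample page (example.com hosts are placeholders).
SAMPLE = """<html><head>
<link rel="canonical" href="http://example.com/">
<link rel="stylesheet" href="http://cdn.example.com/site.css">
<script src="https://cdn.example.com/app.js"></script>
<script src="http://cdn.example.com/legacy.js"></script>
</head><body>
<a href="http://example.com/about">About</a>
<img src="//img.example.com/logo.png">
<img src="http://img.example.com/banner.jpg">
</body></html>"""

if __name__ == "__main__":
    for kind, tag, url in find_mixed_content(SAMPLE):
        print(f"{kind:8} <{tag}> {url}")
```

Links in `<a href>` and `rel="canonical"` are navigation hints rather than subresources, so they are deliberately not reported.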