End To End Security (SSL/TLS)

A bit of background. I have purchased the Pro Package from Cloudflare. I am looking for End-To-End Encryption.

I understand the traffic from the web browser to Cloudflare would use the shared SSL certificate. I have no issue with that. (Question: is it created automatically or do I need to create one?)

At the backend/origin server I am using GCP App Engine, which already has an SSL certificate provided by DigiCert. (Now, can I keep it at the origin? Would it create an issue and do I need to use a self-signed one?) Please explain in detail.

I am using the WAF and I understand that Cloudflare works as a reverse proxy. (Do I need to configure anything to enable the reverse proxy, or does it happen automatically when adding the name servers in the Get Started setup?)

In reverse proxy mode, does the traffic from Cloudflare to the origin server only route over HTTPS?

Thanks for the help.

If you have a valid certificate signed by a known Certificate Authority (probably the case because you can directly access your App Engine endpoint from browser), just hit the Full (strict) encryption mode in SSL/TLS pane and you’re good to go.

I’m not sure about the end-to-end part, though, since Cloudflare will decrypt the traffic to it, inspect it, then forward it to your origin after WAF and some checks.

Great, thanks. Curious: if I use Full (strict) encryption mode, then from the client browser to the origin server does it use the DigiCert certificate and not the Cloudflare certificate? If yes, then how will Cloudflare decrypt the traffic to inspect it, as it does not have the client (DigiCert) certificate? Thanks for your response.

Thanks for your response. My scenario is that I have opted for the Pro subscription. I have the DigiCert certificate at the origin server. Can I still use it? If yes, then do we have a different certificate between the client browser and Cloudflare? I am confused on this. Please confirm. Thanks.

You still need a valid certificate on your server if you use SSL strict (either browser-trusted, i.e. DigiCert, or a CF origin certificate), which is the most secure and recommended mode.

But yes, the browser will still show a CF certificate in any SSL mode. Your DigiCert certificate will secure the connection to CF, but CF secures the connection from the user to CF itself. CF does not offer true end-to-end security since it needs to decrypt incoming requests to do stuff like WAF and support its paid offerings.
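A way to see the two TLS hops described in this answer for yourself, as an added example that is not part of the original thread: one handshake goes to the hostname through Cloudflare (you get the edge certificate), a second handshake goes to the origin's own address with the same SNI (you get the DigiCert certificate). `ssl.create_default_context()` already validates chain and hostname, so the direct hop succeeding is the same check Full (strict) needs to pass. The hostname, origin address and certificate fields below are assumptions for illustration.

```python
"""Compare the certificate presented at the Cloudflare edge with the one at the origin."""
import socket
import ssl
import sys


def fetch_cert(host, connect_to=None, port=443, timeout=5.0):
    """Handshake with CONNECT_TO (defaults to HOST) using HOST as SNI; chain and hostname
    are validated by the default context, so a failure here would also fail Full (strict)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((connect_to or host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def _field(name_tuples, key):
    """Pull one attribute (e.g. organizationName) out of a getpeercert() name structure."""
    for rdn in name_tuples:
        for attr, value in rdn:
            if attr == key:
                return value
    return None


def summarize_cert(cert):
    """Reduce a getpeercert() dict to the parts that identify which hop it belongs to."""
    return {
        "issuer": _field(cert.get("issuer", ()), "organizationName"),
        "subject": _field(cert.get("subject", ()), "commonName"),
        "sans": sorted(v for k, v in cert.get("subjectAltName", ()) if k == "DNS"),
        "not_after": cert.get("notAfter"),
    }


def compare_hops(edge_cert, origin_cert):
    """Report whether browser->CF and CF->origin are two distinct TLS sessions, i.e.
    the proxy terminates TLS and re-encrypts, rather than passing one session through."""
    edge, origin = summarize_cert(edge_cert), summarize_cert(origin_cert)
    return {
        "edge_issuer": edge["issuer"],
        "origin_issuer": origin["issuer"],
        "two_hop_tls": edge["issuer"] != origin["issuer"] or edge["sans"] != origin["sans"],
    }


if __name__ == "__main__":
    # Usage: python hops.py www.example.com 203.0.113.10  (assumed hostname and origin IP)
    host, origin_ip = sys.argv[1], sys.argv[2]
    print(compare_hops(fetch_cert(host), fetch_cert(host, connect_to=origin_ip)))
```

Both handshakes above validate the presented chain, so if the direct hop to the origin raises `ssl.SSLCertVerificationError`, that origin certificate would not satisfy Full (strict) either.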

This is something I needed to know. Great. Thanks much for the information. I get the logic now. Appreciate it.

