I’ve read the documentation but I’m no expert on the subject. I’ve tried searching for answers but I’m stuck so excuse me if I ask things I’m “supposed” to know. Please help if you can.
In order to make use of Full (strict) mode, do I HAVE to use the CF Origin cert or can I use some other like Let’s Encrypt?
The same question for Authenticated Origin Pulls. Can I use it with Let’s Encrypt or only with the CF Origin cert?
Most people I talked to recommended that I don’t use the CF Origin cert but use a third-party CA cert. One example: “Origin certificate from Cloudflare is not a certificate from a Certificate Authority, this certificate is not considered trusted by browsers, and its only purpose is to enable the Full (Strict) SSL mode when you are using Cloudflare service and you do not have any other valid certificate installed.” Should I believe them or not, and why?
Regarding redirects. I know there are two communications, one between the visitor and CF and CF and my origin. On my origin, I have set up redirect rules (through htaccess) to force HTTPS and non-WWW URLs. Now, since I want to incorporate CF, I see that you can force HTTPS through the dashboard with “Always Use HTTPS”. But what about those redirects on my origin? I found this in the documentation: “You should generally avoid redirects at your origin server. Not only are you likely to forget about them, but they also reduce application performance. It is much faster for Cloudflare to redirect requests before they ever reach your origin.” So what are the ups and downs of leaving or removing the redirects from my server?
This is related to my previous question. Since there are two different communications V to CF and CF to O as I mentioned earlier, should I view the rules set up for them as completely different or related? Here’s what I think. Do I need to set up the same rules for both comms or will it be enough just to do it for one? The previous HTTPS redirect question is one example. Also, redirecting URLs with WWW to those without.
I am using the strict mode. My server connects with the CF server via a Let’s Encrypt certificate once it is installed on my server. Users connect with the CF server via the CF certificate (I did not install it). That is how I understand it.
Contains a Common Name (CN) or Subject Alternative Name (SAN) that matches the requested or target hostname.
A non-expired Let’s Encrypt cert including your hostname will work.
AOP allows your origin web server to ask Cloudflare to present a certificate on incoming requests, which you can then verify. By default, it’s a Cloudflare managed certificate, but you can upload your own either per website/zone, or per hostname, and Cloudflare will serve it back to you. It can be self-signed even: How Authenticated Origin Pulls works · Cloudflare SSL/TLS docs
Cloudflare automagically issues a valid, trusted-by-browsers certificate for your domain, called your Universal Certificate. This covers your apex (example.com) and first-level subdomains via a wildcard (xxx.example.com). You cannot download this in any way, and it is fully managed. When you enable proxy on a DNS Record, Cloudflare serves this trusted Universal Certificate to connecting users, to enable SSL/TLS while still being able to decrypt the request and such.
Then, in a separate request, if cache is not hit/nothing in CF sends a response (like WAF), Cloudflare reaches out to your origin web server for the asset. This is how the Origin CA Certs work: Cloudflare’s Proxy trusts them, and the browser doesn’t need to because it’s not making the request to your origin.
Its only purpose is to enable Full (Strict) when using Cloudflare yea, and there’s nothing wrong with that. It’s just as secure as using a publicly trusted certificate would be. You can’t use it without proxy enabled, but otherwise it’s fine to use.
Doing redirects via Cloudflare rather than your origin is faster: Cloudflare stores the redirect logic in all 300+ of their locations, without needing to contact your origin. In my opinion though, you can just leave the existing ones, just make sure your SSL/TLS Mode (under SSL/TLS → Overview) is Full (Strict) so Cloudflare sends requests to your origin over HTTPS.
It’s true you might forget about them, and if you have a lot of redirects it may be confusing, but no harm would come from having the https redirect in both locations. Cloudflare would handle the redirect for you in all cases unless you disabled proxy or the setting, and you would still have it set in your web server as backup. It’s worth it to keep it for https especially, in my opinion, because you can’t accidentally misconfigure something (like Cloudflare’s Flexible ssl/tls setting) to use HTTP without hitting the redirect.
Cloudflare will be faster, and sometimes easier to configure, especially with Bulk Redirects. I would aim to do it in Cloudflare if possible; otherwise, for more complicated things, using your origin is fine. You don’t need to do both though, that would be unnecessary unless you plan to not use proxy/cdn at some point.
Is there anything else besides turning on the AOP option, that I have to do for this to work? I’m asking for both eventualities (Origin CA and Let’s Encrypt).
When I read your recommendations for AOP and redirects, I see that it all boils down to a decision whether to commit to Cloudflare or not. If I use Strict mode and both SSLs and everything is proxied I don’t have to worry about anything. On the other hand, having my own cert on origin and the entire set of redirect rules just prepares me for the eventuality of disabling the proxy. How likely is a scenario where something malfunctions and CF goes down, the proxy is disabled, and now the visitor requests straight from my origin? In that case, the origin doesn’t have an SSL but redirects visitors to HTTPS.
So you recommend having HTTPS redirects in both locations but favoring Cloudflare for other redirections and rules like non-WWW. This brings me to another related question. I have 3-4 rules in my .htaccess file that I use on every site:
# Sets the SERVER_ADMIN environment variable for this site (address obfuscated in the original post)
SetEnv SERVER_ADMIN [email protected]
# HSTS: tell browsers to use HTTPS only for two years, including subdomains, and allow preload-list submission
Header set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
# Stop browsers from MIME-sniffing responses away from the declared Content-Type
Header set X-Content-Type-Options nosniff
# Legacy XSS auditor header for older browsers
Header set X-XSS-Protection "1; mode=block"
# Only allow this site to be framed by pages from the same origin (clickjacking protection)
Header always append X-Frame-Options SAMEORIGIN
It may be worth making sure it is explained: Authenticated Origin Pulls is an optional security feature for your origin web server to ensure the request is coming from Cloudflare. You have to enable it in your dash, and then configure your web server to validate the client certificate; it’s Mutual TLS (mTLS). There are some guides/info for nginx/apache setups here: Zone-level authenticated origin pulls · Cloudflare SSL/TLS docs, as well as some other guides out on the internet. I would get your setup working without AOP first, and then try setting it up. Just enabling it on its own does nothing; web servers wouldn’t request it/would ignore it until you tell them to verify it and reject other requests.
Cloudflare won’t disable the proxy in case of them having issues; that would expose people’s origin IPs/web servers. How likely is it that Cloudflare may have issues where HTTP requests fail, but DNS remains operable, as well as their dashboard/API, allowing you to make that change? Meh, it’s not a bad idea to have backups, but you’re talking about a particular type of outage, and also exposing your origin’s real IP, which could be DDoS’d unless you rotated it after such an event. There have been outages with Cloudflare in the past sure, but infrequent and not just HTTP. If you wanted to disable it for testing purposes, you could always switch at any time and get a real cert issued to test with. Personally, I commit fully to using Cloudflare if I use it at all, but I am biased.
Yes, in a generic way, you can use Transform Response Header rules to respond with any arbitrary headers: HTTP response header modification rules · Cloudflare Rules docs
But Cloudflare actually has specific settings for those options, under SSL/TLS → Edge Certificates, you can modify your HSTS (Strict-Transport-Security) settings which will take care of the header for you. Under Rules → Transform Rules → Managed Transforms, you can turn on Security Headers, which adds those headers and a few more sane security defaults: Available Managed Transforms · Cloudflare Rules docs
For Cloudflare’s rules and such? I don’t think the difference is measurable. I have no Apache experience, but I don’t think they would give too much of a performance difference either; they already scan every directory for the file even without it.
For redirects, it makes sense to place them on Cloudflare for the reason above, where possible. For headers and other rules, I would place them where it is logical or easiest to do & maintain. Cloudflare offers a lot of flexibility with its ruleset engine expressions with transform rules, which can make some operations easy, and they update globally within a few seconds. To give some examples, sometimes I have one nginx host serving multiple sites, in which case it might make sense to have a unified config there for response headers. Other times it’s usually just easier to make a transform rule. Just remember to look in both places if you’re wondering where a header is coming from.
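An Apache vhost that puts the two origin-side pieces discussed in this thread together: the backup HTTP-to-HTTPS redirect kept at the origin, and Authenticated Origin Pulls enforced by requiring a client certificate that chains to Cloudflare’s origin-pull CA. This is an added example, not configuration from the Cloudflare docs or from any poster; the hostname, the Let’s Encrypt paths and the CA file path are assumptions, and the CA file itself is the one downloaded from the AOP docs page linked above.

```apache
# Backup redirect at the origin: only hit if a request reaches the origin over plain HTTP
# (e.g. proxy disabled or Flexible mode set by mistake). Cloudflare normally redirects first.
<VirtualHost *:80>
    ServerName example.com
    Redirect permanent / https://example.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName example.com
    SSLEngine on

    # Any non-expired cert whose CN/SAN matches the hostname satisfies Full (Strict);
    # a Let's Encrypt cert works, so does a Cloudflare Origin CA cert. Paths assumed.
    SSLCertificateFile    /etc/letsencrypt/live/example.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem

    # Authenticated Origin Pulls (mTLS): reject any TLS handshake whose client certificate
    # was not issued by Cloudflare's origin-pull CA. Placeholder path; download the CA
    # from the Cloudflare AOP docs. Enable AOP in the dashboard BEFORE adding these two
    # lines, otherwise Cloudflare presents no client cert and every proxied request fails.
    SSLCACertificateFile /etc/ssl/cloudflare/origin-pull-ca.pem
    SSLVerifyClient require

    DocumentRoot /var/www/example.com
</VirtualHost>
```

SSLCACertificateFile is only valid at server or virtual-host level, so this needs vhost access (the VPS), not just a .htaccess file on shared hosting; once in place, a direct hit on the origin IP that bypasses Cloudflare fails the handshake instead of being served.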
Thank you so much for those responses, they are helping a lot. I have two more Qs:
CF has WAF, my origin has ModSecurity WAF, and my WordPress websites have a WAF plugin. How many WAFs are too much? I have three points to configure security rules. Is it safe to say that I don’t need the WordPress one? CF applies its security rules, I configure my origin to communicate with CF IPs exclusively. Do I need a WP one? Can I disable it?
I am a lot of things when it comes to IT, but I’m very limited when it comes to server administration and security. I have a show to get on the road and I can’t spend a lot of time learning how to configure CF and everything with enough efficacy. Where can I search for professional help regarding this? My setup is: Cloudflare - Namecheap (LiteSpeed) shared hosting (soon migrating to Namecheap VPS) - WordPress sites. All I want is to make sense of SSL, redirects, and security rules on all three so I can have a setup that I’m comfortable with. I know what I want but I will accept sound advice. This is probably a piece of cake and a few hours of work for someone with experience. I can’t spend a few weeks on this; I have serious deadlines.
Cloudflare Pro or higher has WAF Rulesets, which include the OWASP ModSecurity Core Rules and Cloudflare’s own rulesets with a few WordPress rules. Free only gets a few free rules for common vulns. If you have Pro or higher, then yea, I would say it wouldn’t make sense to have the rules twice. I’m not too familiar with WordPress, and there are probably a fair few WAF-offering plugins for it. It’s probably not worth it to have it as well unless it does something special or unique; being a plugin running on your server, it does have more control/flexibility.
Depending on your budget, Cloudflare has MSP partners which could help you get set up. I believe this form could be used for that: Channel - Find a Partner
Otherwise, fiverr/upwork/one of those sites might be a good place to look as well.