Full strict security

My SSL is currently on Full, but I would like to put it on Full (Strict) for maximum security. I did that once, then my website went down and I couldn’t figure out the reason. I need help, please.

I’m glad to hear you want proper encryption for your site. For Strict to work, your server needs a legitimate SSL/TLS certificate for that hostname. Or Cloudflare can generate a specialized certificate that will work for Proxied sites.

My host server did supply me with a certificate, but since I moved the protection to cloudflare.com I have been using Cloudflare SSL, and now I am trying to obtain full origin from you guys. I tried ordering one, but after that the site still went down again when I put it on Full (Strict), which I didn’t understand. I am looking to have the website with the best protection solution it can possibly have.

You need both ends secured. Your server needs SSL for encrypted communications, and Cloudflare handles the rest.

How did you order one? The Origin Cert from the article I linked to? Or from SSL/TLS → Edge Certificates (Order Advanced Certificate)?



See the screenshots from my SSL dashboard

So if I understand you correctly, I need to have the same certificate installed on my hosting server before I can activate the Full (Strict) SSL?

I’d avoid Authenticated Origin Pulls for now. I don’t even use that, preferring to configure my server firewall to block anything not coming from IP Ranges

But if you’ve properly installed that Origin Certificate, you should be able to use Full (Strict).

You can see which cert is on your server by doing the following. Just change the www hostname and IP address to your actual server IP address.
curl -svo /dev/null https://www.example.com --connect-to ::192.0.2.0 2>&1 | egrep -v "^{.*$|^}.*$|^* http.*$"
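
An offline companion to the curl check above, as an added example that is not part of the original posts: it tests a certificate file for the hostname, the expiry date and self-signing before Full (Strict) is switched on. It assumes `openssl` is installed; the function names are illustrative, the sample certificate is constructed, and issuer-equals-subject is used as a heuristic for "self-signed".

```shell
#!/bin/sh
# Added example: pre-flight checks on an origin certificate file.

# Succeeds if the certificate lists the hostname (SAN, or CN when no SAN exists).
cert_covers_host() {    # $1 = PEM file, $2 = hostname
  openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null | grep -q 'does match'
}

# Succeeds if the certificate is still valid $2 seconds from now (default 7 days).
cert_valid_for() {      # $1 = PEM file, $2 = seconds
  openssl x509 -in "$1" -noout -checkend "${2:-604800}" >/dev/null 2>&1
}

# Succeeds if issuer and subject names hash to the same value (self-signed heuristic).
cert_is_self_signed() { # $1 = PEM file
  [ "$(openssl x509 -in "$1" -noout -subject_hash)" = \
    "$(openssl x509 -in "$1" -noout -issuer_hash)" ]
}

# Runs all three checks, prints each failure, returns non-zero if any check failed.
strict_preflight() {    # $1 = PEM file, $2 = hostname
  rc=0
  cert_covers_host "$1" "$2" || { echo "FAIL: certificate does not cover $2"; rc=1; }
  cert_valid_for "$1" 604800 || { echo "FAIL: certificate expires within 7 days"; rc=1; }
  cert_is_self_signed "$1"   && { echo "FAIL: self-signed (issuer equals subject)"; rc=1; }
  return "$rc"
}

# Constructed sample input: a throwaway self-signed certificate for a hostname.
make_sample_cert() {    # $1 = output dir, $2 = hostname, $3 = validity in days
  openssl req -x509 -newkey rsa:2048 -nodes -days "$3" -subj "/CN=$2" \
    -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}

# Demo: the constructed certificate matches the hostname and is in date,
# but it is self-signed, so the pre-flight reports it as not ready.
tmp=$(mktemp -d)
make_sample_cert "$tmp" www.example.com 30
strict_preflight "$tmp/cert.pem" www.example.com || echo "not ready for Full (Strict)"
rm -rf "$tmp"
```

Point `strict_preflight` at the PEM file actually installed on the origin server, with the hostname visitors use.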

I didn’t download the origin one yet and install it on my server; maybe that’s why it didn’t work in the first place. I will put off the authenticator pull, thanks for that, I thought it would help. What other rules or tips do you have that I can look at while I’m busy changing things up?

Other than this:

The origin cert should be enough for now. And I’m not even sure the Origin Cert will show you the private key. You might have to delete it and generate a new one. Not a big deal, as I’ve churned through many origin certs while experimenting on certain server configurations. Just be sure to restart your web server to load the new origin cert.
