Origin certificates / SSL encryption

Hi,
I’m new to CF and just starting to test things out with one domain on the free plan.
So far I have a reverse proxy that routes all incoming requests to two servers: if the request URL has the form “domain.com/”, the reverse proxy routes it to a web server, and if the request URL has the form “app.domain.com/”, the proxy routes it to an application server on a different machine.
I want all traffic to be HTTPS, therefore in Cloudflare’s dashboard under “Crypto”, I configured the SSL option to be “FULL STRICT”, I selected the option to “always use HTTPS”, and I also created a free TLS certificate signed by CF and installed it in my reverse proxy.

To verify that all communication is being encrypted I ran Wireshark to capture the packets between my browser and the app, and to my surprise some packets are being sent/received over HTTP. Moreover, the packets exchanged are not between the browser and the reverse proxy, but between the browser and some sort of Cloudflare server (when I tried to open the IP address in the browser I got a message: Error 1003, Direct IP Address not allowed, and some Cloudflare Ray ID).

I would like to know: what exactly are these Ray ID servers? What kind of data is being sent over HTTP? And is there some mistake or security issue in this configuration?

Not “server”, just “ID”. It is the name Cloudflare chose for connection IDs. Each request to Cloudflare gets such a unique ID.

Difficult to tell. Can you share more details? Maybe it is an HTTP request from the browser, which (in your configuration) is automatically redirected to HTTPS. If you can share screenshots it would be best.

From what I can tell so far your configuration looks pretty all right.

[quote=“sandro, post:2, topic:61117”]
If you can share screenshots it would be best.
[/quote]

Sure! Here it is
[screenshot: wireshark]

If you’re browsing directly to a Cloudflare IP, they really have no idea which website to proxy you to: Your browser did not specify a FQDN it wants to access. Your IP is shared with thousands (or more?) of other websites - how can the server know which one of them is the one you want to get to?

Try your actual domain; then your browser will send an HTTP “Host” header, and then you might get somewhere. If you were showing us yourself accessing your site with https:// (which you should be redirected to even if you went for http://, if you checked the “always use HTTPS” option like you said), AND your browser says “https://”, and THEN you see plaintext stuff in Wireshark, that is the only case where I would be worried. But I’m rather sure that once you see the green padlock, you won’t see anything plaintext in your network capture; that’s the whole idea behind the green padlock, so users don’t need to use a sniffer to know they’re secure.


I am not entirely sure what the screenshot should exactly show.

You were accessing a Cloudflare IP via HTTP. That cannot show your site; there’ll, naturally, be HTTP involved instead of HTTPS.

Can you elaborate how that is related to the example you provided?

I wanted to show the Wireshark output only, not the browser; sorry about that.

Allow me to elaborate. I want to check that all traffic to/from my domain and subdomains is always encrypted, and to verify this, I captured some packets between a client and my domain and subdomains with Wireshark.

The output from Wireshark that you don’t see in the previous screenshot shows that there is traffic on port 443 between the client and https://app.domain.com, which is good and is what I wanted to see.
BUT wireshark also shows traffic on port 80, which can be seen in the previous screenshot, and that’s the part that worries me.
Why is there traffic on port 80?
Moreover, the screenshot also shows that these packets are not between a client and https://app.domain.com, but between a client and some Cloudflare server.
Which had me wondering: what kind of data is being sent to this cf server, and why?

But as I mentioned earlier, you seem to have opened the site on HTTP (as apparent from your screenshot), hence HTTP requests are not much of a surprise, are they?


No, the HTTP traffic was already showing in wireshark before I typed in that IP address in the browser.
That IP address (104.24.103.81) does not belong to any of my servers, I did not know of its existence until after wireshark showed me the packets.

Still not quite sure about the issue. Your screenshot shows a page on HTTP for that IP address and a Wireshark log referring to the same IP address.


Yes, the previous screenshot was not a good example of what is happening. Please check out this new screenshot; hopefully this one makes more sense.
The only URL entered in the browser is HTTPS, however Wireshark shows that there is HTTP traffic.

What is the domain in question? There is a good chance you are linking to some HTTP resources. Take a look at the HTTP part of the Wireshark log and determine which resource it was that made this HTTP call.
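One way to do what the last reply suggests, as an added example that is not part of this thread: paste each port-80 stream from Wireshark’s “Follow TCP Stream” into a small script that pulls out the Host header, the request path and the response, and sorts the stream into “redirect to HTTPS” (harmless, that is the “always use HTTPS” rule firing), “plaintext content” (a linked HTTP resource worth fixing) or “bare IP” (a request with no usable hostname, which is the Error 1003 case). The sample streams, hostnames other than the ones in this thread, and the CF-RAY values are constructed.

```python
import re
from ipaddress import ip_address

# Constructed sample: three plaintext exchanges as "Follow TCP Stream" shows them.
# Header values such as CF-RAY are placeholders, not real capture data.
SAMPLE_STREAMS = [
    "GET / HTTP/1.1\r\nHost: app.domain.com\r\nUser-Agent: x\r\n\r\n"
    "HTTP/1.1 301 Moved Permanently\r\nLocation: https://app.domain.com/\r\n"
    "CF-RAY: 0000000000000000-XXX\r\nContent-Length: 0\r\n\r\n",
    "GET /static/logo.png HTTP/1.1\r\nHost: static.example.org\r\n\r\n"
    "HTTP/1.1 200 OK\r\nContent-Type: image/png\r\nContent-Length: 3\r\n\r\nabc",
    "GET / HTTP/1.1\r\nHost: 104.24.103.81\r\n\r\n"
    "HTTP/1.1 403 Forbidden\r\nCF-RAY: 0000000000000001-XXX\r\nContent-Length: 0\r\n\r\n",
]

REQ = re.compile(r"^(GET|POST|HEAD) (\S+) HTTP/1\.[01]\r\n(.*?)\r\n\r\n", re.S)
RESP = re.compile(r"HTTP/1\.[01] (\d{3})[^\r\n]*\r\n(.*?)\r\n\r\n", re.S)

def _headers(block):
    """Parse 'Name: value' lines into a lower-cased dict."""
    return {k.strip().lower(): v.strip() for k, v in
            (line.split(":", 1) for line in block.split("\r\n") if ":" in line)}

def classify_stream(stream):
    """Return (host, path, status, verdict) for one plaintext HTTP stream, or None."""
    m = REQ.match(stream)
    if not m:
        return None
    _method, path, req_hdr = m.groups()
    host = _headers(req_hdr).get("host", "")
    r = RESP.search(stream, m.end())
    status = int(r.group(1)) if r else 0
    location = _headers(r.group(2)).get("location", "") if r else ""
    try:
        ip_address(host)          # a bare IP: the edge cannot tell which site is meant
        verdict = "bare-ip"
    except ValueError:
        if status in (301, 302, 307, 308) and location.startswith("https://"):
            verdict = "redirect-to-https"   # expected with "always use HTTPS"
        elif status == 200:
            verdict = "plaintext-content"   # a resource really served over HTTP
        else:
            verdict = "other"
    return host, path, status, verdict

def classify_streams(streams):
    """Classify every parsable stream; the hosts flagged 'plaintext-content' are the ones to fix."""
    return [c for c in map(classify_stream, streams) if c]
```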
