Performance/Security issues

I started using Cloudflare 4 days ago and I’m having some issues that I would love some help with or clarification on.

  1. Loading speeds haven’t improved much, if at all, since I started using Cloudflare and Rocket Loader. I suspect this may be because Cloudflare is only serving my blog, or perhaps focusing on it. My main website and my blog are both hosted on the same domain/IP/host. mydomain and www.mydomain point to the main website, and blog.mydomain points to the blog. The speed tab only shows the blog, which has indeed seen improvements (which weren’t necessary to begin with) from 1.5s to under 1s. My main website however still takes up to 7 seconds to load, and that’s the main reason I started using Cloudflare. Rocket Loader is loaded along with my main website, and when it’s offline I do get the Cloudflare notice (instead of a cached version of the website), but there don’t seem to be any speed advantages to using Cloudflare at this point. All assets are still loaded from my website, and not from Cloudflare.

  2. SSL options. I don’t understand them at all, although everything seems to be working fine despite not having configured anything related via Cloudflare beyond that. From the reading I did, Cloudflare should use my SSL certs to communicate with my origin server, but users will use Cloudflare’s certs to communicate with Cloudflare. If that’s the case, then why should I provide Cloudflare with my certs? Isn’t that potentially dangerous? And the option of having Cloudflare generate certs for me doesn’t seem logical either, since I already have my own.

  3. Ever since starting to use Cloudflare, my HSTS header max-age has been changed to 0. My configuration hasn’t changed, but that’s the reported max-age.

  4. Is there a way to set certain security parameters for all cookies via Cloudflare? Since they’re the final endpoint for my website, and they add their own cookies as well.

  5. Other features like Workers, Page Rules, Custom Pages

  6. How do apps work? How can Cloudflare install apps on my website without access to the code? Is this safe?

What exactly do you mean by that? They are not being cached? What’s your domain?

Absolutely correct.

Actually, you can’t unless you are on a business plan. You simply use these two certificates in their respective places and that’s it, no need to send your private key to Cloudflare.

Have you enabled HSTS on Cloudflare?

Which cookies? Your own cookies are simply tunnelled through.

  1. My domain is snip.city and the blog is on a subdomain called blog. It really seems like only the blog is benefiting from Cloudflare caching.

  2. So I don’t need to configure anything SSL related in Cloudflare?

  3. I have enabled HSTS on Cloudflare. Should I not have done that since it’s already enabled on my server and my domain is on the preload list?

  4. My website is now sending several cookies named cf and cfduid, presumably for Cloudflare to track locally cached assets.

Regarding cookies, I’m asking if it’s possible to have Cloudflare append certain security directives to the cookies that my website sends.

Not out of the box. You could achieve this via workers, but that would be mostly a paid feature.
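A Worker along the lines the reply above suggests, added here as an illustration (it is not code from this thread or from Cloudflare): it rewrites every Set-Cookie header the origin sends so that Secure, HttpOnly and SameSite=Lax are present, and leaves attributes the origin already set alone. The helper names (hardenSetCookie, getSetCookies, hardenResponse, handleRequest) are my own, the sample cookie is constructed, and the guard around addEventListener is there only so the same file also loads under Node for testing.

```javascript
// Added illustration, not code from the thread or from Cloudflare: a Worker that
// adds Secure, HttpOnly and SameSite=Lax to each Set-Cookie header the origin
// sends, leaving attributes the origin already set untouched.

function hardenSetCookie(value) {
  // Split "name=value; Attr; Attr=val" and compare attribute names case-insensitively.
  const parts = value.split(';').map((p) => p.trim()).filter(Boolean);
  const attrs = new Set(parts.slice(1).map((p) => p.split('=')[0].trim().toLowerCase()));
  if (!attrs.has('secure')) parts.push('Secure');
  if (!attrs.has('httponly')) parts.push('HttpOnly');
  if (!attrs.has('samesite')) parts.push('SameSite=Lax');
  return parts.join('; ');
}

function getSetCookies(headers) {
  // Multiple Set-Cookie headers must not be read as one comma-joined string
  // (cookie values may contain commas), so prefer the runtime's multi-value accessor.
  if (typeof headers.getSetCookie === 'function') return headers.getSetCookie(); // Node 19.7+, current Fetch spec
  if (typeof headers.getAll === 'function') return headers.getAll('Set-Cookie'); // Cloudflare Workers
  const single = headers.get('Set-Cookie');
  return single ? [single] : [];
}

function hardenResponse(response) {
  const cookies = getSetCookies(response.headers);
  if (cookies.length === 0) return response;
  const headers = new Headers(response.headers);
  headers.delete('Set-Cookie');
  for (const cookie of cookies) headers.append('Set-Cookie', hardenSetCookie(cookie));
  return new Response(response.body, {
    status: response.status,
    statusText: response.statusText,
    headers,
  });
}

async function handleRequest(request) {
  // Inside a Worker, fetch(request) forwards the request to the origin server.
  const originResponse = await fetch(request);
  return hardenResponse(originResponse);
}

// Registers the handler when loaded by the Workers runtime; under Node this is a no-op.
if (typeof addEventListener === 'function') {
  addEventListener('fetch', (event) => event.respondWith(handleRequest(event.request)));
}

// Constructed sample: a cookie as an origin might send it, and its hardened form.
const sampleCookie = 'session=abc123; Path=/';
console.log(hardenSetCookie(sampleCookie));
```

Two caveats before deploying something like this: HttpOnly breaks any cookie that front-end JavaScript needs to read, and SameSite=Lax is not sent on cross-site POSTs, so login or payment flows that return from another site need their cookie handled separately (SameSite=None; Secure) rather than rewritten blindly.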

I see. And for my other issues?

Your resources do not seem to be cached right, you most likely send an HTTP header which prevents Cloudflare from caching them. Check that you are not sending any of that.

What kind of header would do that? Local caching is working fine.

Any of the caching headers, which would also instruct a browser not to cache.

I just checked and this is another case of my set headers being overridden somehow. This is what I have set:

<IfModule mod_headers.c>
    <FilesMatch "\.(jpg|png|gif|ico|svg|css|js|less)$">
        Header set Access-Control-Allow-Origin "*"
        Header set Cache-Control "private, max-age=3600"
    </FilesMatch>
</IfModule>

This is what’s getting reported:

Cache-Control max-age=0, no-cache, no-store, must-revalidate

Much like HSTS where I have this:

Header always set Strict-Transport-Security "max-age=63072000; preload"

But this is what’s getting sent:

Strict-Transport-Security max-age=0; preload

Does your server IP address end in 36? If so, it appears that header comes from your server, I am afraid.

Your actual resource files are even set to “private” as far as caching is concerned.
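The two replies above make the point that the origin's own Cache-Control header decides whether Cloudflare will cache an asset at all, and that `private` on its own is enough to stop it. The following is an added example, not code from the thread or from Cloudflare, that parses a Cache-Control value and applies Cloudflare's documented defaults (private, no-store, no-cache, max-age=0, or a Set-Cookie header prevent edge caching; s-maxage takes precedence over max-age at the edge). The function names and the header objects fed to it are constructed for the example; `reported` is the value the poster says is being sent, `intended` is the value in the Apache snippet above, and `fixed` is a form the edge would cache.

```javascript
// Added illustration: decide whether Cloudflare's edge could cache a response,
// from its Cache-Control and Set-Cookie headers. The rules encoded here are
// Cloudflare's documented defaults; the header objects below are constructed.

function parseCacheControl(value) {
  // "max-age=0, no-cache" -> { 'max-age': '0', 'no-cache': true }
  const directives = {};
  for (const raw of String(value || '').split(',')) {
    const part = raw.trim();
    if (!part) continue;
    const eq = part.indexOf('=');
    const name = (eq === -1 ? part : part.slice(0, eq)).trim().toLowerCase();
    const val = eq === -1 ? true : part.slice(eq + 1).trim().replace(/^"(.*)"$/, '$1');
    directives[name] = val;
  }
  return directives;
}

function edgeCacheVerdict(headers) {
  // headers: plain object keyed by lower-case header name (constructed input)
  if ('set-cookie' in headers) {
    return { cacheable: false, ttl: null, reason: 'response sets a cookie' };
  }
  const cc = parseCacheControl(headers['cache-control']);
  for (const directive of ['private', 'no-store', 'no-cache']) {
    if (directive in cc) {
      return { cacheable: false, ttl: null, reason: `Cache-Control: ${directive}` };
    }
  }
  // At the edge, s-maxage wins over max-age when both are present.
  let ttl = null;
  if ('s-maxage' in cc) ttl = Number(cc['s-maxage']);
  else if ('max-age' in cc) ttl = Number(cc['max-age']);
  if (ttl === 0) {
    return { cacheable: false, ttl: 0, reason: 'Cache-Control TTL is zero' };
  }
  if (ttl === null || Number.isNaN(ttl)) {
    return { cacheable: true, ttl: null, reason: 'no usable TTL; edge applies its default TTL' };
  }
  return { cacheable: true, ttl, reason: `edge may cache for ${ttl}s` };
}

// What the thread says the origin actually sends, what the Apache snippet
// intends, and a form Cloudflare would cache. All three are constructed inputs.
const reported = { 'cache-control': 'max-age=0, no-cache, no-store, must-revalidate' };
const intended = { 'cache-control': 'private, max-age=3600' };
const fixed = { 'cache-control': 'public, max-age=3600' };

for (const [label, headers] of Object.entries({ reported, intended, fixed })) {
  console.log(label, edgeCacheVerdict(headers));
}
```

Note that the intended `private, max-age=3600` from the Apache snippet would still not be cached by Cloudflare even once it is actually being sent; `public, max-age=3600` (or an explicit `s-maxage`) is what an edge cache needs. To find out which hop adds a header, as the reply above suggests, fetch the same URL once through Cloudflare and once straight from the origin IP, for instance with `curl -sI --resolve snip.city:443:ORIGIN_IP https://snip.city/` (ORIGIN_IP standing for the server address, which is not given here), and compare the Cache-Control and Strict-Transport-Security lines of the two responses.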

That’s impossible. I checked all related configs. httpd.conf, ssl.conf, htaccess and even my html headers.


Oh I see. You’re referring to Cache-Control: private. I can fix that, but that’s not what’s being reported by securityheaders.com

Where are you getting that from?

Straight from your server, check the IP address in the screenshot.

I mean what tool are you using

That’s a screenshot from my browser.

But the point is, as long as that header is sent Cloudflare won’t cache anything.

Did you check securityheaders.com? Because it’s reporting completely different headers for HSTS and Cache-control.