Registrar → Cloudflare → origin Nginx web server (Linode).
So, as I understand it,
Cloudflare handles the SSL for my origin. Is there any reason I'd need to optimize the origin Nginx SSL parameters, like ssl_ciphers, ssl_stapling_verify, ssl_stapling, ssl_session_cache, ssl_session_timeout, etc.?
I currently only have:
listen 443 ssl http2;
listen [::]:443 ssl http2;
ssl_certificate /home/cloudflarecerts/certificate-ecc.pem;   # ECC certificate, not RSA
ssl_certificate_key /home/cloudflarecerts/certificate-ecc.key;   # ECC key, not RSA
I used to have many other SSL adjustments in my Nginx origin .conf file, but I started to wonder whether they were even harming the performance of the origin responses, since those SSL parameters are already handled by Cloudflare, and I removed them.
I am afraid that is not correct. Cloudflare handles the SSL setup on their proxies, but not on your server. The latter you still have to configure yourself. The default settings typically work fine however and you shouldn’t tweak them unless you absolutely have to and know what you are doing.
Simply make sure your server is configured with a valid certificate and you are using Full Strict on Cloudflare.
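To make the answer above concrete, here is a minimal origin server block for the Registrar → Cloudflare → Nginx (Linode) layout. This is an added example, not configuration from the thread or from Cloudflare; the hostname example.com, the document root and the certificate paths (taken from the poster's layout) are assumptions to be replaced. It keeps the certificate lines the poster already has, adds the few TLS parameters that are worth stating explicitly, and otherwise leaves nginx/OpenSSL defaults alone, which is what the reply recommends.

```nginx
# Added example (not from the original post): origin nginx config behind Cloudflare.
# Assumptions: hostname example.com, web root /var/www/example.com, and the
# Cloudflare Origin CA certificate/key at the paths the poster uses.

# Send plain-HTTP requests to HTTPS so nothing is served in clear, whether the
# request comes from Cloudflare or from someone who found the origin IP.
server {
    listen 80;
    listen [::]:80;
    server_name example.com www.example.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name example.com www.example.com;

    # Cloudflare Origin CA certificate (ECC) and its private key.
    # With the zone set to Full (strict), Cloudflare validates this certificate
    # on every request it forwards to the origin; browsers never see it.
    ssl_certificate     /home/cloudflarecerts/certificate-ecc.pem;
    ssl_certificate_key /home/cloudflarecerts/certificate-ecc.key;

    # The only TLS parameters worth setting explicitly on the origin:
    # modern protocol versions and a shared session cache so Cloudflare's
    # repeated connections can resume instead of doing full handshakes.
    # Cipher selection is deliberately left to the nginx/OpenSSL defaults.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;

    # OCSP stapling is intentionally absent: it only works when the certificate
    # carries an OCSP responder URL (check: openssl x509 -noout -ocsp_uri -in cert.pem),
    # and if it does not, nginx just logs a warning and ignores the directive.

    root /var/www/example.com;
    index index.html index.php;

    location / {
        try_files $uri $uri/ =404;
    }
}
```

Two checks a practitioner would run after applying this. First, the key file should be readable by root only (`chmod 600 /home/cloudflarecerts/certificate-ecc.key`); the nginx master process reads it as root at startup, so the worker user does not need access. Second, confirm the origin serves HTTPS on its own, bypassing Cloudflare, with `curl -sI --resolve example.com:443:ORIGIN_IP https://example.com/` (add `--cacert` pointing at the Cloudflare Origin CA root, or `-k` if you only want to see that the handshake and response work, since an Origin CA certificate is not trusted by the system store). Then set the Cloudflare SSL mode to Full (strict): with Flexible, Cloudflare talks to the origin over plain HTTP, and with Full (non-strict) it accepts any certificate, so a machine in the path between Cloudflare and Linode could present its own.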
Hi @sandro, thank you for your response. Do you know which Nginx adjustments are still relevant while using Cloudflare? I believe a client request works like this:
On cached elements (images, etc.):
Client computer → Cloudflare instance → client computer again. (Every time a visitor hits a cached file, Cloudflare doesn't hit my origin to check for any SSL configuration regarding this. They simply cache it on their edge network and serve it.)
On dynamic, non-cached elements (like blogs.php):
For dynamic, non-cached elements, Cloudflare hits my origin and returns the response. Now, does Cloudflare, in this case, care about my extra SSL .conf adjustments?
As for caching, that would be unrelated to SSL. If something is served by Cloudflare, it naturally won't involve your server. Any requests to your server will be handled like any other requests; there's nothing Cloudflare-specific.
If anyone knows of any SSL Nginx confs that are worth adjusting for whenever Cloudflare hits the origin server, I'd appreciate it. For example, inside the .conf file, add the HTTPS protocol to the listener (listen 443 ssl https & listen [::]:443 ssl https). Thank you.
I am afraid server administration related topics are beyond the scope of the forum here and best discussed at StackExchange.
Make sure your site loads fine on HTTPS without Cloudflare, then it will also work fine on Cloudflare. Also, make sure you are using Full Strict on Cloudflare, otherwise your site would be without encryption.