SSL Between Cloudflare and Azure


#1

I have a website on Azure which I have set up according to this article to take advantage of free SSL: https://www.troyhunt.com/how-to-get-your-ssl-for-free-on-shared/

In a nutshell, I use Cloudflare DNS with Full SSL, which then forwards the traffic to Azure.

This works, but according to the comments, the traffic between cloudflare and Azure is not over SSL, and so is not actually secure.

Is there any way to use SSL between cloudflare and Azure?


#2

If CF is setup as Full the traffic is HTTPS between CF and the origin. The only thing is that the certificate is not validated.


#3

Thank you. Is there any way to resolve this? In other words, do I need to buy an SSL cert to ensure CF to origin is a validated certificate?

If not, it seems that there is no way to use CF securely with Azure.

I just want to ensure my site and traffic is standardly secured.


#4

Your traffic IS SECURE, it is encrypted using TLS; CF just isn’t verifying that the certificate is a valid one (it’s the same as adding the --insecure flag to curl), so it can be self-signed or expired.

If the certificate on Azure covers the domain you are using (if your domain is example.com, it has example.com in the alternate, or primary, name) then you can switch to Full (Strict) which validates the certificate.

The decision if you need to buy a specific certificate (you can use Let’s Encrypt theoretically, don’t know enough about Azure to verify compatibility) is about where you are worried about eavesdroppers or hackers: if it is in transit (User <-> CF <-> Origin) then you are already set, if it is on the actual server and you want to be sure no one else puts something instead of your server (which is pretty difficult if you use A/AAAA records with static IPs or a domain controlled by Azure itself) then you would improve a bit with the cert, but not much in my opinion.

TL;DR: your site and traffic are already secured (assuming the Azure account has a strong password and possibly 2FA)
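As an added illustration (not code from this thread or from Cloudflare) of the difference between Full and Full (Strict) discussed in #2 and #4: the first function performs the origin-name check that Full (Strict) adds on top of plain TLS, working offline on the dict shape Python's `ssl` module returns, and the second connects to an origin the way either mode would. The function names, the 10 s timeout and the example hostnames are assumptions.

```python
import ssl
import socket

def _name_matches(pattern: str, hostname: str) -> bool:
    """Match one SAN/CN pattern against hostname; a single leading '*.' covers exactly one label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if pattern.startswith("*.") and "*" not in pattern[2:]:
        parts = hostname.split(".", 1)
        return len(parts) == 2 and bool(parts[0]) and parts[1] == pattern[2:]
    return False

def cert_covers_domain(cert: dict, hostname: str) -> bool:
    """The check Full (Strict) adds beyond Full: does the origin cert name this hostname?
    `cert` has the shape returned by ssl.SSLSocket.getpeercert(). As in RFC 6125, the
    commonName is only consulted when the cert carries no DNS subjectAltName at all."""
    dns_names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not dns_names:
        dns_names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return any(_name_matches(n, hostname) for n in dns_names)

def probe_origin(origin: str, sni_host: str, strict: bool, port: int = 443):
    """Connect to the origin roughly as Cloudflare does (assumed helper, not Cloudflare's own code).
    strict=False mirrors 'Full': TLS is negotiated but nothing about the cert is checked.
    strict=True mirrors 'Full (Strict)': chain and hostname are validated, so a self-signed
    cert or one issued for another name fails the handshake.
    Returns (handshake_ok, peer_cert_dict, error_text)."""
    ctx = ssl.create_default_context()
    if not strict:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((origin, port), timeout=10) as raw:
            with ctx.wrap_socket(raw, server_hostname=sni_host) as tls:
                # With CERT_NONE the peer cert is not validated, so getpeercert() returns {}.
                return True, tls.getpeercert(), None
    except (ssl.SSLError, OSError) as exc:
        return False, {}, str(exc)

if __name__ == "__main__":
    # Constructed cert dict: an Azure-issued name does not cover the site's own domain.
    azure_cert = {"subjectAltName": (("DNS", "myapp.azurewebsites.net"),)}
    print("Full (Strict) would accept:", cert_covers_domain(azure_cert, "example.com"))
```

Running `probe_origin("<your-origin-host>", "example.com", strict=True)` against the real origin shows whether Full (Strict) would succeed before the setting is changed in the dashboard.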


#5

It’s only “secure” from eavesdropping by passive adversaries. An active attacker can trivially MITM it and read or modify the communications.


#6

Well, it would need to block all connections and act as the origin server (which is what I said in the following paragraphs); it can’t modify the packets in transit, it would need to have the origin certificate.


#7

That’s by definition what an active MITM can do. With certificate validation off, an MITM could use any certificate, including a self-signed one or one for a different domain.


#8

Exactly the point of my third paragraph:

I would have probably had to specify that it was in this specific case, but this is a static website, there shouldn’t be any data going back to the origin, so the actual increase in security (for the users) is not substantial. But what you are saying is exactly the point of that paragraph.


#9

Ok, thank you. That explains it well.

If I need the extra security, I will put the dedicated ssl cert on Azure.

