SSL Certificate and Proxy

Hi All,
I’m just getting started with cloudflare, read tutorials and learning path menu, preparing for migration from internal DNS to Cloudflare. Currently we have Pro Plan subscription.

Right now I have question about

  1. SSL Certificate
    This is from learning path

So, SSL certificate is mandatory, before activate proxy

  • Is there any way to use our existing Sectigo SSL while using Pro Plan ?
    It said only Business Plan could upload own SSL file.

  • If it cannot using Pro Plan, should we generate by ourself Cloudflare SSL and deploy it to each server we have ?

  1. Proxy and Security
  • Is Cloudflare security (WAF, DDoS, Anti-Bot) only work while using Proxy ?
  • Should we disable our existing Firewall WAF while using Cloudflare ?

Appreciate for any answer.
Thanks & Regards,

Fandi

As you have noted, a business or enterprise plan is required to upload your own certificate

You can download a certificate from Cloudflare to use on your origin, but note that is only trusted by Cloudflare so will give a warning if you connect to your origin directly using your browser. As you already have a Sectigo certificate on your origin, just keep using that (or use Letsencrypt or other CA).

Yes, if you don’t use the proxy the traffic will go directly to your origin and won’t go through Cloudflare where the features are applied.

Maybe, depends on what it does. Note that once proxied, all traffic will be coming from Cloudflare so ensure your own WAF doesn’t end up blocking any Cloudflare IPs, but it will be OK if it blocks access to specific URLs, detects intrusion or exploit attempts and so on as an extra layer.

Consider restoring original visitor IPs on your origin so logs show the visitor IP instead of Cloudflare ones to help you see what it happening.

You should also limit access to your webserver to Cloudflare IP addresses only so people can’t get round the protections by connecting to your origin directly.

1 Like

Hi @sjr ,
Thanks for your answer and explanation.
One thing I need to be clear

Blockquote
As you already have a Sectigo certificate on your origin, just keep using that (or use Letsencrypt or other CA).
Blockquote

Is this (Point 5) the way to using our Sectigo certificate ?

There are 2 certificates required.

One is on the Cloudflare edge, this will be the one presented to visitors to your site when Cloudflare is proxying. For most users, this will be provided and renewed by Cloudflare automatically. You don’t need to do anything. (They call this “Universal SSL”). The option to use your own certificate here instead is what requires a business or enterprise account.

The second is on your origin, this is so Cloudflare can make an SSL connection to your origin to pass on, after filtering, the user’s requests. This is like any normal connection direct to your origin and requires an SSL certificate so this can be done over a secure connection. Your Sectigo certificate just sits on your origin as it did before, but will only be seen by the Cloudflare proxy.

You don’t need the Cloudflare generated origin CA certificate if you already have an SSL certificate for your origin (as you do with your Sectigo one).

See the diagram here…

I got it @sjr . Thanks for your explanation.
We plan migrate to cloudflare in end of this month.
Hopefully everything is running smooth without any major issue.

Have a nice day

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.