SSL loopback - detects login from different (Cloudflare) IPs

Hi,

We are trying to work with a new vendor and assign an SSL under their origin server to connect to our subdomain.
When we configure it without proxy, the website loads and we can log in, but we have an SSL error.
When we configure it with proxy, SSL is enabled and the website loads, but we cannot log in: the app is detecting multiple IP addresses trying to access at the same time (see attached).

I found it is caused by the way Cloudflare works, and the IPs are Cloudflare’s IP addresses.
The question is: can we limit the rapid change of the IP addresses when accessing the application?

For the first issue you describe, it sounds like you may have been able to get it working due to the “Flexible” SSL/TLS setting. Keep in mind “Flexible” is not secure at all and the connection back to your origin/server is still in plain text / over HTTP. You should ensure your SSL/TLS setting is Full (Strict) and then fix any certificate error.
More information here: Encryption modes · Cloudflare SSL/TLS docs
If it helps, Cloudflare offers Origin Certificate Authority certs, which can be valid for up to 15 years, and are trusted by the Cloudflare Proxy (but not signed by a trusted root/trusted by web browsers, so you need proxy mode on). For more information: Origin CA certificates · Cloudflare SSL/TLS docs
Note those are just an option; you can still use any certificate signed by a trusted root authority like Let’s Encrypt with Full (Strict) SSL/TLS mode.

As for the second issue, those are Cloudflare Proxy IPs as you have noticed. You cannot “limit the rapid change” of them, but you can restore the original user IP from the CF-Connecting-IP header, and have your application properly use the actual IP of the connecting user rather than CF Egress IPs. There are guides on how to do that with popular web servers here: https://support.cloudflare.com/hc/en-us/articles/200170786-Restoring-original-visitor-IPs
Hope this helps!
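To make the IP-restoration advice above concrete, here is an added example (not code from the thread, Cloudflare, or any of its guides) of the check an application should do before trusting CF-Connecting-IP: honour the header only when the TCP peer is one of the proxy's published egress ranges, otherwise anyone who reaches the origin directly can put any value in it. The proxy ranges below are constructed placeholders (RFC 5737 / RFC 3849 documentation prefixes) standing in for the real list at https://www.cloudflare.com/ips/; the function and header names other than CF-Connecting-IP are the example's own.

```python
import ipaddress
from typing import Iterable, Mapping, Union

IPNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed stand-in for the proxy's published egress ranges. In a real
# deployment load the current list from https://www.cloudflare.com/ips/ and
# refresh it periodically; stale ranges silently break the check below.
TRUSTED_PROXY_RANGES: list = [
    ipaddress.ip_network("203.0.113.0/24"),    # placeholder (TEST-NET-3)
    ipaddress.ip_network("2001:db8:cf::/48"),  # placeholder (documentation prefix)
]


def is_trusted_proxy(remote_addr: str, ranges: Iterable[IPNetwork] = TRUSTED_PROXY_RANGES) -> bool:
    """True when the TCP peer address belongs to one of the trusted proxy ranges."""
    addr = ipaddress.ip_address(remote_addr)
    return any(addr in net for net in ranges)


def client_ip(remote_addr: str, headers: Mapping[str, str],
              ranges: Iterable[IPNetwork] = TRUSTED_PROXY_RANGES) -> str:
    """Return the visitor IP the application should use.

    CF-Connecting-IP is trusted only when the request actually arrived through
    the proxy. For direct connections (or a malformed header) the peer address
    is used, so a header set by a client that bypasses the proxy has no effect.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    forwarded = lowered.get("cf-connecting-ip")
    if forwarded and is_trusted_proxy(remote_addr, ranges):
        try:
            return str(ipaddress.ip_address(forwarded.strip()))
        except ValueError:
            pass  # not a valid address: fall through to the peer address
    return str(ipaddress.ip_address(remote_addr))


def session_ip_changed(session_ip: str, remote_addr: str, headers: Mapping[str, str],
                       ranges: Iterable[IPNetwork] = TRUSTED_PROXY_RANGES) -> bool:
    """The kind of session check the application in the thread performs, applied to
    the restored visitor IP instead of the proxy's egress IP, so two requests that
    leave the proxy from different egress addresses still match."""
    return client_ip(remote_addr, headers, ranges) != session_ip


if __name__ == "__main__":
    # Constructed requests: the same visitor (198.51.100.7) arriving via two
    # different proxy egress addresses, then a direct connection spoofing the header.
    requests = [
        ("203.0.113.10", {"CF-Connecting-IP": "198.51.100.7"}),
        ("203.0.113.20", {"CF-Connecting-IP": "198.51.100.7"}),
        ("192.0.2.5",    {"CF-Connecting-IP": "198.51.100.7"}),  # bypasses the proxy
    ]
    session_ip = client_ip(*requests[0])
    for peer, hdrs in requests:
        print(peer, "->", client_ip(peer, hdrs), "changed:", session_ip_changed(session_ip, peer, hdrs))
```

Wire `client_ip` in as the single source of the visitor address (the nginx `real_ip` module and equivalents in the linked guide do the same job at the web-server layer); if the application instead keeps reading the TCP peer address, it will keep seeing the proxy's egress IPs and flag the session as the thread describes.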

Thank you for the quick and detailed response!!

I prefer to keep the encryption mode on Full and not change it to Flexible.
And since I have little access to the origin server in this instance, I can only send them a certificate to apply to the origin server.

Does Cloudflare offer a paid signed certificate authority for sub-domains?

Sorry, I worded that wrongly; I was trying to ensure you weren’t working around the SSL issue by using the Flexible SSL setting, which encrypts only from the user to Cloudflare and not from Cloudflare to the origin. Using Full or, even better, Full (Strict) is what you want to do.

What do you mean by a “paid Certificate Authority for subdomains”?

Cloudflare has a few different certificate options, for different sides of the connection.

With Proxy enabled, the connection looks like this:

User ← Cloudflare Edge Certificates → Cloudflare ← Origin Server Certificates → Origin

If you just want a certificate to encrypt traffic between Cloudflare and your Origin, you can use the Origin Certificates, under SSL/TLS → Origin Server. You can create them for any hostname, including subdomains and wildcards. These are ONLY trusted by Cloudflare’s proxy though, and without proxy enabled, normal web browsers will not trust them.

If you are talking about the certificate Cloudflare serves to the user, the universal certificate you get for free covers any 1st-level subdomains, i.e. *.example.com, like www.example.com. For anything deeper, you would need Advanced Certificate Manager. Please note you cannot export Cloudflare edge certificates or use them outside of Cloudflare.

Let me know if that makes sense.
