What SSL/TLS settings should I add on the origin server and what settings should I add on Cloudflare?

Hi All,

I’m wondering what SSL/TLS settings should be left to the origin server and what ones should be left to Cloudflare so that I avoid any security and/or performance issues.

To expand, when I set up my website using NGINX I created a block to automatically redirect HTTP to HTTPS. It looks something like this:

# Redirect http to https
server {
    listen 80;
    listen [::]:80;
    server_name example.com www.example.com;

    return 301 https://example.com$request_uri;
}

I did the same thing for HSTS, using this header:

add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";

However, I noticed that both of these settings are something that I can update on the Cloudflare Crypto dashboard.

So what settings should I keep where? Does it really matter? If I can turn them all off on the Cloudflare dashboard and keep them all on my origin server, do I even need Cloudflare for SSL/security purposes (side note: I have my own SSL cert that is signed and verified)?

I found here that “it is not recommended to perform redirects at your origin server”, so I’m wondering if I should delete my NGINX block and let Cloudflare handle everything.

The main thing I really care about is I would like to have all my settings in one place unless there is a best practice for these SSL/TLS settings.

Thanks!

If you can connect to HTTPS for your domain on your server, that’s all you need. Cloudflare will take care of the rest (HSTS and redirects to HTTPS).

Okay, perfect. I’ll set it up so that I use Cloudflare for those sort of things. Thanks!

1 Like

Did you also set up a certificate on your server?

Yes, I did. I’m using a Let’s Encrypt certificate on my server.

1 Like

All right. Apologies, I just noticed you did already address that bit in your initial posting. It is just very much a standard response of mine in similar cases, as the majority of users posting here does not have a secure setting.

Anyhow, to address your question, it does not really matter. You can configure it on Cloudflare alone and not worry about the local configuration. In this case the redirected requests will never reach your server, as they will already be handled at Cloudflare’s PoPs. This will be slightly more efficient, however overall not exactly the one single performance boost either. It will make you fully dependent on Cloudflare in this regard though.

My advice would be to configure it both on Cloudflare and locally. Should you ever move away from Cloudflare (temporarily or permanently) you’d still have the configuration in place and don’t need to remember to add it.

2 Likes
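If both the origin and Cloudflare are configured as advised above, the two should agree, because a browser updates its cached HSTS policy on every response it sees. The following is an added example (not code from the thread or from Cloudflare) that parses a Strict-Transport-Security header per RFC 6797, checks that plain HTTP gets a permanent redirect to https://, and reports where an origin policy and an edge policy differ; the three raw responses are constructed samples, with the edge one deliberately using a different max-age and preload.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample responses (headers only); the origin ones mirror the NGINX config in
# the question, the edge one is a made-up Cloudflare-style response that differs on purpose.
ORIGIN_HTTP = ("HTTP/1.1 301 Moved Permanently\r\nServer: nginx\r\n"
               "Location: https://example.com/path?q=1\r\n\r\n")
ORIGIN_HTTPS = ("HTTP/1.1 200 OK\r\nServer: nginx\r\n"
                "Strict-Transport-Security: max-age=31536000; includeSubdomains\r\n\r\n")
EDGE_HTTPS = ("HTTP/1.1 200 OK\r\nServer: cloudflare\r\n"
              "strict-transport-security: max-age=15552000; includeSubDomains; preload\r\n\r\n")

@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    preload: bool

def parse_response(raw: str):
    """Return (status code, {lowercased header name: value}) from a raw HTTP response."""
    head = raw.split("\r\n\r\n", 1)[0]
    status_line, *lines = head.split("\r\n")
    headers = {}
    for line in lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(status_line.split(" ")[1]), headers

def parse_hsts(value: str) -> Optional[HstsPolicy]:
    """RFC 6797: ';'-separated directives, case-insensitive names, max-age is mandatory."""
    directives = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            directives[name.lower()] = val.strip().strip('"')
    if not directives.get("max-age", "").isdigit():
        return None  # browsers ignore a header without a valid max-age
    return HstsPolicy(int(directives["max-age"]),
                      "includesubdomains" in directives, "preload" in directives)

def redirects_to_https(raw: str) -> bool:
    """True when plain HTTP is answered with a permanent redirect to an https:// URL."""
    status, headers = parse_response(raw)
    return status in (301, 308) and headers.get("location", "").startswith("https://")

def hsts_policy(raw: str) -> Optional[HstsPolicy]:
    """HSTS policy carried by a response, or None if absent or invalid."""
    return parse_hsts(parse_response(raw)[1].get("strict-transport-security", ""))

def policy_differences(a: HstsPolicy, b: HstsPolicy) -> list:
    """Fields on which two policies disagree; a browser keeps whichever it received last."""
    return [f for f in ("max_age", "include_subdomains", "preload")
            if getattr(a, f) != getattr(b, f)]
```

To use it against a live site, feed the raw response text from a direct connection to the origin and from a connection through Cloudflare into the same functions.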

Ahhh, that makes a lot of sense! I appreciate the detailed response as I’m still trying to wrap my head around Cloudflare and how it works on a more technical level.

Cloudflare basically is a (globally distributed) reverse proxy.

1 Like
