Let’s say I’m using Cloudflare, but I’m only using the DNS to route to the origin server. If the origin server has and HAProxy instance that grabs content from another server with nginx, where should I apply HTTPS? Should I do it with NGINX, HAProxy, or with Cloudflare?
If I use Cloudflare to proxy, should I proxy http traffic to Cloudflare and have Cloudflare apply HTTPS, or should I do that myself and only use port 443?
I’m trying to be as efficient as possible, and it doesn’t seem to matter where https is applied as long as non-https connections aren’t allowed to access the origin.
I would have HTTPS on HAProxy and Cloudflare.
I would almost certainly prefer Cloudflare and HAProxy - “Full (Strict)” SSL mode, so port 443 on your webserver with a Cloudflare Origin Certificate - for a couple of reasons.
- Regular certificates on HAProxy require setup (DNS connection for DNS validation, HTTP for HTTP validation, etc). Cloudflare Origin Certificates expire after a matter of years, so you don’t have to worry about that.
- Cloudflare has Backup Certificates, where they provision multiple redundant certificates to cover any problems with one issuer.
- Doing SSL at Cloudflare and your origin server protects the entire connection, whereas SSL only at Cloudflare leaves the connection between your origin server and Cloudflare exposed (“Flexible” mode).
This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.