Which way is more secure?


#1

Hi all

You might have noticed that I’m quite new to CF and trying to figure out best practice for security and performance and configure CF in the right way for my project.
So here is some basic info about my setup

Domain: www.example.com

Origin: Azure https://example-api.azurewebsites.net

Azure Storage Account: https://example.z10.web.core.windows.net

So this is going to be a setup for a Serverless Single Page Application. I am using Azure Storage account to serve my static files and Azure Functions (origin address above) as my API.

Azure provides SSL for both Storage and Function app endpoints.

Now, I have added my domain as custom domains to Azure Storage account, however Storage account doesn’t support SSL for custom domains, the only way to get it, is to configure Azure CDN, point to the storage endpoint and configure your custom domain and SSL there. But there is no point of doing that when I am on CF which provides me with all the good stuff as CDN, beside I don’t want to pay for Azure CDN.
So I end up with a non secure www.example.com which is pointed to https://example.z10.web.core.windows.net using CNAME.

Now my question is, if I pass www.example.com through CF and make it go through secure tunnel, would that make all the route secure, including CF to Origin?

Please note that I have no way of adding CF Origin Cert to my storage account, but it is using SSL on it’s own azure endpoint which is used to create a CNAME in my DNS settings on CF.
Also I have set my Crypto mode to Full Strict, it seems to be working, does this mean all the routes are secure now?

I think I’m a bit confused here because Azure provides SSL on their endpoints by default, so all the endpoints that I am pointing my CNAME records to are on https, does that mean I don’t need CF Origin Cert anymore?

Thanks for your help


#2

If your origin supports SSL and you CNAME to the hostname of the valid SSL and a valid cert is presented for the hostname that you use, then I believe CF can go secure to the origin (you should be able to set the SSL mode to “Full (Strict)”.

You can always try and see :wink:


#3

Thanks a lot Shimi, yes I tried Strict mode and it seems to be working fine.


closed #4

This topic was automatically closed after 30 days. New replies are no longer allowed.