Cloudflare - SSL/TLS Configuration
Setting up SSL/TLS in Cloudflare is a crucial step in making sure every website you proxy through it is served over HTTPS. Cloudflare has four encryption modes:
- Off: No encryption at all; browsers talk to Cloudflare over plain HTTP (not recommended).
- Flexible: Encrypts traffic between the browser and Cloudflare, but Cloudflare connects to your origin server over plain HTTP. The browser shows a padlock while the origin leg is unencrypted (not secure).
- Full: Encrypts both legs, but Cloudflare does not validate the origin's certificate, so a self-signed, expired or mismatched certificate is accepted. That still leaves the origin leg open to anyone who can sit between Cloudflare and your origin and present their own certificate.
- Full (Strict): Encrypts both legs and validates the origin certificate. It has to be unexpired, match the hostname, and be issued either by a publicly trusted CA or by Cloudflare's own Origin CA. This is the most secure option and the one to aim for.
By default, when you add a website to Cloudflare, Cloudflare issues a Universal SSL certificate for it free of charge. It stays free and is renewed automatically by Cloudflare.
Alternatively, if you have already bought an SSL/TLS certificate from a Certificate Authority, you can upload it (custom certificates require a Business or Enterprise plan). You can also order an Advanced certificate from Cloudflare itself by paying the Advanced Certificate Manager subscription fee.
Uploading a custom certificate to Cloudflare's Edge
To upload a custom certificate:
- Go to Cloudflare Dashboard > SSL/TLS > Edge Certificates
- Click Upload Custom SSL Certificate
- You will be prompted to paste the certificate (with its chain) and the private key. Keep in mind that the private key is handed to Cloudflare, so treat it as a key you have shared with a third party.
- Once this is done, your certificate is shown in the certificate list.
Your custom certificate would show up with the type Custom in the above list. Since I don't have an Enterprise/Business plan, I haven't added one and so it is not shown here.
Purchasing a certificate from Cloudflare's ACM (Advanced Certificate Manager)
Just below the Edge Certificates list you have the option to purchase ACM.
- Click 'Purchase ACM'
- You will be prompted to choose the subscription for ACM as below
- After you choose ACM and click 'Next', you will be prompted to enter your credit card details or to pay with PayPal.
- Once the payment is complete, you will have 1 ACM in your account.
- You now get an option named "Order Certificates Now"
- Click it and enter the domain for which you want to use this Advanced certificate.
If your DNS is managed in Cloudflare, it does all the validation work in the background and your certificate is activated.
If not, you will be prompted to prove that you own the domain by one of two methods:
- Verify by adding a TXT record in DNS
- Verify by email sent to an address at your domain
Once this is done, your certificate is activated and added to the list of certificates.
Enabling Always use HTTPS
Cloudflare can make HTTPS the default for your domain and all its URLs: any plain HTTP request that reaches Cloudflare's edge is answered with a redirect to the same URL over HTTPS, so no page content is ever served over HTTP.
To enable this, go to Cloudflare Dashboard > Your website > SSL/TLS > Edge Certificates > Enable the toggle
Configuring HSTS (HTTP Strict Transport Security)
HSTS is recommended because once a browser has received the Strict-Transport-Security header over HTTPS, it rewrites any http:// URL for your domain to https:// by itself, for the max-age period, before sending the request. The plaintext request and the redirect that Always use HTTPS would answer it with (a 301, the permanent redirect, or a 302, the temporary one; either still involves a first request over plain HTTP) are skipped entirely. That removes the window in which an attacker on the network could intercept or downgrade that first HTTP request.
Make sure HTTPS works properly for the whole domain (and for every subdomain, if you include them) before enabling HSTS, because browsers that have seen the header will refuse to fall back to HTTP.
To configure HSTS in Cloudflare, go to Cloudflare Dashboard > Your website > SSL/TLS > Edge Certificates > Enable HSTS
Once you click Enable HSTS, you are shown an acknowledgement that gives an overview of HSTS and the scenarios in which it can lock users out.
Once you accept the prompt, you are asked to configure HSTS as below.
As you can see from the above screenshot, I have configured HSTS as follows:
- Enable HSTS (Strict-Transport-Security) - YES
- Max Age Header (max-age) - 6 months (recommended)
- Apply HSTS policy to subdomains (includeSubDomains) - YES
- Preload - YES
- No-Sniff Header - YES
Click Save to enable HSTS.
Two caveats on these options. The Preload toggle only adds the preload directive to the header; getting onto the browser preload list is a separate submission at hstspreload.org, which requires includeSubDomains, preload and a max-age of at least one year (31536000 seconds), so a 6-month max-age will not be accepted there. Once a domain is in the list it ships inside browsers and takes months to remove, so only preload if every subdomain will serve HTTPS for good. The No-Sniff option is unrelated to HSTS: it adds the X-Content-Type-Options: nosniff header, which is harmless and worth keeping on.
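A quick way to check what the edge actually sends after saving, and whether the combination of options is preload-ready, is to parse the Strict-Transport-Security header and compare it against the hstspreload.org rules. This is an added example, not code from the original post or from Cloudflare; the sample header values are constructed here (the 6-month value assumes Cloudflare's "6 months" choice is 15552000 seconds), and `fetch_hsts` needs network access while the parsing and checking functions run offline.

```python
"""Parse a Strict-Transport-Security header and check it against the
hstspreload.org submission rules. Added example, not the post's own code."""
import http.client
import ssl
import sys

PRELOAD_MIN_AGE = 31536000  # hstspreload.org requires max-age >= 1 year


def parse_hsts(value):
    """Return the directives of an HSTS header value as a dict."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()          # directive names are case-insensitive
        if name == "max-age":
            arg = arg.strip().strip('"')     # RFC 6797 allows a quoted value
            if arg.isdigit():
                policy["max_age"] = int(arg)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy


def check_hsts(value, want_preload=True):
    """Return a list of problems; an empty list means the header is acceptable."""
    if value is None:
        return ["no Strict-Transport-Security header on the HTTPS response"]
    problems = []
    p = parse_hsts(value)
    if p["max_age"] is None:
        problems.append("max-age directive missing or not an integer")
    elif p["max_age"] == 0:
        problems.append("max-age=0 removes the policy from browsers")
    if want_preload:
        if not p["include_subdomains"]:
            problems.append("preload list requires includeSubDomains")
        if not p["preload"]:
            problems.append("preload list requires the preload directive")
        if p["max_age"] is not None and p["max_age"] < PRELOAD_MIN_AGE:
            problems.append(
                f"preload list requires max-age >= {PRELOAD_MIN_AGE} (got {p['max_age']})"
            )
    return problems


def fetch_hsts(host, path="/", timeout=5):
    """Fetch the header from a live host over HTTPS (network required).
    HSTS only counts when sent over HTTPS, so HTTP responses are not checked."""
    conn = http.client.HTTPSConnection(
        host, timeout=timeout, context=ssl.create_default_context()
    )
    try:
        conn.request("HEAD", path, headers={"Host": host})
        return conn.getresponse().getheader("Strict-Transport-Security")
    finally:
        conn.close()


# Constructed sample header values (not captured from a real site).
SIX_MONTHS = "max-age=15552000; includeSubDomains; preload"  # assumed 6-month value
ONE_YEAR = "max-age=31536000; includeSubDomains; preload"

if __name__ == "__main__":
    if len(sys.argv) > 1:                       # python hsts_check.py example.com
        value = fetch_hsts(sys.argv[1])
        print(f"{sys.argv[1]}: {value!r}")
        for problem in check_hsts(value):
            print(" -", problem)
    else:
        for sample in (SIX_MONTHS, ONE_YEAR):
            print(sample, "->", check_hsts(sample) or "OK")
```

Run without arguments it evaluates the two constructed headers: the 6-month variant is flagged as too short for preload, the 1-year variant passes. With a hostname argument it fetches the real header from the edge.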
Configure Minimum TLS version used
Older versions of SSL and TLS (SSL 3.0, TLS 1.0 and TLS 1.1) negotiate weak ciphers and have well-known attacks against them, which puts your websites at risk, so disabling them is a recommended practice.
TLS 1.3 is the latest version, and to keep backward compatibility with older devices that only speak TLS 1.2, I have set the minimum TLS version to TLS 1.2.
In order to set this, go to Cloudflare Dashboard > Your website > SSL/TLS > Edge Certificates > Minimum TLS Version
Enable TLS 1.3 explicitly
To enable it, go to Cloudflare Dashboard > Your website > SSL/TLS > Edge Certificates > TLS 1.3 and turn the toggle on.
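The dashboard setting is only as good as what the edge negotiates, so it is worth probing each TLS version separately and comparing the result with the intended policy (minimum TLS 1.2, TLS 1.3 on). This is an added example, not the post's own code or a Cloudflare tool; `probe_host` needs network access and uses the local OpenSSL build (which may itself refuse to offer TLS 1.0/1.1), while `evaluate` works on a results dict and the `COMPLIANT` and `LEGACY` samples below are constructed, not measured.

```python
"""Probe which TLS versions a host's edge accepts and compare them with the
policy set in the dashboard. Added example, not the post's own code."""
import socket
import ssl
import sys
import warnings

# Ordered oldest to newest; the names match the dashboard's choices.
VERSIONS = {
    "TLS 1.0": ssl.TLSVersion.TLSv1,
    "TLS 1.1": ssl.TLSVersion.TLSv1_1,
    "TLS 1.2": ssl.TLSVersion.TLSv1_2,
    "TLS 1.3": ssl.TLSVersion.TLSv1_3,
}


def probe_version(host, version, port=443, timeout=5):
    """Attempt a handshake pinned to exactly one protocol version.
    True  = server negotiated it, False = server refused it,
    None  = the local OpenSSL would not even offer it (e.g. TLS 1.0 on OpenSSL 3)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False      # only the protocol version matters here
    ctx.verify_mode = ssl.CERT_NONE
    with warnings.catch_warnings():
        warnings.simplefilter("ignore", DeprecationWarning)  # TLSv1/TLSv1_1 enums
        ctx.minimum_version = version
        ctx.maximum_version = version
    if version < ssl.TLSVersion.TLSv1_2:
        try:  # OpenSSL 3 blocks TLS < 1.2 at its default security level
            ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
        except ssl.SSLError:
            return None
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version() is not None
    except ssl.SSLError as exc:
        # "no protocols available" is a client-side limit, not a server answer
        return None if "NO_PROTOCOLS_AVAILABLE" in str(exc) else False


def probe_host(host, port=443):
    """Return {version name: True/False/None} for every version in VERSIONS."""
    return {name: probe_version(host, ver, port) for name, ver in VERSIONS.items()}


def evaluate(results, minimum="TLS 1.2", require_tls13=True):
    """Compare probe results with the intended policy; return a list of findings."""
    findings = []
    names = list(VERSIONS)
    for name in names[: names.index(minimum)]:          # versions below the minimum
        if results.get(name) is True:
            findings.append(f"{name} accepted although minimum is {minimum}")
        elif results.get(name) is None:
            findings.append(f"{name} could not be tested from this client")
    if results.get(minimum) is not True:
        findings.append(f"{minimum} not negotiated; clients limited to it will fail")
    if require_tls13 and results.get("TLS 1.3") is not True:
        findings.append("TLS 1.3 not negotiated")
    return findings


# Constructed sample results (not measured against any real host).
COMPLIANT = {"TLS 1.0": False, "TLS 1.1": False, "TLS 1.2": True, "TLS 1.3": True}
LEGACY = {"TLS 1.0": True, "TLS 1.1": True, "TLS 1.2": True, "TLS 1.3": False}

if __name__ == "__main__":
    results = probe_host(sys.argv[1]) if len(sys.argv) > 1 else LEGACY
    for name, ok in results.items():
        print(f"{name}: {'accepted' if ok else 'refused' if ok is False else 'untestable'}")
    for finding in evaluate(results) or ["policy satisfied"]:
        print(" -", finding)
```

A `None` result is reported as "could not be tested" rather than silently treated as disabled, since a client that cannot speak TLS 1.0 proves nothing about whether the edge still accepts it.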
Enable Automatic HTTPS Rewrites
This feature rewrites http:// links to https:// in your pages as Cloudflare serves them, for resources on hosts known to support HTTPS. Even hardcoded http:// URLs in your HTML therefore come out as https:// without any change to your source.
This is recommended because it fixes mixed-content problems (an HTTPS page pulling scripts, styles or images over HTTP) if your site has them. Fixing the URLs at the source is still the proper long-term solution; the rewrite is a safety net.
In order to set this, go to Cloudflare Dashboard > Your website > SSL/TLS > Edge Certificates > Automatic HTTPS Rewrites
Enable or Disable Universal SSL
Cloudflare enables this by default. Universal SSL is provided free of charge and acts as a fallback if you have set up a custom or ACM certificate; if neither is set, it is the certificate the edge uses.
You might choose to disable it if you are using a custom/ACM certificate, but if you do and that certificate later expires or is removed, the edge has nothing left to serve and browsers will show certificate errors, so leaving Universal SSL on costs nothing and is the safer choice.
Depending on your requirement, you can enable or disable it at Cloudflare Dashboard > Your website > SSL/TLS > Edge Certificates > Disable Universal SSL.
This wraps up the SSL/TLS configuration for most generic setups. I'll try to cover advanced topics in future, like Origin certificates, Client certificates etc.
Until next time 👋