Just seeing if anyone can offer a straight answer: if we want to use Cloudflare, what is the best approach for SSL? Such as, trying to get Let’s Encrypt to work with Cloudflare, or using SSL options that Cloudflare provides?
I use Cloudflare for lots of stuff. For best performance and security, just let Trellis do the Let’s Encrypt certificates so that you have SSL running by default on your server (without Cloudflare). THEN when you’re all connected with Cloudflare go ahead and turn on SSL in FULL mode. That will ensure your connection is secured both from the user to Cloudflare and Cloudflare to your server.
Sounds like a plan, thanks!
A few other tips for using CloudFlare in front of Trellis:
- Set up page rules to bypass CloudFlare caching (if you’re using it) with a rule that looks something like this:
- If there are existing links in the wild with the www. subdomain, you may need a page rule to rewrite since it will get caught by CloudFlare before Trellis can redirect:
- If you have some subdomains that can’t use https, you can set CloudFlare SSL to Flex and add a page rule to force the root domain to use Strict SSL:
- Check out their WP Plugin - https://wordpress.org/plugins/cloudflare/ - though I recall the “Automatic Cache Management” feature to be somewhat problematic, so I don’t use that
if we want to use Cloudflare, what is the best approach for SSL?
Get a cloudflare-trusted certificate on your server and enable “Full SSL (Strict)”.
There is a role for that. This saves the trouble of changing Cloudflare settings during the first letsencrypt challenge and ensures end-to-end encryption.
Problematic “Automatic Cache Management”
Couldn’t agree more. It’s so problematic that I built my own plugin for that.
To generate the LE certs you need to disable DNS routing through Cloudflare, so that LE sees the correct IP address. So how do you then still get the benefits of Cloudflare security/caching?
Turn it back on once you’ve received your LE cert
Works all the time for us.
I thought that would’ve meant the renewal in 3 months would break, because the IP wouldn’t be correct again?
I suppose that’s possible. I haven’t run into an issue but Kinsta’s generating my LE certs, not Trellis, and I haven’t run into that issue yet. We also re-gen our certs all the time because we’re on a multisite.
Ta. If you try provisioning a server with the DNS running through Cloudflare it fails because it’s not seeing the same IP, and I imagine that would be the same when LE renews. So I’ve just got Cloudflare turned off for now …
I must have shared this in another thread: I simply don’t use Let’s Encrypt with Cloudflare - Cloudflare provides its own SSL certificates. They can be downloaded, then in Trellis, you can configure SSL as “manual” and specify the file paths to the Cloudflare certificates. For sites without Cloudflare, I use Let’s Encrypt.
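For reference, here is what the “manual” setup described above looks like in a Trellis `group_vars/production/wordpress_sites.yml`, as an added example rather than a config taken from this thread. The domain and the certificate/key paths are placeholders; the cert is a Cloudflare Origin CA certificate, which only Cloudflare trusts, so it belongs behind “Full (Strict)” and would show as untrusted if anyone reached the origin directly.

```yaml
# Added example: Trellis site definition using a Cloudflare Origin CA
# certificate instead of Let's Encrypt. Domain and paths are placeholders.
wordpress_sites:
  example.com:
    site_hosts:
      - canonical: example.com
        redirects:
          - www.example.com
    local_path: ../site
    repo: git@github.com:example/example.com.git
    branch: master
    multisite:
      enabled: false
    ssl:
      enabled: true
      # "manual" tells Trellis to install the given cert/key rather than
      # run a Let's Encrypt challenge, so DNS can stay proxied through
      # Cloudflare during provisioning and there is no renewal to break.
      provider: manual
      # Local paths (on the machine running Ansible) to the Origin CA
      # certificate and private key downloaded from the Cloudflare dashboard.
      cert: ~/ssl/example.com.origin.pem
      key: ~/ssl/example.com.origin.key
    cache:
      enabled: false
```

Pair this with Cloudflare's SSL mode set to “Full (Strict)”: with “Flexible”, the Cloudflare-to-origin hop is plain HTTP regardless of what the server has installed.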
Cloudflare seems such a no-brainer, what would be the reasons not to use it?
I always recommend CloudFlare, but sometimes it’s out of my hands. Some larger organizations have IT departments who handle the DNS and don’t want to mess with CloudFlare. Some people might be wary since it’s not “true” end-to-end encryption, and CloudFlare had a bad data breach a couple years ago. But for most websites, it works just fine.
Thank you for the answer.
Not even in full-strict mode?
I’m sure it could be debated, but here’s one reference about this: https://www.wordfence.com/blog/2017/03/support-end-to-end-encryption/
Cloudflare always is the man-in-the-middle.
Thanks for the articles. It is a sad day…
I haven’t thought about this issue up till now, but now I have to start to dig and find a better solution. Or just leave it as it is, and call it a day.
The listed alternatives in the “Cloudflare we have a problem” article are completely unknown to me.