Just seeing if anyone can offer a straight answer: if we want to use Cloudflare, what is the best approach for SSL? Such as, trying to get Let’s Encrypt to work with Cloudflare, or using SSL options that Cloudflare provides?
I use Cloudflare for lots of stuff. For best performance and security, just let Trellis do the Let’s Encrypt certificates so that you have SSL running by default on your server (without Cloudflare). THEN when you’re all connected with Cloudflare go ahead and turn on SSL in FULL mode. That will ensure your connection is secured both from the user to Cloudflare and Cloudflare to your server.
Sounds like a plan, thanks!
A few other tips for using CloudFlare in front of Trellis:
- Set up page rules to bypass CloudFlare caching (if you’re using it) with a rule that looks something like this:
- If there are existing links in the wild with the www. subdomain, you may need a page rule to rewrite since it will get caught by CloudFlare before Trellis can redirect:
- If you have some subdomains that can’t use https, you can set CloudFlare SSL to Flex and add a page rule to force the root domain to use Strict SSL:
- Check out their WP Plugin - https://wordpress.org/plugins/cloudflare/ - though I recall the “Automatic Cache Management” feature to be somewhat problematic, so I don’t use that
> if we want to use Cloudflare, what is the best approach for SSL?
Get a Cloudflare-trusted certificate on your server and enable “Full SSL (Strict)”.
There is a role for that. This saves the trouble of changing Cloudflare settings during the first letsencrypt challenge and ensures end-to-end encryption.
> Problematic “Automatic Cache Management”

Couldn’t agree more. It’s so problematic that I built my own plugin for that.
To generate the LE certs you need to disable DNS routing through Cloudflare, so that LE sees the correct IP address. So how do you then still get the benefits of Cloudflare security/caching?
Turn it back on once you’ve received your LE cert
Works all the time for us.
I thought that would’ve meant the renewal in 3 months would break, because the IP wouldn’t be correct again?
I suppose that’s possible. I haven’t run into an issue but Kinsta’s generating my LE certs, not Trellis, and I haven’t run into that issue yet. We also re-gen our certs all the time because we’re on a multisite.
Ta. If you try provisioning a server with the DNS running through Cloudflare it fails because it’s not seeing the same IP, and I imagine that would be the same when LE renews. So I’ve just got Cloudflare turned off for now …
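The failure described in the last few posts (provisioning or renewal breaking because the hostname resolves to a Cloudflare edge instead of the origin) can be caught before you run the playbook. The following pre-flight script is an added example, not part of this thread or of Trellis: it resolves each site hostname and reports whether it points at your origin IP, at a Cloudflare proxy address (orange cloud still on), or somewhere else. The Cloudflare IPv4 ranges embedded below are the published list as of writing and are an assumption; refresh them from https://www.cloudflare.com/ips-v4 (IPv6 ranges are omitted here). The `resolver` parameter is injectable so the logic can be exercised offline with constructed answers.

```python
import ipaddress
import socket
import sys

# Cloudflare's published anycast IPv4 ranges (assumption: snapshot at time of
# writing; fetch the current list from https://www.cloudflare.com/ips-v4).
CLOUDFLARE_IPV4 = [
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
]
_CF_NETS = [ipaddress.ip_network(n) for n in CLOUDFLARE_IPV4]


def is_cloudflare_ip(ip: str) -> bool:
    """True if the address falls inside one of Cloudflare's proxy ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in _CF_NETS)


def preflight(hostname: str, origin_ip: str, resolver=socket.gethostbyname) -> str:
    """Classify where a hostname currently resolves relative to the origin.

    Returns one of:
      'ok'           - resolves straight to the origin (grey cloud / DNS only)
      'proxied'      - resolves to a Cloudflare edge; HTTP-01 validation by
                       Let's Encrypt will not see the origin IP
      'mismatch'     - resolves to some other address (stale record, typo)
      'unresolvable' - no DNS answer at all
    """
    try:
        resolved = resolver(hostname)
    except OSError:
        return "unresolvable"
    if resolved == origin_ip:
        return "ok"
    if is_cloudflare_ip(resolved):
        return "proxied"
    return "mismatch"


def check_site(hostnames, origin_ip: str, resolver=socket.gethostbyname) -> dict:
    """Run the pre-flight check for every hostname of a site (e.g. apex and www)."""
    return {h: preflight(h, origin_ip, resolver) for h in hostnames}


def all_clear(results: dict) -> bool:
    """True only if every hostname resolves directly to the origin."""
    return all(status == "ok" for status in results.values())


if __name__ == "__main__":
    # Usage: python cf_preflight.py <origin-ip> <hostname> [<hostname> ...]
    if len(sys.argv) < 3:
        sys.exit("usage: cf_preflight.py <origin-ip> <hostname> [...]")
    report = check_site(sys.argv[2:], sys.argv[1])
    for host, status in report.items():
        print(f"{host:40s} {status}")
    # Non-zero exit lets you gate a provisioning script on a clean result.
    sys.exit(0 if all_clear(report) else 1)
```

Run it against the same hostnames you list under `site_hosts` in Trellis before provisioning and again before a renewal; a `proxied` result means the record is still orange-clouded and the Let's Encrypt challenge will be answered by Cloudflare rather than your server.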
I must have shared this in another thread: I simply don’t use Let’s Encrypt with Cloudflare - Cloudflare provides its own SSL certificates. They can be downloaded, then in Trellis, you can configure SSL to “manual”, and specify the file paths to the Cloudflare certificates. For sites without Cloudflare, I use Let’s Encrypt.