Cloudflare with Free SSL - How to ?

A few days ago (I thought it was a joke) Cloudflare launched a free "Universal SSL" for all their clients (both paid and free). So far they have issued more than 500,000 SSL certificates.

With Universal SSL, both the private key operation and the key establishment use elliptic curve cryptography. The private key operation uses the Elliptic Curve Digital Signature Algorithm (ECDSA), and the key establishment uses Ephemeral Elliptic Curve Diffie-Hellman (ECDHE).

Elliptic curve cryptography allows you to use smaller keys than traditional RSA. For example, a 256-bit elliptic curve key is equivalent in strength to a 3072-bit RSA key. Smaller keys allow elliptic curve cryptography to be around 5-10x faster than RSA in general cases.

Steps for adopting the new SSL

There are several things you have to do before 'forcing' the new SSL on your site.

Check for browser incompatibilities

You can test a single browser on this URL: https://www.ssllabs.com/ssltest/viewMyClient.html
If many of your users run outdated browsers that you still support, the switch could hit you hard and have a really negative impact on the site.
Here is a short list of browsers that work with it:

  • Internet Explorer 7 and later
  • Firefox 2
  • Opera 8 with TLS 1.1 enabled
  • Google Chrome:
    • Supported on Vista and later by default
    • OS X 10.5.7 in Chrome Version 5.0.342.0 and later
  • Safari 2.1 and later (requires OS X 10.5.6 and later or Windows Vista and later)

Changes to the web server

Usually you don't have to change anything. Leave nginx / apache listening on port 80. The connection between your web server and Cloudflare stays as it is; it is the connection between the user and Cloudflare that gets encrypted.
However, Cloudflare still advises using encryption between Cloudflare and your server (there is another way of doing things :) -> see below).

Forcing SSL

First of all, there is a setting on the Crypto page of your Cloudflare control panel that says SSL (with SPDY). It's important to get it right, otherwise you could mess up the connection to your site (the way I did, when I didn't read the documentation). Here is how they explain the setting:
[image: Cloudflare SSL settings] As you can see, this means that if you have a (bought) certificate and want to secure the server <-> nginx path, you can force it this way.
My suggestion is to LEAVE it on Flexible. You can handle it on your web server or force it with page rules, as I will explain now.
As you probably know, Google really likes sites with SSL. So what I did for my open-source, private and charity web sites (those not generating profit to pay for SSL) was to force Cloudflare's SSL through their page rules.
You need to go to your Page Rules page and add a new page rule like the one in the picture.
[image: page rule] Just use your web URL, *yourwebsite.com/*, and select the option Always use https.
As an extreme measure you could take to feel better protected, block direct access from all IP addresses except Cloudflare's. This way only Cloudflare can reach your web server directly (all clients go through Cloudflare anyway). IMPORTANT: this means your DNS must point to your server IP and have the orange cloud selected; otherwise, do not do this. You can find the current Cloudflare IP ranges here: https://www.cloudflare.com/ips/
The ranges used in the configurations below could be outdated when you read this.

Whitelist Cloudflare using Apache 2.2

    Order deny,allow
    Deny from all
    Allow from 199.27.128.0/21
    Allow from 173.245.48.0/20
    Allow from 103.21.244.0/22
    Allow from 103.22.200.0/22
    Allow from 103.31.4.0/22
    Allow from 141.101.64.0/18
    Allow from 108.162.192.0/18
    Allow from 190.93.240.0/20
    Allow from 188.114.96.0/20
    Allow from 197.234.240.0/22
    Allow from 198.41.128.0/17
    Allow from 162.158.0.0/15
    Allow from 104.16.0.0/12
    Allow from 172.64.0.0/13
    Allow from 2400:cb00::/32
    Allow from 2606:4700::/32
    Allow from 2803:f800::/32
    Allow from 2405:b500::/32
    Allow from 2405:8100::/32

Whitelist Cloudflare using Apache 2.4

# Apache 2.4: grant access only to Cloudflare's ranges; a client matching
# none of the Require lines is denied.
<RequireAny>
    Require ip 199.27.128.0/21
    Require ip 173.245.48.0/20
    Require ip 103.21.244.0/22
    Require ip 103.22.200.0/22
    Require ip 103.31.4.0/22
    Require ip 141.101.64.0/18
    Require ip 108.162.192.0/18
    Require ip 190.93.240.0/20
    Require ip 188.114.96.0/20
    Require ip 197.234.240.0/22
    Require ip 198.41.128.0/17
    Require ip 162.158.0.0/15
    Require ip 104.16.0.0/12
    Require ip 172.64.0.0/13
    Require ip 2400:cb00::/32
    Require ip 2606:4700::/32
    Require ip 2803:f800::/32
    Require ip 2405:b500::/32
    Require ip 2405:8100::/32
</RequireAny>

Whitelist Cloudflare using NGINX

server {
    #more configuration
    .. 

    # Allow only Cloudflare's ranges, then deny everyone else.
    # IPv4
    allow 199.27.128.0/21;
    allow 173.245.48.0/20;
    allow 103.21.244.0/22;
    allow 103.22.200.0/22;
    allow 103.31.4.0/22;
    allow 141.101.64.0/18;
    allow 108.162.192.0/18;
    allow 190.93.240.0/20;
    allow 188.114.96.0/20;
    allow 197.234.240.0/22;
    allow 198.41.128.0/17;
    allow 162.158.0.0/15;
    allow 104.16.0.0/12;
    allow 172.64.0.0/13;
    # IPv6
    allow 2400:cb00::/32;
    allow 2606:4700::/32;
    allow 2803:f800::/32;
    allow 2405:b500::/32;
    allow 2405:8100::/32;
    deny all;

    .. 
    #more configuration
}

Whitelist Cloudflare using ip-tables

Article: https://support.cloudflare.com/hc/en-us/articles/200169166-How-do-I-whitelist-CloudFlare-s-IP-addresses-in-iptables-
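An added check, not part of the original post or of Cloudflare's tooling: this Python takes the ranges this page lists, reports which of them an nginx allow list has left out (a forgotten range means requests from those Cloudflare edges fall through to deny all), and tells whether a given client address belongs to Cloudflare. The sample nginx config is constructed for the demonstration.

```python
import ipaddress
import re

# Cloudflare ranges as listed on this page (may be outdated; fetch the
# current list from https://www.cloudflare.com/ips/ before deploying).
CLOUDFLARE_RANGES = [
    "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22", "104.16.0.0/12",
    "108.162.192.0/18", "141.101.64.0/18", "162.158.0.0/15", "172.64.0.0/13",
    "173.245.48.0/20", "188.114.96.0/20", "190.93.240.0/20", "197.234.240.0/22",
    "198.41.128.0/17", "199.27.128.0/21",
    "2400:cb00::/32", "2405:8100::/32", "2405:b500::/32", "2606:4700::/32",
    "2803:f800::/32",
]
NETWORKS = [ipaddress.ip_network(r) for r in CLOUDFLARE_RANGES]

# Matches nginx `allow <cidr>;` directives, one per line.
_ALLOW_RE = re.compile(r"^\s*allow\s+([0-9a-fA-F.:/]+)\s*;", re.MULTILINE)

def allowed_networks(nginx_conf: str) -> set:
    """Networks an nginx server block explicitly allows."""
    return {ipaddress.ip_network(cidr) for cidr in _ALLOW_RE.findall(nginx_conf)}

def missing_ranges(nginx_conf: str) -> list:
    """Cloudflare ranges the whitelist omits. Any omission means requests
    from edges in that range fall through to `deny all` and get a 403."""
    have = allowed_networks(nginx_conf)
    return sorted(str(n) for n in NETWORKS if n not in have)

def is_cloudflare(ip: str) -> bool:
    """True if the connecting address belongs to a listed Cloudflare range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in NETWORKS)

def render_nginx() -> str:
    """A complete allow/deny block generated from the canonical list."""
    return "\n".join([f"allow {r};" for r in CLOUDFLARE_RANGES] + ["deny all;"])

# Constructed sample: a whitelist that only copied the first three ranges.
SAMPLE_CONF = """server {
    allow 199.27.128.0/21;
    allow 173.245.48.0/20;
    allow 103.21.244.0/22;
    deny all;
}"""
```

Run missing_ranges() against your real nginx config whenever Cloudflare updates its published ranges, and paste render_nginx() into the server block if anything is missing.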

If you block all other sources, it doesn't really matter whether you encrypted the connection between the server and Cloudflare.

They publish a regular browser compatibility table:

[image: browser compatibility table]

Sample SSL information for a certificate issued to a free client:

[image: SSL certificate information]

More here: https://blog.cloudflare.com/introducing-universal-ssl/
Information images courtesy of: https://community.centminmod.com/

Tsvetan "Cv3" Topalov

I am a full-stack developer by mind and a SaaS ninja by heart. If you want to share some thoughts: @tsvetowntopalov (NSFW: I express my thoughts and heart here; you might feel offended at some point.)
