Ssl – use Cloudflare CDN/HTTP proxy for SSL-enabled web-site

cdncloudflaressl

I want to use Cloudflare CDN/HTTP proxy for my web-site that already has HTTPS through LetsEncrypt certificate.
I don't want to use Cloudflare's Free SSL certificate as it doesn't work on WindowsXP and some old browsers. Neither I want to upgrade the plan to pay monthly fees.
If I turn on Cloudflare proxying without enabling their SSL, it keeps redirecting my web-site from HTTPS to HTTP. If I turn on their SSL, I end-up with the limitations of their free SSL certificates.

So, is there a walkaround to use own SSL certificates and benefit from Cloudflare optimizations, CDN, etc.?

Best Answer

Yes, the browser will do HTTPS over HTTP2 to CloudFlare, then they will use HTTPS to your origin server.
This rules out CloudFlare for you. Either accept XP can't access the site or pay for the additional feature.
Yes, that's right.

No, there's no way to do what you want to do, within the constraints you've placed. CloudFlare must terminate the browser session, and if you disable HTTPS it will be HTTP. If you want to use CloudFlare you need to change your requirements or constraints.

Related Solutions

Let’s Encrypt – How to Use Let’s Encrypt as a Free SSL Certificate Provider

I have written a pair of how-tos for running Let's Encrypt SSL certs on CentOS: initial setup & cronning it.

And my per-domain (I use the file naming convention of z-<[sub-]domain-tld>.conf) Apache config files look like this:

<VirtualHost *:80>
ServerName domain.tld
Redirect permanent / https://domain.tld/
</VirtualHost>

<VirtualHost *:443>
    SSLCertificateFile /etc/letsencrypt/live/domain.tld/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/domain.tld/privkey.pem
    SSLCertificateChainFile /etc/letsencrypt/live/domain.tld/fullchain.pem
    DocumentRoot /var/www/domain
    ServerName domain.tld
    ErrorLog logs/domain-error_log
    CustomLog logs/domain-access_log \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
    ServerAdmin user@domain.tld

    SSLEngine on

<Files ~ "\.(cgi|shtml|phtml|php3?)$">
    SSLOptions +StdEnvVars
</Files>
<Directory "/var/www/cgi-bin">
    SSLOptions +StdEnvVars
</Directory>

SetEnvIf User-Agent ".*MSIE.*" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0

    <Directory "/var/www/domain">
         Options All +Indexes +FollowSymLinks
         AllowOverride All
         Order allow,deny
         Allow from all
    </Directory>

</VirtualHost>

And my ssl.conf looks like this:

#SSL options for all sites
Listen 443
SSLPassPhraseDialog  builtin
SSLSessionCache         shmcb:/var/cache/mod_ssl/scache(512000)
SSLSessionCacheTimeout  300
Mutex sysvsem default
SSLRandomSeed startup file:/dev/urandom  1024
SSLRandomSeed connect builtin
SSLCryptoDevice builtin
SSLCompression          off
SSLHonorCipherOrder     on
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256

Using Let's Encrypt to get SSL certs (and get your site up to an "A" rating from SSL Labs) is pretty straight-forward - once you get past some of the arcana of the Apache configs and LE command-line arguments.

HAProxy SSL – Redirect HTTPS Connection Before SSL Check

Redirection is done at the HTTP level, i.e. after the SSL connection was established. Since establishing the SSL connection includes validating the certificate it is not possible to bypass the certificate check for redirects.

Best Answer

Related Solutions

Let’s Encrypt – How to Use Let’s Encrypt as a Free SSL Certificate Provider

HAProxy SSL – Redirect HTTPS Connection Before SSL Check

Related Topic