If I'm using Cloudflare Free, can I use PositiveSSL?

gapper Member
edited February 2017 in General

I'm using Cloudflare Free to protect my server IP. I was trying to buy a cheap PositiveSSL certificate however it looks like if I'm using Cloudflare Free I only have these options:

  1. To use their "Free Flexible SSL". (crap)
  2. To upgrade to their Business plan ($200/mo) so I can upload my own SSL. (no thanks)
  3. To buy their "Dedicated Certificate" which costs $5/mo.

Regarding option #3, I see that their SSL certificates require SNI sent from the browser... so it means that old computers will become unable to view my site.

So after all, I can't use PositiveSSL if I'm either on the Cloudflare Free/Pro plans? Only option is to either pay $200/mo for their Business plan or buy the SSL certificate from them and say goodbye to Windows XP users?

Thanks,
gapper

Comments

  • Let's Encrypt?

  • MikeA Member, Patron Provider

    If the past way they do SSL is the same as now, then you're correct. You need to upgrade or don't use their CDN+SSL over your site. Though why do you say the flexible SSL they provide is crap? If I understand right it's basically SSL from your user to their CDN server, but not the CDN server to your site. This would still technically protect users.

  • If I'm not using their CDN... only using their DNS service, can I then use my own SSL?

  • MikeA Member, Patron Provider
    edited February 2017

    @gapper said:
    If I'm not using their CDN... only using their DNS service, can I then use my own SSL?

    Yes, their flex SSL only works if you enable CF on your domain.

  • CF is enabled on my domain... but I'm just using it to hide my server IP. I'm not using CF caching however yes, CF is on for my domain.

    I'm not sure how to proceed... should I buy a Comodo SSL ($5/year) or should I buy a SSL cert directly from CloudFlare ($5/mo)?

    I'm not sure if my Comodo SSL would work having CF enabled for my domain.

  • Is the "crap" part that it uses SNI, or that other domains are on the certificate?

  • I have tried to buy a dedicated cert from cloudflare and it's also "crap". It will be dedicated but will work just like the shared one unless you have Pro or Business.

  • ljseals Member
    edited February 2017

    @gapper said:
    If I'm not using their CDN... only using their DNS service, can I then use my own SSL?

    I use SSL fine; however, you must make sure that you pause the website. Then you must go to dns and make sure that the orange cloud is checked off in order to use it for dns only. That way you are not using the main service (CDN) but only the DNS. God bless you!

  • @gapper said:
    CF is enabled on my domain... but I'm just using it to hide my server IP. I'm not using CF caching

    CDN hides your server IP, simply that. Nothing to do with caching.

    So yes, you are using their CDN, not just DNS.

  • @msg7086 said:

    @gapper said:
    CF is enabled on my domain... but I'm just using it to hide my server IP. I'm not using CF caching

    CDN hides your server IP, simply that. Nothing to do with caching.

    So yes, you are using their CDN, not just DNS.

    a CDN is a content delivery network, please don't post things where you have no clue from, simply that.

    using cloudflare strict and flex and it is a very nais simple and complete free solution, you just need to handle it, which clearly the most can't do here.

  • @xyl0n said:

    please don't post things where you have no clue from, simply that.

    Sure. Then why did you post?

  • @xyl0n said:

    @msg7086 said:

    @gapper said:
    CF is enabled on my domain... but I'm just using it to hide my server IP. I'm not using CF caching

    CDN hides your server IP, simply that. Nothing to do with caching.

    So yes, you are using their CDN, not just DNS.

    a CDN is a content delivery network, please don't post things where you have no clue from, simply that.

    using cloudflare strict and flex and it is a very nais simple and complete free solution, you just need to handle it, which clearly the most can't do here.

    Please kindly get yourself a Cloudflare account and get a domain running behind their service so you can have some basic understanding of how they work.

  • mfs Banned, Member
    edited February 2017

    Maybe xylon is one of those who want to stress out that a CDN should just be a CDN and that CF offers a reverse proxy which accidentally could be a CDN; anyway the context was pretty clear

    or maybe he just knows about the strict/flexible price tag and not really how CF works

    anyway, if your main goal is to hide your ip please keep in mind that there are other simple ways to get your ip, working in most cases unless you've been really careful (from old dig data to mx entries and whatnot, there are even sites keeping track of those changes for IPs "hidden" behind CF); I feel like many seek a protection they don't really need (or, they don't need in that way)

    CF is a MiTM-as-a-service so if you have any issue with CF intercepting your encrypted traffic you shouldn't use CF at all, no matter the plan

    If you decide to use only their DNS service you can use whichever TLS cert you want, it won't be different from using any other DNS service (except that they are exceptionally good in the DNS game)

  • Wicked said: shared one unless you have Pro or Business

    No, business is also SNI as is pro. CF does not do dedicated IPs in a traditional sense, which can be annoying.

  • @msg7086 said:

    @xyl0n said:

    please don't post things where you have no clue from, simply that.

    Sure. Then why did you post?

    Debian. Thx

  • @gapper said:
    If I'm not using their CDN... only using their DNS service, can I then use my own SSL?

    If I am understanding this, you should not have an issue using CF with your own SSL if you are only using their DNS. In fact, I do this all the time. The flow is like this:

    1. Buy an SSL of choice - PositiveSSL, or whatever (I use ssls.com)
    2. Use CF DNS to point to your IP.
    3. Pause CF, so that only DNS is being used.
    4. Install the SSL cert on your server (not on CF), this step (of course) is dependent on what server you are using, and can be quite a pain... but should work.
    5. Done! enjoy your SSL enabled site with CF DNS.
    Thanked by 1 gapper
  • No, you cannot. Check the image below.

    You need to upgrade to Business or Enterprise level to use custom SSL certificate.

    Thanked by 1 gapper
  • "Cloudflare - Making People Confused since 1788"

    Thanked by 2 mfs doghouch
  • @William said:

    Wicked said: shared one unless you have Pro or Business

    No, business is also SNI as is pro. CF does not do dedicated IPs in a traditional sense, which can be annoying.

    Are you sure about that? My Pro sites can be browsed with browsers who do not support SNI and SSL Labs shows no warning message, that you can only browse the site with browsers who support SNI.

    https://www.ssllabs.com/ssltest/analyze.html?d=high-minded.net&s=104.25.31.5&latest

  • I investigated and have the answer.

    CF free certificates are SNI however if you switch to Pro (or higher) you get a functionality that makes CF detect if you are using a non-SNI compatible system and switch back to a non-SNI certificate so you can browse it.

    Their paid certificates ($5/mo/domain) are SNI.

    If you want to use your own certificates you need to be Business ($200/mo/domain) or Enterprise ($5000+/mo/domain).

    /thread

  • @mfs said:
    If you decide to use only their DNS service you can use whichever TLS cert you want, it won't be different from using any other DNS service (except that they are exceptionally good in the DNS game)

    must you use cloudflare dns? like mfs said, there are lots of better services out there (just search 'free dns' for a list). other services generate free non-SNI ssl like let's encrypt, for example cloudbric and kloudsec

  • tr1cky said: Are you sure about that? My Pro sites can be browsed with browsers who do not support SNI and SSL Labs shows no warning message, that you can only browse the site with browsers who support SNI.

    Interesting - Pro seems SNI with fallback (i see that on my 20$ site, which should be normal pro?), enterprise (we have the usual 3k$ plan) is not SNI but not dedicated IPs (my confusion, enterprise never was SNI and would not make sense either).

    pomelow said: free non-SNI ssl like let's encrypt

    Not really cert based thing though, if you only have 1 IP you will end up with secondary names, ports or SNI by force.

  • @pomelow said:

    @mfs said:
    If you decide to use only their DNS service you can use whichever TLS cert you want, it won't be different from using any other DNS service (except that they are exceptionally good in the DNS game)

    must you use cloudflare dns? like mfs said, there are lots of better services out there (just search 'free dns' for a list). other services generate free non-SNI ssl like let's encrypt, for example cloudbric and kloudsec

    Kloudsec has already been shut down.

  • Why do you even want a paid cert. Just use the cloudflare SSL or a letsencrypt host.

    Simple.
