Cloudflare Flexible SSL


#1

Hi @sulliops and other Mods here,

I am a Regular on the Cloudflare Community and am just writing about your tutorial on using Cloudflare SSL for a 000webhost website. This is due to the fact that we have had quite a few questions recently on community.cloudflare .com referring to this guide.

www.000webhost .com/forum/t/how-to-use-cloudflare-for-ssl/53612

This tutorial asks users to set their SSL mode to Flexible in Cloudflare, I appreciate that as this a free webhost, features are limited and an SSL certificate cannot be installed on the server here, hence why Flexible is recommended. I think, however, you should make it clear to your users that, although this can make a website appear secure in a browser, it is very misleading to visitors and the connection is not fully encrypted, hence the website is not actually secure.

I ask that you inform your users of this and possibly link to this community wiki article on the Cloudflare Community explaining the details about Flexible mode.

Thank you for your understanding and I hope you will ensure that your users reading the guide are aware of this.


#2

Hey there,
We’ll pass that onto @sulliops


#3

Thank you very much, @ckhawand.


#4

Hi, thanks for posting. I haven’t visited the Cloudflare forum in a while, actually, so I haven’t seen any of these related posts. It’d be great if you could link a few for me!

In response to the idea about the insecurity of the flexible setup, you’re absolutely right. When I made this guide, it was to prove that SSL could be used with 000webhost, back before I was even on the staff here. Ultimately it was because I was obsessed with having the latest technology (the SSL lock, in this case).

However, as you’ve stated, it isn’t fully secure. This is because the only secure traffic is that which is routed from the client to the Cloudflare servers — the rest is just masked, but insecure. And truth be told I’m just as unhappy about it as anyone else might be, mostly because it could be solved so simply. Except, of course, that Full doesn’t work on our platform, but that will likely never be changed.

So, I’ve edited my tutorial to include a warning about the partial security of the flexible setup. I’d love it if you could refer my changes to anyone asking on the Cloudflare forum, however please be aware that the best marketing strategies suggest that we continue to advise this method (either that or an upgrade to our premium services, which support SSL by default from the origin server).

And thank you so much for bringing this to my attention! Hope this helps!


#5

Hi @sulliops, thank you for replying!

I appreciate that the guide is there (in fact, that is what introduced me to Cloudflare, when I was using 000webhost for a project quite a while ago and followed your guide!). I too, at the time, was just focused on getting the :lock: on my site! We are fighting a losing battle on the Flexible front, so many tutorials don’t explain the issues and just say to set it to that mode! Thank you very much for editing yours and adding a link to my article on the Cloudflare community.

I appreciate that you will still continue to advise that method (as it is the only way on your platform!) but thank you for putting the explanation on there anyway.

I write quite a few tutorials voluntarily for the Cloudflare Community (and spend way too much time on there :joy:), you can see all the tutorials, most of which are written by me, here: community.cloudflare.com/c/tutorials

As well as this, there are some great ‘Community Tip’ resources, including ones with tips for fixing the most common Cloudflare error codes.

I will post a couple of links to 000 related topics on the forums below, I can see that you have an account community.cloudflare.com/u/sulliops/summary, but your bio appears to be a year out of date :joy:, so I can always tag you into 000 topics if you want.

Likewise, if there are any Cloudflare related questions on here, I am happy to be tagged in or you can refer them to community.cloudflare.com :slightly_smiling_face:

This is the latest one that caused this contact: community.cloudflare.com/t/problem-with-mixed-content-after-updating-links-to-https/68002

There have been a few where I refer them to your guide as well like these: community.cloudflare.com/t/how-configure-the-cloudflare-nameservers/55185
community.cloudflare.com/t/can-i-get-full-strict-ssl-certificate-for-free-domain-name/52919


#6

Also… why has my first post in this topic been flagged and hidden?!?


#7

The system bot has flagged your post for some reason.
I have removed the flag.


#8

Thanks, @Infinity!


#9

I’m glad that you’ve enjoyed the tutorial — since I first made it, I think I’ve had to redo it about 2 or 3 times, so it’s always nice to hear that people are putting it to good use.

You seem like a great resource for the people on the Cloudflare Community — personally I wish I was able to get in contact with the people over at Cloudflare, I imagine that with their assistance we could create a working solution that would benefit everybody (however that’s way above my pay grade).

I also haven’t visited the community in so long that my email now marks update emails as spam, so maybe that’s a sign that I should head back there and check things out again.

Also, yes, notification emails are being spotty. We’ve been bugging the devs about fixing all this but they seem just as puzzled as we are — we have a very custom Discourse setup working here and whenever it bugs out we have to delve into the source code and figure out what the issues are (and by we I mean the people who get paid to listen to us annoy them about our problems). So sorry I didn’t see this for so long!