CloudFlare settings


31 minutes ago, Randy Calvert said:

No, as long as you have your conf_global.php set to HTTPS, this is not needed. (It should not hurt, but it's no real help either.) I would enable HSTS though so the browser itself rewrites any non-secure request to HTTPS before it gets to CF.

Should I enable HSTS even if that is set in conf_global?


9 minutes ago, marklcfc said:

Should I enable HSTS even if that is set in conf_global?

Yes.  Here's why:

When someone makes a request via HTTP for the resource, it's directed to the server. That very first request is over HTTP until the server rewrites it into HTTPS. The conf_global will keep it in HTTPS, but that initial load may be over HTTP until upgraded.

HSTS tells the BROWSER: don't allow this. For a period of time (say 6 months), the browser will automatically upgrade any HTTP connections to HTTPS for the domain.

Basically it's enabling the encryption BEFORE it actually reaches the server (meaning CF in this case). If you're doing this, you never need CF to handle forcing SSL. It happens via HSTS and stays that way via conf_global.php in your file paths.

https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security

Edited by Randy Calvert
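To make the browser-side behaviour described in the reply above concrete, here is a small model of a browser's HSTS store (added example, not code from the thread, Cloudflare or Invision Community). It parses a Strict-Transport-Security header the way RFC 6797 defines it and then rewrites `http://` URLs to `https://` for remembered hosts, before any request is sent; the host names and the six-month `max-age` value are constructed for the demo.

```python
from urllib.parse import urlsplit, urlunsplit


def parse_hsts(header):
    """Parse a Strict-Transport-Security header value (RFC 6797 syntax).
    Returns None when max-age is absent, because the policy is then invalid
    and a browser must ignore it."""
    policy = {"max_age": None, "include_subdomains": False}
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "max-age" and value.isdigit():
            policy["max_age"] = int(value)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
    return policy if policy["max_age"] is not None else None


class HstsCache:
    """Per-host store standing in for a browser's 'known HSTS hosts' list."""

    def __init__(self):
        self.hosts = {}  # host -> (expiry timestamp, includeSubDomains flag)

    def remember(self, host, header, now):
        """Record the policy carried by an HTTPS response; max-age=0 forgets the host.
        Returns False when the header is malformed and therefore ignored."""
        policy = parse_hsts(header)
        if policy is None:
            return False
        if policy["max_age"] == 0:
            self.hosts.pop(host.lower(), None)
        else:
            self.hosts[host.lower()] = (now + policy["max_age"], policy["include_subdomains"])
        return True

    def covers(self, host, now):
        """True when host, or a parent domain that set includeSubDomains, has a live policy."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self.hosts.get(".".join(labels[i:]))
            if entry and now < entry[0] and (i == 0 or entry[1]):
                return True
        return False

    def rewrite(self, url, now):
        """Return the URL the browser actually fetches: http:// becomes https:// for
        known hosts (port 80 becomes the default 443); anything else is left alone."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not self.covers(parts.hostname or "", now):
            return url  # first-ever visit, unknown host, or expired policy: still plain HTTP
        netloc = parts.netloc[:-3] if parts.netloc.endswith(":80") else parts.netloc
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
```

The very first `http://` request for a host the browser has never seen is not upgraded, which is exactly the window the reply describes; once the header has been seen over HTTPS, later requests are rewritten until `max-age` runs out.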

I've deployed this guest caching rule via cloudflare free plan:

Anyone have ARGO enabled? Issues?

3 hours ago, marklcfc said:

If I've got an SSL certificate bought from my hosts and set up on my server what do I need to put into Edge certificates?

Would I just select the free Universal SSL basic certificate?

For SSL, I have them on my server and with cloudflare have it like so:


3 hours ago, marklcfc said:

If I've got an SSL certificate bought from my hosts and set up on my server what do I need to put into Edge certificates?

Would I just select the free Universal SSL basic certificate?

Edge certificates would be the certificate served to users when they access your site through CF. The certificate from your host is called an origin certificate. 

Just use the free universal certificate. It’s valid and works fine. 


2 minutes ago, Randy Calvert said:

Edge certificates would be the certificate served to users when they access your site through CF. The certificate from your host is called an origin certificate. 

Just use the free universal certificate. It’s valid and works fine. 

So do I put nothing in the Origin certificate area as I have one set up on my server?


43 minutes ago, AlexWebsites said:

I've deployed this guest caching rule via cloudflare free plan:

Anyone have ARGO enabled? Issues?

For SSL, I have them on my server and with cloudflare have it like so:

Argo is a paid add-on. So be aware if you enable it that there are extra costs. There is nothing special you need to use to enable it. Just check the box and agree to pay. What it does is create a second caching layer. When an edge server does not have an object it can try a “regional” server to get a cached object instead of going all the way back to origin for it.

Regarding SSL… if you have a valid origin certificate, use Full encryption. It means CF will check to make sure there is a valid cert at edge AND origin. If not, it will fail the request and return an error. Flexible means it will ignore the origin cert check. So if you don’t have a cert, use the Flexible setting. Strict will check for a valid cert that is not expired and with a valid Certificate Authority.

5 minutes ago, marklcfc said:

So do I put nothing in the Origin certificate area as I have one set up on my server?

Ignore this if you don’t have a self signed cert that you want trusted by CF’s strict mode. 


19 hours ago, Randy Calvert said:

Argo is a paid add-on. So be aware if you enable it that there are extra costs. There is nothing special you need to use to enable it. Just check the box and agree to pay. What it does is create a second caching layer. When an edge server does not have an object it can try a “regional” server to get a cached object instead of going all the way back to origin for it.

Regarding SSL… if you have a valid origin certificate, use Full encryption. It means CF will check to make sure there is a valid cert at edge AND origin. If not, it will fail the request and return an error. Flexible means it will ignore the origin cert check. So if you don’t have a cert, use the Flexible setting. Strict will check for a valid cert that is not expired and with a valid Certificate Authority.

Ignore this if you don’t have a self signed cert that you want trusted by CF’s strict mode. 

It's still a bit confusing... I have a RapidSSL bought through DigiCert, installed on my server. Does this mean I have to use Full encryption?

Also should I still ignore the Origin certificate section?


6 hours ago, marklcfc said:

It's still a bit confusing... I have a RapidSSL bought through DigiCert, installed on my server. Does this mean I have to use Full encryption?

Also should I still ignore the Origin certificate section?

Think of the data flow like this:

End User —> Cloudflare —> Origin

In a reverse proxy scenario, there are two legs to address… End User to CF. (This is the “edge”.) A user’s request actually terminates there and CF handles this encryption.

But there is also the communication between CF and your server. (This is the “origin”.) If a request is not in cache or not allowed to be in cache (like for a logged in user), CF will have to retrieve it from origin.

In this case, your origin server is responsible for SSL. If you have a valid cert, and plan to keep a valid cert on the origin… you can use full encryption. It’s saying both legs of the trip MUST be properly encrypted. If not, throw an error. 

Flexible SSL says only the communication between User to Edge must be encrypted fully (which CF takes care of) but that for the back half of the journey, you don’t HAVE to present a valid cert. You can but it’s not required. Cloudflare will ignore certificate warnings or if a cert is not presented.

The reason this setting exists is to help mitigate potential Man-In-The-Middle attacks. If you don’t have SSL enabled, something between you and the server (or something between CF and your server) could possibly read the request if it wanted to because it’s not encrypted. 

For small gaming sites, this may not matter. But if you were handling sensitive financial transactions, you might want to ensure full encryption for the entire request flow instead of just one part of it. 

So you don’t HAVE to use “Full” encryption. You have the option to do so since you have a valid certificate. If you however did not have a certificate at origin, you would get an error if you used “Full” since it would be impossible to fully encrypt the request flow on both segments. 

Regarding the ORIGIN section of the SSL area, you can ignore it. It allows you to import your own self signed SSL certs or for you to use a CF provided origin cert at origin. (That cert is only trusted by CF, not regular browsers.) It’s only needed by those that actually sign their own SSL certificates instead of using ones issued by full certificate issuers (called Certificate Authorities or CAs).

Edited by Randy Calvert

4 hours ago, marklcfc said:

Also should I continue to use things like Redis and opcache if using Cloudflare?

While it won’t break anything to keep the existing setup… you won’t get much overall value in my experience. I would PERSONALLY turn them off to simplify the experience and have fewer things there to possibly go wrong.

Unless the feature is actually helping something, I would not really force its use. 


With the Cloudflare cache, you can either respect cache control headers, or override them. However the minimum time you can set in an override on the free and pro plans is 1 hour.

To be honest unless your site is like CNN, you get no real value from 30 seconds. You would need a hugely trafficked site for it to be worth having a cache value that low. Remember each region has its own cache. Meaning Chicago’s cache is separate from LA which is different than NYC.

Edited by Randy Calvert

Cloudflare will only allow you to respect the cacheability headers from origin or 1 hour, 2 hours, 3 hours, etc.

But again if you’re setting 30 seconds, you’re not getting any value anyway honestly. Just forget about caching, period, because I can almost guarantee it’s not giving you value.

Edited by Randy Calvert

4 minutes ago, marklcfc said:

Does this mean guests will not see the latest posts on cloudflare now? If so it’s not an option.

A) You need to weigh the pros and cons. You get a faster site with no server resources used vs. the content is not fully up to date.

B) You decide which parts you exclude from the cache. For example: you could cache everything but let the activity feeds (or whatever your users use to see new content) be excluded and therefore up to date. 

I am using the Cloudflare cache since this week and I have set it to 12 hours. But my content isn’t time sensitive in any way. Guests seeing new content with a delay of several hours is no real problem. And of course it’s not like the content is inaccessible. A social media link to a new article would of course still work. 


1 minute ago, opentype said:

A) You need to weigh the pros and cons. You get a faster site with no server resources used vs. the content is not fully up to date.

B) You decide which parts you exclude from the cache. For example: you could cache everything but let the activity feeds (or whatever your users use to see new content) be excluded and therefore up to date. 

I am using the Cloudflare cache since this week and I have set it to 12 hours. But my content isn’t time sensitive in any way. Guests seeing new content with a delay of several hours is no real problem. And of course it’s not like the content is inaccessible. A social media link to a new article would of course still work. 

My topics need to be up to date, with the latest posts available to guests.
