FidoSysop Blog

CloudFlare Universal SSL: Here Are Some Helpful Tips

CloudFlare just added their popular Universal SSL to free accounts.

Earlier today, CloudFlare enabled Universal SSL: HTTPS support for all sites by default. CloudFlare SSL provides state-of-the-art encryption between browsers and CloudFlare’s edge servers, keeping web traffic private and secure from tampering.

“I’ve been using CloudFlare flexible SSL with the pro plan for a few months. And to be honest it was a PITA getting my pages secured showing the browser padlock since this was my 1st venture using SSL. So here are a few useful tips to anyone that’s taking advantage of CloudFlare free SSL.”

Getting started using SSL.

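Update 01/19/2015: I wrote this article when CloudFlare first offered their free https. Since then I have come up with a good way to offer both http and https protocols to my blog visitors. Here is my article showing how to enable protocol relative in WordPress.

The first thing you need to do is go to the CloudFlare settings for the domain you want to add SSL to, scroll down close to the bottom of the page, and under the SSL settings be sure you select “flexible ssl.” Flexible SSL encrypts only the connection between the browser and CloudFlare’s edge servers, so it needs no certificate on your own server, but traffic between CloudFlare and your server still travels over plain http.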

CloudFlare Flexible SSL Toggle

Next you need to go to Page Rules. CloudFlare does not automatically force ssl on your domain. To do this you want to add a forwarding rule.

CloudFlare SSL Page Rule

I’m on the pro plan; the above option to “always use https” is not showing in the free plan as of this posting. Here is a screenshot of the page rules on a CloudFlare free account.

CloudFlare Page Rules List Of Available Options

To enable SSL (https) for your domain, create a forwarding rule. The easiest way to do this is to type http://*.yourdomain.com/* in the url pattern box and click the forwarding switch to ON. Next, create your destination url. This time type https://$1.yourdomain.com/$2, which forwards all pages and subdomains to their https equivalents.

Or if you use www.yourdomain.com with no subdomains, the rule could be http://www.yourdomain.com/* to https://www.yourdomain.com/$1, which only covers the www. Here is CloudFlare’s official help page for page rules.

So once you get SSL pointed to your website, here is where the fun begins if you’re new to Secure Sockets Layer. A “page not secure” warning can be caused by many things.

“Remember it may take several hours for CloudFlare to add your domain to its ssl pool.”

Most errors are caused by “some content” in a page not being secure. The most common problems are with images that are loaded over http. In an image url such as http://image.jpg, simply changing it to //image.jpg will do the trick. This is also required for older YouTube embeds; simply change them the same way as the image above. That’s the great majority of the problems I have had.
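To find the insecure items described above without a browser, here is an added example (not part of the original post) that scans a page's HTML for content loaded over http:// and shows the // rewrite for each. The sample page, its hosts and the function names are constructed for illustration.

```python
from html.parser import HTMLParser

# Tag -> attribute that makes the browser fetch content into the page.
# <a href> is navigation only, so it never causes the padlock warning.
SUBRESOURCE_ATTRS = {"img": "src", "script": "src", "iframe": "src",
                     "embed": "src", "video": "src", "audio": "src",
                     "source": "src", "link": "href"}

class MixedContentFinder(HTMLParser):
    """Collect (line, tag, url) for each subresource loaded over http://."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "link":
            rel = set((attrs.get("rel") or "").lower().split())
            if not rel & {"stylesheet", "icon"}:
                return  # canonical/alternate links are not fetched as content
        url = (attrs.get(SUBRESOURCE_ATTRS.get(tag, "")) or "").strip()
        if url.lower().startswith("http://"):
            self.findings.append((self.getpos()[0], tag, url))

def find_insecure(html):
    finder = MixedContentFinder()
    finder.feed(html)
    finder.close()
    return finder.findings

def protocol_relative(url):
    """The fix from the post: http://host/x becomes //host/x."""
    return url[len("http:"):] if url.lower().startswith("http://") else url

# Constructed sample page with placeholder hosts, not taken from the blog.
SAMPLE = """<html><head>
<link rel="stylesheet" href="http://www.yourdomain.com/style.css">
<script src="//cdn.example.com/lib.js"></script>
</head><body>
<a href="http://example.com/">plain link, not mixed content</a>
<img src="HTTP://www.yourdomain.com/image.jpg">
<iframe src="http://www.youtube.com/embed/VIDEO_ID"></iframe>
<img src="https://www.yourdomain.com/ok.png">
</body></html>"""

if __name__ == "__main__":
    for line, tag, url in find_insecure(SAMPLE):
        print(f"line {line}: <{tag}> {url} -> {protocol_relative(url)}")
```

It only sees what is in the HTML source, so items pulled in by stylesheets or scripts at load time still need a browser-side check.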

Running WordPress? First thing to do before you enable your page rules on CloudFlare is to install and activate the plugin WordPress HTTPS by Mike Ems. I’m using WordPress 4.0 on this blog and it works fantastic, despite being last updated in 2013. In the plugin settings, select force https admin, and also toggle proxy to automatic. This should get your WordPress blog fired up under ssl.

You will no doubt get some mixed insecure item warnings. I found out my favorite plugin (Nrelate) is not ssl compatible, so it had to go. Check any images and videos for insecure urls.

This website is really handy for drilling down into what is causing an insecure browser warning: Why No Padlock. “Pulling your hair out trying to find out why your secure page is not fully secure? Here’s a simple tool that will tell you about any insecure items on your SSL page.”

Any questions? Comment below. 😉