How to choose: free Cloudflare or free https?

#1

In its recent announcement, Dreamhost just proposed free https for the website. There was a catch: CloudFlare must no longer be enabled (free). If I want to minimize hosting costs, is it better to keep free CloudFlare or should I disable CloudFlare and enable free https? TIA


#2

You might be interested in this http://www.zdnet.com/article/google-confirms-its-giving-https-sites-higher-search-rankings/#!
Thus having https would be better if web ranking is important… whereas CloudFlare would be better if web site speed is more important.


#3

Thanks Monjo. Put this way, ranking being unimportant to me and speed being appreciated by users, I would cast two votes (out of two) for the status quo, whereby the abeille cyclotourisme website (a bicycle club website) is http (non-encrypted) and assisted free of charge by Cloudflare for more speed. However, what about security? Beyond lower ranking by Google, what are the other negatives of opting for a non-encrypted website? TIA


#4

I’m using Cloudflare and added Let’s Encrypt to some domains/subdomains.

  1. I was using the DH self-signed certs and set Cloudflare to Full SSL (not Strict). That was fine with me, as the Cloudflare Universal SSL presented a legit cert to my users.
  2. I paid for some Comodo certs here and switched those domains to Full SSL (Strict) at Cloudflare.
  3. With the recent Let’s Encrypt, I installed on my low-use site that’s behind my free Cloudflare site (all my other Cloudflare domains are Pro plans).
  4. I tried installing Let’s Encrypt on some subdomains (also on Cloudflare Pro), but they failed. After some back and forth with DH Support, something magic happened and I was able to install Let’s Encrypt on any domain I have…especially my Cloudflare ones.

The takeaway from this is that even with Cloudflare, I was able to get Let’s Encrypt installed.


#5

Thanks sdayman (grizzled veteran) for this excellent news. In spite of what DH states in the configuration panel as I saw it, even if I continue to use the free Cloudflare services (the value to users of which I have never ascertained), I can elect to also use Let’s Encrypt certificates (https) for no additional fee. Not sure what sort of magic is involved but I read your stating there is a legit way, if assisted by DH Support.

I forgot to mention that the “abeille-cyclotourisme.fr” website does not elect for an assigned [for pay] fixed IP as none of the users, nor me, would understand the trade-off/care about this. That being said, can I assume there might be a legit way worth pursuing, if assisted by DH Support, to maintain for abeille-cyclotourisme.fr the free Cloudflare services and add on top of it a free https access via Let’s Encrypt?

This still leaves me uncertain about the value to my users and to me on their behalf of a https connection as the abeille-cyclotourisme.fr website (1) is fully public (no private/secret zone reserved for members nor anyone else) and (2) does not handle nor broker for any money. In a nutshell, no big secrets are involved IMHO.


#6

To clarify my Step 4, DH Support quoted the party line that Let’s Encrypt wouldn’t work with Cloudflare. The Support person had tried a few things and still couldn’t get it to work. However, it turned out that it really did work. So I tried it on my other subdomains and it worked. I first deleted my existing self-signed certs, then added Let’s Encrypt to them and it worked without a hitch.

To clarify my Step 3, it worked just fine before I ever contacted Support.

I use HTTPS because it’s nobody’s business what users are doing on my sites. If you’re on someone else’s network (i.e. public WiFi), they have access to your HTTP traffic. They could even be so bold to hijack the traffic for a man-in-the-middle attack.

I use Cloudflare primarily for the caching performance. An equally, if not more, important reason is that Cloudflare protects my WordPress sites from malicious attacks. My sites run Wordfence, and hardly a blip of abuse ever pops up in the Wordfence logs.


#7

Thanks sdayman.

I read your step 3 as stating you installed Let’s Encrypt on a subdomain that was a subdomain of your free Cloudflare site but that you did not try to install Let’s Encrypt on your free Cloudflare site itself: on the main domain. I may have mis-read.

I read your step 4 as all applying, also, to subdomains of a main free Cloudflare enabled domain.

That being said, my set-up seems different in that I have one free Cloudflare enabled site, which is the main domain. I have two subdomains to the main domain, not Cloudflare enabled according to the control panel, but these two subdomains are sandboxes for test only, not used in any sensible way (not used at all, in fact). So only my main domain (abeille-cyclotourisme.fr) matters to me. It is free Cloudflare enabled and does not have unique IP.

I have just tried to enable Let’s Encrypt on the main domain, free Cloudflare enabled. The control panel wants me to select a for pay Cloudflare plan (9.95$/mo), failing which, even when I click the “Sign certificate” tick box, nothing happens when I click the “Add now” button.

If I got this right, the difference between our two settings is that in your case the main domain, free Cloudflare enabled, is not containing your websites. All your websites seem to reside in sub-domains.

To apply to my situation, to make my settings work as yours, should I need to transfer my website from the main domain to a sub-domain, to which I would then add a Let’s Encrypt certificate without adding Cloudflare? TIA


#8

All of my domains and subdomains are behind Cloudflare. My few subdomains are my sandboxes or auxiliary sites. What may be different is that they’re all behind the “orange cloud” so they’re cached. I don’t think that would affect the situation since everything is using Cloudflare DNS. My parent domains use a paid cert. My subdomains were using a self-signed cert before Let’s Encrypt started working for me.

Not knowing the mechanics of the Let’s Encrypt installation makes it difficult to troubleshoot.

What I’m just now seeing is that you have “Cloudflare Enabled” ticked in your panel. I do not. Not a single one. I did it all manually a year ago:

  1. I went to Cloudflare and added my domains.
  2. Cloudflare pulled all the DNS data from DreamHost.
  3. I updated my WHOIS info to use the Cloudflare Name Servers as instructed on my Cloudflare account.
  4. Cloudflare detected this and then started working.

Try the above first. I wouldn’t recommend switching your sites between parent and subdomains.

The bottom line is that what I had was working fine. Cloudflare’s Universal SSL provided me a valid certificate for parent and subdomains. With the self-signed certs at DreamHost, I had Cloudflare set to Full SSL (not strict). I just wanted a 100% certificated path so I could use Full SSL (Strict) on everything.


#9

I first deleted my existing self-signed certs, then added Let’s Encrypt to them and it worked without a hitch.


#10

Thanks LindatX52 and sdayman. I did not follow sdayman’s, or your advice in spite of their probable excellence, because the website I hosted on Dreamhost is already far too complex for me. The domain name abeille-cyclotourisme.fr is hosted by Bookmyname in France where I must because it is a .FR name. The site is hosted by Dreamhost wherever it is in California because I like this host’s style. The Dreamhost servers know about the domain name from Bookmyname through a hairy process I succeeded to configure once but do not dare to tamper about. Last I activated Cloudflare from the Dreamhost control panel. Now, I do not dare to activate Cloudflare directly and to subsequently do the DNS redirection or whatever it is you both suggest. So, in view of the fact the Dreamhost control panel wants me to pay extra money to continue taking care of the heavy lifting on the Cloudflare side, I prefer to give up on the ability to use a https connection for this website. Seems better to me than losing the Cloudflare extended reach. Thank you.


#11

Hello. On 02-02-2016, sdayman indicated above a quite clear process to activate free https and free Cloudflare:

1) I went to Cloudflare and added my domains. 2) Cloudflare pulled all the DNS data from DreamHost. 3) I updated my WHOIS info to use the Cloudflare Name Servers as instructed on my Cloudflare account. 4) Cloudflare detected this and then started working.

I am chickening out. If this can be of use to anyone here, I am starting to move and post the steps here.

This morning I went to the Dreamhost control panel and unplugged Cloudflare from the domain abeille-cyclotourisme.fr, hosted by Dreamhost and, so far, protected (proxy-ed I presume) by Cloudflare via the Dreamhost control panel. Nothing of significance happened. I will be waiting like that for possible horror stories for 48 hours.

Since I have a Cloudflare account, with (now) no domain on it, I visited Cloudflare, Dreamhost (host) and Bookmyname (domain name registrar). Following the quoted lines of sdayman,

  1. “I went to Cloudflare and added my domains”. Seems easy to do, I tried it with my bare hands.
  2. “Cloudflare pulled all the DNS data from DreamHost”. Yes, they did that to me and more, seems easy even to me.
  3. “I updated my WHOIS info to use the Cloudflare Name Servers as instructed on my Cloudflare account”. Cloudflare gives precise instructions. I checked feasibility of implementation with Bookmyname. Seems easy to do even by me (did not do it though). I then cancelled the Cloudflare registration process. So the website is currently no longer Cloudflare enabled.
  4. “Cloudflare detected this and then started working”.

After all, this seems feasible even to me. The website would be run with the help of not three but four companies: Bookmyname direct for domain name (for pay), Dreamhost direct for hosting (for pay), Google for mail direct but through Dreamhost control panel (free, maybe due to Dreamhost contract with them) and Cloudflare direct if I implement that (for free). A lot, but doable.

48 hours from now, I intend to implement free https on the Dreamhost CP and post news here. Then… maybe… Cloudflare again.


#12

I implemented free https this morning (March 18) on the Dreamhost control panel. It works.

With https://abeille-cyclotourisme.fr, the site responds, with a padlock. The padlock is green on Firefox.

With http://abeille-cyclotourisme.fr and http://www.abeille-cyclotourisme.fr, the site responds also, but without the padlock.

48 hours from now, I intend to attempt setting up Cloudflare again, this time directly from my Cloudflare account, and post news here.
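
The state described in this post (https:// shows the padlock, while both http:// addresses still answer directly) can be checked mechanically. The following is an added example, not part of the original post or of any Dreamhost or Cloudflare tooling: given the status and headers of each entry point, it reports which ones still leave visitors on cleartext HTTP. The sample responses are constructed, and the function names and the HSTS check are assumptions of this example.

```python
import http.client
from urllib.parse import urlsplit

CANONICAL_HOST = "abeille-cyclotourisme.fr"  # site named in the thread
# Constructed (status, headers) samples; not captured from the real site.
AS_POSTED = {  # HTTPS works, HTTP entry points still serve pages directly
    "http://abeille-cyclotourisme.fr/": (200, {}),
    "http://www.abeille-cyclotourisme.fr/": (200, {}),
    "https://abeille-cyclotourisme.fr/": (200, {}),
}
WITH_REDIRECTS = {  # assumed later state; the www hop is deliberately wrong
    "http://abeille-cyclotourisme.fr/": (301, {"Location": "https://abeille-cyclotourisme.fr/"}),
    "http://www.abeille-cyclotourisme.fr/": (301, {"Location": "http://abeille-cyclotourisme.fr/"}),
    "https://abeille-cyclotourisme.fr/": (200, {"Strict-Transport-Security": "max-age=31536000"}),
}

def fetch(url):
    """Live use: one HEAD request, redirects not followed."""
    p = urlsplit(url)
    cls = http.client.HTTPSConnection if p.scheme == "https" else http.client.HTTPConnection
    conn = cls(p.hostname, timeout=10)
    conn.request("HEAD", p.path or "/")
    resp = conn.getresponse()
    return resp.status, dict(resp.getheaders())

def hsts_max_age(value):
    """Return max-age seconds from a Strict-Transport-Security value, else 0."""
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        if name.lower() == "max-age" and arg.strip('"').isdigit():
            return int(arg.strip('"'))
    return 0

def audit(responses, canonical_host=CANONICAL_HOST):
    """Map each entry-point URL to 'ok' or a description of the gap."""
    findings = {}
    for url, (status, headers) in responses.items():
        h = {k.lower(): v for k, v in headers.items()}
        if urlsplit(url).scheme == "https":
            ok = hsts_max_age(h.get("strict-transport-security", "")) > 0
            findings[url] = "ok" if ok else "HTTPS without HSTS: browsers may still start on HTTP"
        elif status not in (301, 302, 307, 308):
            findings[url] = "serves content over cleartext HTTP"
        elif urlsplit(h.get("location", "")).scheme != "https":
            findings[url] = "redirect stays on HTTP"
        elif urlsplit(h["location"]).hostname != canonical_host:
            findings[url] = "redirects to a non-canonical HTTPS host"
        else:
            findings[url] = "ok"
    return findings
```

For a live check, build the input with `{u: fetch(u) for u in urls}` and pass it to `audit`.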


#13

In the end you didn’t use Cloudflare?

Do you know that you can have free https from Cloudflare?
But you need to register your domain with them and use their name servers for your domain.

The only thing you will miss is the free Railgun feature of the Dreamhost Cloudflare setup.

You can even get the http2 feature for free, other than getting https, which at Dreamhost is only free for VPS users.

You can use the Cloudflare Chrome plugin called Claire to verify it.


#14

alien wrote:

> in the end you didn’t use cloud flare?
>
> […]

Sorry I forgot to mention. First, when I opted for https, I was requested to select either “without www” (remove www from the URL), or “With www”, instead of the option I had selected which said “either option is OK”. I selected the option to remove the www, which had always been my intention but since I had goofed on this setting, the search engines registered http://www.abeille-cyclotourisme.fr. After waiting for about 1 month to permit the search engines to reset themselves to the new address https://abeille-cyclotourisme.fr, which they ultimately did, I came back to the Dreamhost control panel to activate Cloudflare from it (not directly from Cloudflare, for the sake of simplicity).

I nearly succeeded. I received an error message to the effect that addresses must be prefixed by www for the Cloudflare proxying to operate. Dreamhost, it appears, is working with Cloudflare to remove this limitation.

So far I am waiting, without anxiety nor urgency. The site now has an https address but Cloudflare is not enabled. Neither https nor Cloudflare are essential to this website. Given the choice, I selected https. I prefer to wait until time is ripe for the easy setting of simply adding Cloudflare on top of the https://abeille-cyclotourisme.fr address.


#15

I know it takes long for search engines to re-crawl, but you can make the process faster by directly telling the search engine how you want your site displayed in search results.
You can set it over here:
https://www.google.com/webmasters/tools/home?hl=en

I see. From what I know, you can turn on SSL via your provider, but you need the premium Cloudflare account.
If you want a free account but with free SSL, you need to change your NS servers to Cloudflare. Yes, it will take about 24 hours to make sure all DNS is propagated, but in my opinion it is worth it, since I can use the free CDN and also free SSL.

I have set up one of my sites using the above method.
I like the CDN from Cloudflare since my target audience is people outside the US; it is easier for people outside the US to access the site, since the CDN chooses the server closest to your visitor. I also got http2 from Cloudflare; even though I know the real server doesn’t use http2, the CDN has that feature, so it should somehow help visitors.


#16

The site is hosted by Dreamhost wherever it is in California because I like this host’s style. The Dreamhost servers know about the domain name from Bookmyname through a hairy process I succeeded to configure once but do not dare to tamper about.