Force Discourse to use SSL/HTTPS through CloudFlare


(David O'Dea) #1

How to use CloudFlare’s platform to force all traffic over HTTPS connection using page rules.
This is an up-to-date and user-friendly (fool-proof) way that I use each time, and it works perfectly.

Sign up to CloudFlare here - they offer SSL/HTTPS on their Free plan, so that will be just fine for us.

Add your site here - the system will scan for DNS records; make sure all are correct and add any records not picked up automatically by the scan, e.g. MX records.

You will then have to add the CloudFlare nameservers to your domain. This can be done with whoever you purchased your domain from, in their control panel - it differs for each provider. Some examples:
- GoDaddy: here.
- Namecheap: here.
- Bluehost: here.

Once your nameservers have been successfully edited (you can check this by opening a terminal and issuing the command below), towards the bottom of the output you should see CloudFlare's nameservers:

whois yourdomain.com

Name Server: LARA.NS.CLOUDFLARE.COM
Name Server: GABE.NS.CLOUDFLARE.COM

Now we can head back to our CloudFlare control panel for your new site:

Click on the page rules section from the icon menu. Click on create page rule and fill in as follows:

Enter your domain in the format shown in the image above: http://*yourdomain.com/* - this will force all sub-domains (the * before the domain) and sub-directories (the * after the domain) to use HTTPS.

Click on "add setting" and choose "Always use HTTPS" from the drop-down menu. For "Order" you can leave it as "First".

Click on “Save and Deploy”.

The setting may take up to 15 minutes to take effect, but then all your traffic should redirect to https://yourdomain.com.

NOTE:
In order to maintain full HTTPS (green padlock) you will need to go to Discourse settings (/admin/site_settings/category/required) and search for all settings containing http://..../.... and change the links to https://.../.... .

You can check SSL status at the SSL Server Test (powered by Qualys SSL Labs).

NOTE:
As noted by @mpalmer below:

… In order for the connection between Cloudflare and your origin to be similarly secure as the connection between the browser and Cloudflare, you need to setup SSL on the origin server, too.

For setting up SSL on your server:


- How Exactly should I add cloudflare CDN to discourse?
- Free Cloudflare + Discourse
- Install Paid SSL with Cloudflare on Discourse
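The script below is an added example (not code from this post, from Discourse or from Cloudflare) that turns the checks in the walkthrough above into something you can run: is every nameserver now a Cloudflare one, does a plain-http request come back as a redirect to https:// on the same host, does the served page still pull any http:// sub-resources (which is what costs you the padlock), and which http:// links in the site settings are safe to rewrite to https:// by hand. `yourdomain.com`, the hostnames and the sample headers, HTML and settings are all constructed for illustration; feed it real data with `dig +short NS yourdomain.com`, `curl -sI http://yourdomain.com/` and `curl -s https://yourdomain.com/`.

```python
"""Offline checks for the Cloudflare "Always use HTTPS" setup (added example)."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

CLOUDFLARE_NS_SUFFIX = ".ns.cloudflare.com"


def nameservers_are_cloudflare(ns_records):
    """True only if every NS record delegates to Cloudflare. A mixed set means some
    resolvers still reach the old nameservers and bypass the page rule entirely."""
    names = [ns.strip().rstrip(".").lower() for ns in ns_records if ns.strip()]
    return bool(names) and all(n.endswith(CLOUDFLARE_NS_SUFFIX) for n in names)


def parse_response_head(raw):
    """Parse `curl -sI` output into (status_code, {lower-case header: value})."""
    lines = raw.strip().splitlines()
    status = int(lines[0].split()[1])          # works for HTTP/1.1 and HTTP/2 status lines
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return status, headers


def forces_https(raw_head, request_url):
    """True if a plain-http request was answered with a redirect to https:// on the same host."""
    status, headers = parse_response_head(raw_head)
    if status not in (301, 302, 307, 308):
        return False
    target = urlsplit(urljoin(request_url, headers.get("location", "")))
    return target.scheme == "https" and target.hostname == urlsplit(request_url).hostname


ACTIVE_TAGS = {"script", "iframe", "object", "embed", "link"}   # browsers block these outright
PASSIVE_TAGS = {"img", "audio", "video", "source"}                # browsers load them but drop the padlock


class _MixedContentScanner(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "link":
            # only stylesheets are fetched as sub-resources; <link rel=canonical> etc. are not
            if "stylesheet" not in (a.get("rel") or "").lower():
                return
            url = a.get("href")
        else:
            url = a.get("src")                  # <a href> is navigation, not mixed content
        if not url or tag not in ACTIVE_TAGS | PASSIVE_TAGS:
            return
        absolute = urljoin(self.page_url, url)  # resolves relative and protocol-relative (//) URLs
        if urlsplit(absolute).scheme == "http":
            kind = "active" if tag in ACTIVE_TAGS else "passive"
            self.findings.append((kind, tag, absolute))


def find_mixed_content(html, page_url):
    """Return [(kind, tag, url)] for every http:// sub-resource on an https page."""
    scanner = _MixedContentScanner(page_url)
    scanner.feed(html)
    return scanner.findings


def rewrite_own_links(settings, domain):
    """Rewrite http:// values that point at `domain` (or a subdomain) to https://.
    Third-party http:// URLs are left untouched and listed for manual review,
    because the other site may not serve https at all."""
    updated, review = {}, []
    for key, value in settings.items():
        parts = urlsplit(value) if isinstance(value, str) else None
        if parts and parts.scheme == "http":
            host = (parts.hostname or "").lower()
            if host == domain or host.endswith("." + domain):
                value = "https://" + value[len("http://"):]
            else:
                review.append(key)
        updated[key] = value
    return updated, review


# --- constructed sample data, not captured from a real site ---
SAMPLE_NS = ["lara.ns.cloudflare.com.", "gabe.ns.cloudflare.com."]
SAMPLE_HEAD = "HTTP/1.1 301 Moved Permanently\r\nLocation: https://yourdomain.com/\r\nServer: cloudflare\r\n"
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://yourdomain.com/stylesheets/desktop.css">
<script src="//cdn.example/app.js"></script></head>
<body><img src="http://img.example/badge.png"><a href="http://other.example/">link</a></body></html>"""
SAMPLE_SETTINGS = {"logo_url": "http://yourdomain.com/uploads/logo.png",
                   "favicon_url": "http://static.example/favicon.ico",
                   "title": "Discourse"}

if __name__ == "__main__":
    print("nameservers ok:", nameservers_are_cloudflare(SAMPLE_NS))
    print("forces https:", forces_https(SAMPLE_HEAD, "http://yourdomain.com/"))
    for finding in find_mixed_content(SAMPLE_HTML, "https://yourdomain.com/"):
        print("mixed content:", *finding)
    fixed, review = rewrite_own_links(SAMPLE_SETTINGS, "yourdomain.com")
    print("rewritten:", fixed["logo_url"], "| review by hand:", review)
```

The redirect check deliberately requires the Location host to equal the requested host: a redirect to https:// on some other domain would still leave http://yourdomain.com/ reachable in clear. Run the mixed-content scan against the page served through Cloudflare (the https:// URL), since that is what the browser sees.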
(Matt Palmer) #2

You appear to be missing the steps where you setup TLS between Cloudflare and your origin. That somewhat defeats the purpose of using HTTPS in the first place, and in fact provides a false sense of security for site visitors.


(David O'Dea) #3

I was under the impression that enabling/enforcing from the cloudflare side would suffice.
Could you elaborate?


(Matt Palmer) #4

When you put a proxy such as Cloudflare into the connection path, said proxy needs to be able to decrypt the HTTPS traffic into plain HTTP so that the proxy can do its business (sending cached responses, filtering out shenanigans, etc). This means that the HTTPS connection is actually terminating on Cloudflare’s servers, and then another connection is being made to your server (the origin). In order for the connection between Cloudflare and your origin to be similarly secure as the connection between the browser and Cloudflare, you need to setup SSL on the origin server, too.

Personally, I find the fact that Cloudflare allows this misleading setup to be deeply disappointing. They’re making the claim, “yes, your activities can’t be trivially monitored” (to those few users who look for the padlock, anyway), but in actual fact everyone between Cloudflare and your origin can see everything. Worse, because Cloudflare’s DCs are a choke point for a lot of traffic, sitting just outside Cloudflare’s DCs and capturing everything is probably going to get you a lot more interesting stuff than sniffing any but the largest transcontinental links.
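To see which side of the gap described above a given origin is on, the following added example (my own code, not part of this thread, and not a Cloudflare or Discourse tool) connects to the origin server directly, bypassing the proxy, with SNI set to the site hostname and full chain and hostname validation, which is what Cloudflare's "Full (strict)" mode requires of the origin. It assumes you know the origin's public IP (the address your DNS pointed at before the nameserver change); the hostname and IP in the usage line are placeholders. The result is mapped onto the SSL mode the origin can actually support.

```python
"""Check the Cloudflare -> origin leg directly, bypassing the proxy (added example)."""
import socket
import ssl
import sys
import time


def check_origin_tls(hostname, origin_ip, port=443, timeout=5.0, cafile=None):
    """Return ok=True with protocol and certificate details, or ok=False with
    the reason the origin could not be validated as an HTTPS endpoint."""
    ctx = ssl.create_default_context(cafile=cafile)   # verifies chain and hostname
    try:
        with socket.create_connection((origin_ip, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                cert = tls.getpeercert()
                return {"ok": True,
                        "protocol": tls.version(),
                        "not_after": cert["notAfter"],
                        "subject_alt_names": [v for _, v in cert.get("subjectAltName", ())]}
    except ssl.SSLCertVerificationError as exc:
        # Self-signed certificates and Cloudflare Origin CA certificates land here because
        # the public CA bundle does not trust them. Cloudflare does trust its own Origin CA,
        # so pass cafile=<Origin CA root> to reproduce what the proxy sees.
        return {"ok": False, "reason": "certificate rejected: " + exc.verify_message}
    except ssl.SSLError as exc:
        return {"ok": False, "reason": "TLS handshake failed: %s" % exc}
    except OSError as exc:
        # Connection refused or timed out: nothing speaks TLS on that port, so the
        # proxy -> origin leg can only ever be plain HTTP ("Flexible").
        return {"ok": False, "reason": "no TLS listener on %s:%d (%s)" % (origin_ip, port, exc)}


def days_until_expiry(not_after, now=None):
    """Days left on a certificate, given the notAfter string from getpeercert()."""
    expires = ssl.cert_time_to_seconds(not_after)
    now = time.time() if now is None else now
    return (expires - now) / 86400.0


def verdict(result):
    """Map a check_origin_tls() result onto the Cloudflare SSL mode the origin supports."""
    if result["ok"]:
        days = days_until_expiry(result["not_after"])
        note = " (renew soon: %.0f days left)" % days if days < 14 else ""
        return "Full (strict)" + note
    if result["reason"].startswith("certificate rejected"):
        return "Full only (encrypted but unauthenticated) until the origin presents a trusted certificate"
    return "Flexible only: origin speaks no TLS, so proxy->origin traffic is cleartext"


if __name__ == "__main__":
    host, ip = sys.argv[1], sys.argv[2]   # e.g. yourdomain.com 203.0.113.10 (placeholders)
    result = check_origin_tls(host, ip)
    print(result)
    print("supportable Cloudflare SSL mode:", verdict(result))
```

Run it from a machine outside Cloudflare's network; if the origin firewall only admits Cloudflare's IP ranges, run it from the origin host itself against its own public address. Only the "Full (strict)" outcome means the proxy is authenticating the origin; "Full" stops a passive sniffer but not an active one on the path between Cloudflare and your server.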


(David O'Dea) #5

Thanks for that @mpalmer, I'll be sure to edit the OP to reflect it.


(Abdulwahab Suleiman) #6

Hi, thanks very much for this article.

I came across your post last week and implemented the above steps on my blog, but after two days of applying them my Flexible SSL certificate was still pending. I contacted their support and they explained the delay wasn't from their own end.

I later came across another article on Let’s Encrypt free SSL. I implemented the steps and it was like magic.

Check my blog https://www.wiki212.com/

The Let's Encrypt SSL is active, though I will have to renew it every 3 months.

Thanks again for the great piece.


#7

The page rule is no longer necessary. You can switch on both forcing of https and rewriting http to https requests with a toggle :sunglasses:

Both can be found on the crypto settings page.

And:


(David O'Dea) #8

Cool, glad it helped and yes Let’s Encrypt SSL’s are a great convenience.