Setting Up SSL-Enabled Custom Domains Using CloudFlare
Page last updated:
Note: SSL (HTTPS) will not work with custom domains without the use of third-party SSL termination. Pivotal recommends using CloudFlare for this service.
This topic explains setting up an SSL-enabled custom domain using CloudFlare, a content distribution network. This is the Pivotal-recommended strategy for using SSL with a custom domain. Using this configuration, traffic to and from your application running on Cloud Foundry will be routed via CloudFlare.
Browser < — ssl — > CloudFlare proxy < — ssl — > Cloud Foundry
To enable this, you configure CloudFlare’s “Full SSL” option for the domain. You can use a CloudFlare-generated SSL certificate between the browser and the CloudFlare server, or, if you prefer, configure CloudFlare to use a certificate you provide. A Cloud Foundry-generated SSL certificate is used between the CloudFlare proxy and the application on Cloud Foundry.
These instructions assume that your domain is already registered with a DNS registrar. To complete this procedure, you must be able to access the DNS registrar for the domain. Note that you do not need to change DNS registrars. The only change you make with your registrar is to point the authoritative name servers to CloudFlare’s name servers.
Before starting, download the zone file for the domain from your DNS provider to use in Step 3 - Configure DNS Records.
CloudFlare is a caching and security-as-a-service that protects and accelerates on-line websites. Web traffic is routed through CloudFlare’s global network – this accelerates delivery of static and dynamic content, while blocking threats and limiting abusive bots and crawlers from wasting your bandwidth and server resources. CloudFlare’s SSL termination proxy decrypts incoming SSL traffic and can pass on unencrypted or fully encrypted requests to the app server. Adding your website requires only a simple change to your domain’s DNS settings. SSL Termination is available with any of the CloudFlare plans, including the Free plan. The Free and Pro plans always use a CloudFlare-generated certificate. Business and Enterprise plans add the option to use your own SSL certificate.
Go to https://www.cloudflare.com/plans, select the desired account, and click Sign up now.
On the Select a website page, enter the name of your custom domain and click Add website. CloudFlare will query authoritative DNS servers for the DNS record registered for the domain.
When CloudFlare finishes querying the DNS servers, a Scan complete message appears. Click Continue.
The Configure your records page lists the records obtained from the authoritative DNS servers for your domain. In the row containing your domain name, the cloud icon in the Active column should be orange.
To ensure your DNS records are correct and complete, Pivotal recommends you download the zone file for the domain from your DNS provider, and then upload it to CloudFlare using the Upload a zone file link.
Use the Add button to define additional records, if necessary.
When finished, click I’ve added all missing records, continue.
On the Choose initial settings page, set the following options:
- Choose a plan: Select Free, Pro, or Business. If you choose Free or Pro, CloudFlare will generate an SSL certificate for communications between browsers and the CloudFlare proxy. If you prefer to provide your own SSL certificate, choose Business.
- Performance: This configures a profile that sets the values of
multiple performance-related options.
You can choose any of the available options, and easily change it later.
After completing this configuration process, follow the instructions in
Reviewing CloudFlare Configuration Options to understand the
performance and security options, and tailor your configuration as desired.
- CDN only (safest): This is the default.
- CDN + Basic Optimizations
- CDN + Full Optimizations
Security: This setting controls which visitors are shown a CAPTCHA challenge page. The options are:
- High: Requires a CAPTCHA for any visitors witnessed engaging in malicious behavior on other websites, and challenges visitors based on known malware browser signatures
- Medium: Requires a CAPTCHA for any visitors witnessed frequently engaging in malicious behavior on other websites, and challenges visitors based on known malware browser signatures
- Low: Requires a CAPTCHA for any visitors witnessed very frequently engaging in malicious behavior on other websites
- Essentially off: Only challenges visitors recently involved in significant denial of service (DoS) or hacking attacks
CloudFlare recommends using Low as an initial setting.
Automatic IPv6: The options are:
- Full IPv6 Gateway: Enables IPv6 on all subdomains that are CloudFlare-enabled (marked by an orange cloud in your DNS settings)
- Safe IPv6 Gateway: Will only create an IPv6-specific subdomain for your site (www.ipv6.example.com).
SmartErrors: SmartErrors is a CloudFlare feature that prevents 404 errors from being presented when a site visitor requests a page that is not found. Instead, CloudFlare performs a site search based on keywords and contextual information from the referring link, then presents the visitor with a list of best-matching pages from the site. Options:
- On (partial): This enables SmartErrors only for
HTML 404 page not founderrors that are not customized. If you have a customized 404 error page, SmartError will not intercept it in partial mode.
- On (full): This enables SmartErrors for all
HTML 404 page not founderror pages, including any custom error pages.
- Off: This disables SmartErrors.
- On (partial): This enables SmartErrors only for
On the Confirm SSL page, select your SSL configuration preference:
- Automatic SSL Configuration: Use this option if you want CloudFlare to automatically issue an SSL certificate for your website.
- Custom SSL Configuration: Use this option to upload your own SSL private key and certificate files.
Manual SSL Configuration: Use this option if you want to manually insert a unique meta tag provided by CloudFlare in the head section of the HTML for your website.
The Update your DNS page lists your current name servers, and the CloudFlare name servers with which to replace them.
Use the provided URLs to update the name server settings for your domain with the authoritative server for your domain, i.e., your ISP.
Click I’ve updated my nameservers, continue.
On the Websites page, click the gear icon for the website you want to configure with the SSL Termination service and select CloudFlare settings.
On the Settings overview tab, scroll down the page to SSL. Select your SSL option:
- Off: This disables SSL.
- Flexible: This enables SSL between visitors and CloudFlare, but does not enable SSL between CloudFlare and Cloud Foundry. Visitor see HTTPS enabled on your website, but you do not need an SSL certificate on Cloud Foundry.
- Full SSL: This enables SSL between visitors and CloudFlare, and between CloudFlare and Cloud Foundry. This setting requires an SSL certificate on Cloud Foundry.
Full SSL (Strict): This option is not available when using Cloud Foundry. The Full SSL (Strict) option requires the SSL certificate to respond for the request domain name, but the SSL certificate returned by Cloud Foundry will be for the cfapps.io domain instead.
To restrict an application to work only over SSL:
On the Websites page, click the gear icon for the application you want to configure and select Page Rules.
Create a new rule by adding a URL pattern, for example
hellocf.mycustomdomain.com. Select Always use https.
Note that because DNS settings are cached in various points throughout the Internet, including on your browser, changes to these SSL settings may take some time to propagate through the system and start functioning as you would expect.
After your initial domain setup is complete, you may want to review CloudFlare configuration options. To do so:
Click the Websites link at the top of any CloudFlare.com page.
Click the gear icon in the row for your domain and select CloudFlare settings. The CloudFlare settings page has several tabs that describe CloudFlare configuration options. In particular, see the Security and Performance tabs to understand more about the options you configured, and alternative settings.