CloudFlare and SSL: keep your site and data safe with SSL
Elenitsa Staykova, Marketing, CloudFlare
Peter Griffin, Solutions Engineer, CloudFlare
Dec 05, 2014
Agenda
● Introduction
● CloudFlare overview
● SSL options with CloudFlare
○ Upload of custom certificate
○ GlobalSign provisioning options
● SSL configuration demo
● Conclusion / Q&A
CloudFlare Overview
CloudFlare Security and Performance for web applications, from 28 global locations (and growing!)
● Global: 28 locations, and growing
● Anycast Routing: BGP routes to CloudFlare IP ranges are announced from each location, traffic is handled regionally
● Robust: Each node performs all tasks: DNS requests, security checks, performance transformations, and caching
● Reliable: Built-in redundancy, load balancing, and high availability.
● Intelligence: over 1 million sites using CloudFlare, unparalleled view into “Layer 7” / HTTP-based attacks
● Capacity: CloudFlare has mitigated the largest disclosed DDoS attacks to date
How CloudFlare protection works
● Protected hostname resolves to CloudFlare IPs via DNS
● Back-end IP address hidden, locked-down to allow only CloudFlare IPs
● HTTP/S requests and UDP attack traffic go first to CloudFlare
● CloudFlare only proxies valid, acceptable HTTP requests. Everything else is dropped
SSL on the web
What is SSL / HTTPS? (briefly)
1. HTTP over encrypted SSL/TLS session
2. Uses public key cryptography
3. Verifies identity (of websites)
4. Encrypts communications
Google looking at HTTPS for ranking
“...over the past few months we’ve been running tests taking into account whether sites use secure, encrypted connections as a signal in our search ranking algorithms. We've seen positive results, so we're starting to use HTTPS as a ranking signal. For now it's only a very lightweight signal — affecting fewer than 1% of global queries, and carrying less weight than other signals such as high-quality content — while we give webmasters time to switch to HTTPS. But over time, we may decide to strengthen it, because we’d like to encourage all website owners to switch from HTTP to HTTPS to keep everyone safe on the web.”
http://googlewebmastercentral.blogspot.com/2014/08/https-as-ranking-signal.html
CloudFlare provides high quality HTTPS
CloudFlare’s SSL Options
Upload your own key pair
● CloudFlare can present your existing SSL cert to your users
● Keys are never stored on disk, only decrypted on demand
● Uploaded via web interface
Have CloudFlare provide a GlobalSign SSL cert
● Valid for *.example.com, and the root (example.com)
● *.*.example.com (subdomain of subdomain) NOT supported
● Ownership of your domain must be verified by GlobalSign before they will provision the certificate.
SSL Provisioning Options
GlobalSign domain verification
GlobalSign needs to know you own the domain!
Verify via HTML <meta/> tag
● HTML <meta/> tag provided by CloudFlare must be placed within the <head/> section of the landing page at either your root, or your www.
● GlobalSign will check that the verification code is valid, and add *.example.com and example.com to the SSL certificate
Verify via proxying
● Cert provisioned once CloudFlare-proxying is observed on either the root domain, or the www. subdomain
● 10 to 15 minutes of SSL browser warnings until the presented cert is updated
SSL Operating Options
Changes to your web application
CloudFlare “Always Use HTTPS” Page Rule
● Automatically redirects requests for all subdomains AND the root to the corresponding HTTPS URL
Switching to HTTPS:// URLs!
Stop using HTTP:// in your HTML!
● Search engines will follow the links they find -- you don’t want the search engine crawlers dealing with redirects for every page they read on your site!
● Relative URLs are good!
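A small audit script for the advice above, added here as an example and not part of the original slides: it lists hard-coded http:// URLs in a page and suggests a replacement for each. The class and function names, the sample page and the host example.com are assumptions for illustration, and URLs with explicit ports get no special handling.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

URL_ATTRS = {"href", "src", "action", "poster"}  # attributes browsers and crawlers fetch or follow

class HttpLinkAuditor(HTMLParser):
    """Collect hard-coded http:// URLs in markup and suggest a replacement for each."""
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []  # (line, tag, attr, kind, original, suggestion)

    def handle_starttag(self, tag, attrs):
        for attr, value in attrs:
            if attr not in URL_ATTRS or not value:
                continue
            parts = urlsplit(value.strip())
            if parts.scheme != "http":
                continue  # relative URLs, https://, mailto: and so on need no change
            host = (parts.hostname or "").lower()
            if host == self.site_host:
                kind = "same-host"  # a root-relative URL inherits the page's own scheme
                fixed = parts._replace(scheme="", netloc="", path=parts.path or "/").geturl()
            else:
                fixed = parts._replace(scheme="https").geturl()
                if not host.endswith("." + self.site_host):
                    kind = "third-party"  # confirm the other site serves HTTPS first
                elif "." in host[: -len(self.site_host) - 1]:
                    kind = "deep-subdomain"  # *.*.example.com is not on the wildcard cert
                else:
                    kind = "subdomain"  # covered by *.example.com
            self.findings.append((self.getpos()[0], tag, attr, kind, value, fixed))

def audit(html, site_host):
    auditor = HttpLinkAuditor(site_host)
    auditor.feed(html)
    auditor.close()
    return auditor.findings

# Constructed sample page, not taken from the presentation.
SAMPLE = """<html><head>
<link rel="stylesheet" href="http://example.com/css/site.css">
<script src="http://cdn.example.com/app.js"></script>
</head><body><a href="/about">About</a>
<img src="http://images.partner.test/logo.png">
<form action="HTTP://example.com/search?q=1#top"></form></body></html>"""

if __name__ == "__main__":
    for line, tag, attr, kind, old, new in audit(SAMPLE, "example.com"):
        print(f"line {line}: <{tag} {attr}> [{kind}] {old} -> {new}")
```

Findings of kind third-party and deep-subdomain are the ones to check by hand before changing the link.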
Google’s webmaster guidelines
● Google has good resources and HOWTOs on making sure that the Google Bot can crawl and index your HTTPS site: http://www.google.com/webmasters/
Recommended viewing!
● “Google I/O 2014: HTTPS Everywhere” -- goes into much more https://www.youtube.com/watch?v=cBhZ6S0PFCY
Thank you!