
Cloudflare Settings


mlex


I'm trying the cloudflare and getting some issues with it, some I just don't understand at all. Would be nice if someone could give a hand with this.

 

Firstly, I want to say that when I configured my domain, there was an option to partly (or something like this) transfer traffic via cloudflare or completely (using the cloudflare dns)... So, I chose the second way - that's the better way, right?

 

Ok, so DNS section... I got this window:

1.png

 

2.png

 

Now, as you see, this says I should activate the cloudflare for this, including the cpanel... I find this a little bit unsecured, rather than otherwise. Am I wrong? If so, why?

 

Also, I have troubles with forcing the HTTPS by default. At cloudflare I enabled the "Automatic HTTPS Rewrites", but yet this seems not to be working... Can anyone tell why? I used page rules to force it, but I don't like this and besides, I really wanna know why this isn't working. Oh, just saying, I'm using the "Flexible" way.

 

 



Forgot to add:

 

As far as I got it, cloudflare should force redirect for its own error pages with free plan (I use this one), but when I actually try to go to a non-existing page, I'm hit with heliohost's 404 error page (meaning my own 404 page, the Not Found page). So, basically, this is not working as intended... or, is it?



Ok, I think I was wrong about the last one (about error pages). It only targets some specific errors, like 500 or 1000 etc., as far as I can tell.

Link to comment
Share on other sites

The easiest way to set up cloudflare is to use the cloudflare plugin we have in your cpanel https://tommy.heliohost.org:2083/frontend/paper_lantern/cloudflare/index.live.php

 

As far as whether you should use cloudflare for each and every cname, that's up to you, and what your purpose for using cloudflare is. If you're just trying to speed up your site a bit then all of those cnames don't really matter. If you expect your site to get targeted by DDoS attacks, then first of all maybe you should host your site somewhere else so your account doesn't cause downtime for the rest of our users, but yeah you should probably run ALL of your subdomains and cnames and everything through cloudflare so your attackers can't find the originating server, but if you don't expect all of that to happen then it's probably overkill.

 

Regarding the forced https I would just use .htaccess myself. I'm not familiar with cloudflare forced ssl settings, but rewrite rules are pretty straightforward. Just put this in your .htaccess file:

RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
Link to comment
Share on other sites
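
Added example, not part of the posts above: with the "Flexible" SSL option mentioned in this thread, Cloudflare connects to the origin over plain HTTP, so %{HTTPS} is never "on" at the origin and the rule above redirects every proxied request again, which ends in a redirect loop. A variant that also checks the X-Forwarded-Proto header Cloudflare adds to proxied requests (assumption: this .htaccess sits on the origin and mod_rewrite is enabled):

```apache
RewriteEngine On

# Condition 1: the connection that reached this server was not TLS.
# Behind Cloudflare "Flexible" this is true for every proxied request,
# because Cloudflare talks to the origin over plain HTTP.
RewriteCond %{HTTPS} !=on

# Condition 2: the visitor did not use HTTPS towards Cloudflare either.
# Cloudflare sets X-Forwarded-Proto to the scheme the visitor used, so an
# https visitor skips the redirect instead of looping.
# For requests that bypass Cloudflare the header is normally absent, so
# this condition holds and the redirect still happens.
RewriteCond %{HTTP:X-Forwarded-Proto} !=https

# Both conditions must hold (RewriteCond lines are ANDed by default).
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
```

Hostnames that are not proxied (gray cloud) still hit condition 1 directly, so the origin needs its own certificate for the redirect target to load on those names.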

The plugin's options at Helio are very limited, but I did indeed start cloudflare using the plugin setup process at first. I'm not expecting anything abnormal with my site (ddos attacks etc), but I'm really curious about how to run and use it; besides, this may prevent some attacks, reduce server load/traffic etc, so why not.

 

So, you're saying it is actually safe to run(activate), say cpanel with cloudflare? Because cloudflare is no-matter-what a third party vendor, so I'm not really sure if they may intercept the pass, login or anything else or not. Not saying they will, but yet.

 

As for the HTTPS, I'm aware of how to do this with .htaccess, but don't really think it's a good idea, because this will additionally use the server's resources; instead it should be possible to use cloudflare for that, but it seems like I'm having some troubles - the only way I found to force using HTTPS via cloudflare is using Page Rules. But they're limited to only 3 rules... That would be fine if I used one to three domain names, but I want more :)

 

UPDATE 1: BTW: there's no HelioHost at this link: https://www.cloudflare.com/partners/view-partners/

May I ask why?

 

UPDATE 2: I also found out that when I set "Development mode" to on at the CloudFlare website, this didn't change at Helio cpanel... It is still disabled (off). Is that actually normal?



UPDATE 3: Seems like the synchronization issue was caused by cloudflare's dashboard. Now it's fine



UPDATE 4: Found answer to one of my questions here:

What subdomains are appropriate for orange / gray clouds?

https://support.cloudflare.com/hc/en-us/articles/200169626-What-subdomains-are-appropriate-for-orange-gray-clouds-

Link to comment
Share on other sites

Well, like I said before I'm not too familiar with cloudflare and its multitude of options. If anyone knows more about it they might chime in. Otherwise you can figure it out and let us all know how it works so people who search these forums in the future will be able to find the information without going through the whole process as you currently are. I'm always leery of free services like this because they have a tendency to get a ton of users over a year or two while taking big monetary losses and then switch to paid services once they have everyone hooked on their service, suckering people into paying them to get what was once free. I've seen it dozens of times. Pingdom was one that annoyed me the most recently because our uptime images were based on pingdom API, and we lost years of uptime reports when they switched to a pay scheme.

 

UPDATE 1: BTW: there's no HelioHost at this link: https://www.cloudflare.com/partners/view-partners/

May I ask why?

I wasn't aware of any partner program, mainly because none of our users have told us about it prior to you just now. I signed up for it now though so we'll see what they have to say.
Link to comment
Share on other sites

UPDATE 4: Found answer to one of my questions here:

What subdomains are appropriate for orange / gray clouds?

https://support.cloudflare.com/hc/en-us/articles/200169626-What-subdomains-are-appropriate-for-orange-gray-clouds-

Most of those records aren't used for web content (e.g. ftp, webdisk, and cpcalendar) and might break if you tried to put them through cloudflare. FTP clients for instance need the address of the FTP server, not a cache, or it would break.

 

If I touched any of them, I'd turn on the ones for that first A record (already on for you), www (already on for you), cpanel and webmail.

Link to comment
Share on other sites

 

UPDATE 1: BTW: there's no HelioHost at this link: https://www.cloudflare.com/partners/view-partners/

May I ask why?

I wasn't aware of any partner program, mainly because none of our users have told us about it prior to you just now. I signed up for it now though so we'll see what they have to say.

 

Ah, here's why we aren't listed:

How do I get my logo listed on CloudFlare Partners?

We publish partner logos once there are 100+ websites on CloudFlare.

Link to comment
Share on other sites

Krydos, that's why I'm sharing here with updates :) So it would be less painful for anyone who's searching for this.

 

Ah, here's why we aren't listed:

Quote

How do I get my logo listed on CloudFlare Partners?
We publish partner logos once there are 100+ websites on CloudFlare.

 

 

 

:D You should somehow promote this, because this will actually reduce your server resource usage, and you could take on many more users/clients

 

 

wolstech, yes, exactly. That's why I was confused with it until I found the link above (https://support.cloudflare.com/hc/en-us/articles/200169626-What-subdomains-are-appropriate-for-orange-gray-clouds-)

 

 

 

So, continuing with answering my own question(s):

Using "Automatic HTTPS Rewrites" isn't actually for forcing https(SSL).

So instead, in order to actually force https (SSL) for the entire domain, without using .htaccess on your own, it's done with Page Rules at CloudFlare's Dashboard, by accessing the Page Rules and writing something like this:

http://*domain.com/*

The only thing that needs to be changed is the

domain.com

for example, using the subdomain:

http://*example.heliohost.org/*

And then choose "Always use HTTPS" from the options.

Link to comment
Share on other sites

Thanks for the updates. In order to use "Always use HTTPS" do you have to have an SSL certificate installed on Heliohost's servers or can the connection between Heliohost to Cloudflare be http, and then the connection from Cloudflare to the visitor viewing the site uses https?

Link to comment
Share on other sites

CloudFlare lets you choose 1 of 4 options, you can read about it here: https://support.cloudflare.com/hc/en-us/articles/200170416-What-do-the-SSL-options-mean-

 

But basically, you don't have to install an SSL certificate on your own server to use CloudFlare's SSL, but certainly you should enable SSL (you can use it without it being installed on your server) before applying Page Rules to force SSL

Link to comment
Share on other sites

Thanks for the updates. In order to use "Always use HTTPS" do you have to have an SSL certificate installed on Heliohost's servers or can the connection between Heliohost to Cloudflare be http, and then the connection from Cloudflare to the visitor viewing the site uses https?

some info about that...

 

if the host is a CloudFlare Optimized Partners - it has all the benefits of a CloudFlare Certified Partner, plus [ Railgun ]

see --> [ https://www.cloudflare.com/hosting-partners/ ]

 

[ Railgun ] - is the encrypted & compressed connection between each Cloudflare data center around the world and the host

NOTE: the words "encrypted & compressed" - it is the HTTP connection to the host that [ Railgun ] accelerates and secures

here is a link to what CloudFlare says about it --> [ https://www.cloudflare.com/railgun ]

Link to comment
Share on other sites

If I'm reading it correctly, it also requires users have a paid Business or Enterprise plan unless we can qualify as an "optimized" hosting partner (not sure if/how that's different from the partner program we already participate in).

 

It's not really worth it anyway in my experience: I manage a website for someone that runs on a hosting company that has Railgun capability...I didn't notice any meaningful difference with it on or off, other than file uploads going corrupt and cache going stale more often with it on. Could be a hosting company issue though...that host leaves a lot to be desired, so much so that I recently discussed migrating to Tommy with them...

Link to comment
Share on other sites
