Recently I came up against an issue when switching a website over from Media Temple (mt) to Digital Ocean (di) and breaking the current SSL setup. I am using CloudFlare for my DNS (which I can highly recommend) and their free SSL in order to serve the website over HTTPS. The website worked fine with the (mt) - CloudFlare combo, but not with the new (di) setup. After a lot of Googling and server restarting I finally found that the free SSL is not compatible with (di) when the SSL option is set to 'full'. When switching the SSl setting to 'flexible' the website came back up and everything is now working smoothly.
But why does tis make a difference? Here is the official word from the CloudFlare website:
Flexible SSL encrypts traffic from CloudFlare to end users of your website, but not from CloudFlare to your origin server. This is the easiest way to enable HTTPS because it doesn’t require installing an SSL certificate on your origin. While not as secure as the other options, Flexible SSL does protect your visitors from a large class of threats including public WiFi snooping and ad injection over HTTP.
Full SSL mode provides encryption from end users to CloudFlare and from CloudFlare to your origin server. This requires an SSL certificate on your origin server. In Full SSL mode, you have three options for certificates to install on your server: one issued by a Certificate Authority (Strict), one issued by CloudFlare (Origin CA), or a self signed certificate. It is recommended that you use a certificate obtained through CloudFlare Origin CA.
So this means to get the best SSL encryption I will need a certificate on my Digital Ocean server, the following CloudFlare article explains this How do I add SSL to my site
Why would I recommend CloudFlare for DNS? Not only for the security aspect of your website but the DNS propagation was fast, I could makes changes to the DNS records and those changes were applied instantly.
Subscribe to Invisibleloop
Get the latest posts delivered right to your inbox