  • So, @Velocio Cloudflare dish out free certs? Think I might get 'em for my blog sites.
    How do they handle validation/revalidation if I'm on cheapass shared linux hosting? I don't think I can use Let's Encrypt in this case. Presumably I use you as a DNS and you shuffle my traffic to my host, doing some SSL shenanigans in the process? How do you make money out of it?
    Is this some kind of loss leader to get me to upgrade plans later on?

  • Universal SSL is the product.

    Yes we give free certs. You cannot download those certs, we manage them for you and terminate the SSL traffic, rotate the certs, renew them, etc. It means we are a reverse proxy.

    We then connect to your server, and yup... DNS is the key. When you enable Cloudflare for an A, AAAA or CNAME we will publish our IPs to the world, terminate the SSL, and then use the real IPs internally to reach you.

    There are three modes for that last bit where Cloudflare talks to your server:

    • Strict - You must have an SSL cert matching the host name on your origin
    • Full - You can have any SSL cert on your origin, we only encrypt and we do not verify
    • Flexible - We'll send the last bit over HTTP so we've publicly used HTTPS but privately go to you via HTTP

    Flexible isn't great security, but sometimes with CNAMEs it's the best you can do (no control over the CNAME sites' ability to use TLS).

    This is all free, and we still make money from it, it's not going away and isn't a loss leader... it's just a by-product of lowering the cost of doing something to fractions of a cent through automation and some clever tech.
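
The three origin modes described in the comment above, expressed as the TLS client settings a reverse proxy would use for the proxy-to-origin hop. This is an added example, not code from the thread or from Cloudflare; it assumes a plain Python `ssl` client and that the origin is reached at the same host name the visitor typed (both are my assumptions for illustration).

```python
"""Added example (not Cloudflare's code): what "Strict", "Full" and
"Flexible" mean for the hop between a reverse proxy and the origin.

Assumptions (mine): the proxy is a plain Python ``ssl`` client and the
origin is reached under the visitor's host name.
"""
import socket
import ssl
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class OriginHop:
    scheme: str                        # "https" or "http"
    context: Optional[ssl.SSLContext]  # None means cleartext
    encrypted: bool                    # can a passive sniffer read it?
    origin_authenticated: bool         # did we check who answered?


def build_origin_hop(mode: str) -> OriginHop:
    """Return the client-side settings for one origin mode."""
    mode = mode.lower()
    if mode == "flexible":
        # Visitor <-> proxy is HTTPS, proxy <-> origin is plain HTTP:
        # anything on that path can read and alter the traffic.
        return OriginHop("http", None, encrypted=False,
                         origin_authenticated=False)
    if mode == "full":
        # Encrypt only. Any cert is accepted: self-signed, expired, wrong
        # name, or one presented by an on-path attacker.
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False          # must be cleared before CERT_NONE
        ctx.verify_mode = ssl.CERT_NONE
        ctx.minimum_version = ssl.TLSVersion.TLSv1_2
        return OriginHop("https", ctx, encrypted=True,
                         origin_authenticated=False)
    if mode == "strict":
        # Encrypt and verify: cert must chain to a trusted CA and its
        # name must match the origin host name.
        ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname
        ctx.minimum_version = ssl.TLSVersion.TLSv1_2
        return OriginHop("https", ctx, encrypted=True,
                         origin_authenticated=True)
    raise ValueError(f"unknown origin mode {mode!r}")


def connect_origin(mode: str, host: str, port: Optional[int] = None,
                   timeout: float = 5.0) -> socket.socket:
    """Open a proxy-to-origin socket the way the given mode would.

    Needs network access; not exercised offline. Returns a plain socket
    for Flexible and a TLS-wrapped socket for Full/Strict.
    """
    hop = build_origin_hop(mode)
    if port is None:
        port = 443 if hop.scheme == "https" else 80
    raw = socket.create_connection((host, port), timeout=timeout)
    if hop.context is None:
        return raw
    # server_hostname is passed in every mode so SNI is sent; in Strict it
    # is also what check_hostname compares the cert against.
    return hop.context.wrap_socket(raw, server_hostname=host)


if __name__ == "__main__":
    for m in ("flexible", "full", "strict"):
        h = build_origin_hop(m)
        print(f"{m:8s} scheme={h.scheme} encrypted={h.encrypted} "
              f"authenticated={h.origin_authenticated}")
```

The difference between Full and Strict is just `verify_mode` and `check_hostname`: with `CERT_NONE` the hop defeats passive sniffing but nothing stops an on-path attacker from presenting their own certificate, which is why a self-signed origin cert only gets you Full. Note that `ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)` defaults to verification, so `check_hostname` has to be cleared before `verify_mode` can be set to `CERT_NONE`.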

  • We do most of our work stuff in a similar way within AWS using what you call 'Flexible'. Autoscaling IIS boxes accepting http traffic from various Cloudfronts (so close to Cloudflare it gets confusing), hosts CNAMEd to the Cloudfronts.

    With my personal shit it's all on cheap shit hosting and I care not for its maintenance or even security for that matter, I just don't want the "Not Secure" shit popping up in Chrome so the quickest, easiest solution for me is what I want.

    Might give it a whirl. You sure your servers can cope with the extra workload? Gotta be at least a hit a day from something that isn't a crawler...
