The Cloudflare content delivery network (CDN) service works well when you need a faster website and your web hosting plan doesn’t include an SSL certificate. In this case, you’d likely be using Flexible SSL mode. This means only traffic between your viewers and Cloudflare is encrypted, not between Cloudflare and your origin web server. This can cause some problems:
- Mixed content errors preventing images from loading with HTTPS (test with tools like WhyNoPadlock.com)
- Redirect loop errors preventing the entire page from loading in your browser
- Your website may use a wildcard SSL shared with phishing sites using Cloudflare for valid SSLs (test with tools like Nmap and SSL Shopper SSL Checker)
- Since traffic between Cloudflare and your server isn’t encrypted, it’s vulnerable to man-in-the-middle (MITM) cyber attacks such as SSL stripping and HTTP downgrade attacks
All InMotion cPanel-managed plans include the free AutoSSL for those who don’t need a paid SSL, usually recommended for e-commerce sites. This way you can still provide end-to-end encryption for your visitors and mitigate the aforementioned errors and cyber attacks, regardless of whether you’re using a CDN or web application firewall (WAF) such as Sucuri. With Cloudflare, this is achieved with the Full (Strict)mode. Below we’ll cover:
Learn more about how to secure cPanel accounts with our Managed Reseller VPS hosting.
Check Your Website Without Cloudflare
You may see this as an indirect how-to for potential cyber attackers. It’s understandable. However, sometimes it’s important to understand how easy some attacks are to fully realize why you should work to mitigate it. Furthermore, the information below is discussed for other benign situations, such as testing a website before updating nameservers or transferring a domain to another registrar.
You may already know you can enable Development mode in Cloudflare to temporarily bypass the CDN’s caching functions.
But anyone can edit their computer hosts file, adding a row with a domain and specific server IP, to force DNS queries to another server regardless of authoritative DNS records.
If the yourwebsite.com A record is 22.214.171.124, but I want to rebuild the website on my server, I can simply add this to my computer hosts file to redirect all requests from my computer to my server instead.
126.96.36.199 yourwebsite.com www.yourwebsite.com
Basically, in many cases, it’s easy to find and connect to a website’s origin IP address, bypassing a CDN or WAF.
This is the basic concept behind many DNS cache poisoning attacks on workstations, network routers, and rogue Wi-Fi access points (WAPs).
If your domain is pointed to Cloudflare name servers, you can edit the hosts file to see check if your website redirects to HTTPS without enabling Cloudflare Development mode — which affects all users.
How to Use AutoSSL with Cloudflare
To improve website security with Cloudflare, and better protect your visitors, use AutoSSL, not just Cloudflare’s SSL.
- Install AutoSSL on your Shared, Reseller, or VPS/Dedicated server
- 301 redirect all website traffic to HTTPS using the .htaccess file or plugins such as Really Simple SSL for WordPress
- Log into Cloudflare
- At the top, select SSL/TLS
- Select Full (Strict) to encrypt traffic between your server and Cloudflare
- At the top, select Caching
- Select Purge everything to clear your Cloudflare cache
- Clear your browser cache or open a private browsing session
- Open your website and it should be using HTTPS
- Select the SSL icon in your browser to view detailed information and you should see Verified by: Cloudflare
Consider enabling HTTP Strict Transport Security (HSTS) as well to further protect against downgrade attacks.
If you’re interested in learning more about how to secure cPanel, check out our article on VPS hardening.
To learn more about how to secure your website, check out our guides on security HTTP headers.