The number of services today that allow you to quickly get online is stunning. Tumblr, WordPress, Blogger, AppEngine, Posterous, Ning, TypePad, Smugmug, and more allow anyone to publish content online. Unfortunately, most don't support SSL. This means that, if you access one of these platforms from a shared network connection, like a coffee shop or airport wifi, someone can use a tool like Firesheep to sniff your session cookie information and gain access to your account even without your password.
While the risk of this for most people isn't very high, our customer support team has been getting more and more inquiries about whether CloudFlare can add SSL encryption to these third-party platforms. Justin on our team wanted to find out how easy it was, so he used his own Tumblr blog (justinpaine.com) to find out.
Set Up a Custom Domain
The first step for any of these platforms is to set up a custom domain. Tumblr, for example, defaults sites to using a subdomain of tumblr.com. While we're working with platforms to allow you to add CloudFlare support when you're on a subdomain account, until the platforms explicitly allow it you'll need to set up your own domain. You can find instructions on how to do so for each of the platforms mentioned already through the following links: Tumblr, WordPress, Blogger, AppEngine, Posterous, Ning, TypePad, and Smugmug.
Once you have a custom domain for your site, you then need to add the site to CloudFlare. If you don't already have a CloudFlare account, you can create one. After you create a new account, or log in to your existing account, you can walk through the quick process of adding your site. The process takes four steps and about five minutes to complete.
To get SSL on your site, you'll need to select one of the paid CloudFlare plans. All paid plans come with SSL support automatically. You don't need to buy or configure an SSL certificate separately; we take care of that process for you. As soon as you've finished configuring CloudFlare, we automatically add the SSL certificate and activate it for your account.
CloudFlare automatically detects that your platform provider doesn't support SSL and defaults you to the Flexible SSL setup. This means that connections from a browser to CloudFlare will be encrypted via HTTPS, but connections from CloudFlare to the platform will pass over unencrypted HTTP.
While it is ideal to have an end-to-end HTTPS connection, securing the connection from the browser to CloudFlare mitigates 99% of the real risk. One way to think about it: if you're worried about the government monitoring your web traffic, Flexible SSL won't offer a complete solution. On the other hand, if you're worried about someone next to you in the coffee shop sniffing your cookie or password information, CloudFlare's Flexible SSL will protect you.
If your platform provider ever begins to support SSL themselves, you can switch CloudFlare to Full SSL mode at any point from the CloudFlare Settings page and have end-to-end encryption. If you think about it, Flexible SSL is a lot like CloudFlare's IPv6/IPv4 Gateway. In that case, we were translating between IPv6 and IPv4 networks seamlessly. In this case, we're translating between the HTTPS and HTTP protocols, also seamlessly.
That's all there is to it. Once the DNS propagates, you'll be able to connect to your site securely just by entering HTTPS rather than HTTP. You can also use PageRules to force all connections to HTTPS if you'd like to default to an encrypted connection. Check out Justin's Tumblr:
It's one of the only encrypted Tumblr sites and it didn't require him changing anything in his Tumblr settings, just signing up for CloudFlare. Pretty cool!
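To check whether forcing HTTPS actually closes the cookie-sniffing gap described at the top of this post, the following added example (not CloudFlare's code) audits captured response headers from the http:// and https:// versions of a site. The hostname blog.example, the cookie name sid and both header captures are constructed sample data.

```python
"""Audit captured response headers for session cookies exposed over plain HTTP."""

REDIRECTS = (301, 302, 307, 308)


def cookie_attrs(set_cookie):
    """Return (cookie name, set of lower-cased attribute names) for one Set-Cookie value."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:] if p}
    return name, attrs


def audit(http_resp, https_resp):
    """Each response is (status, [(header, value), ...]). Returns a list of findings."""
    findings = []
    status, headers = http_resp
    location = next((v for k, v in headers if k.lower() == "location"), "")
    if not (status in REDIRECTS and location.lower().startswith("https://")):
        findings.append("http:// is served without a redirect to https://")
    for scheme, (_, hdrs) in (("http", http_resp), ("https", https_resp)):
        for key, value in hdrs:
            if key.lower() != "set-cookie":
                continue
            name, attrs = cookie_attrs(value)
            if scheme == "http":
                findings.append(f"cookie {name} is set over plain HTTP")
            elif "secure" not in attrs:
                # Without Secure the browser attaches the cookie to the first
                # http:// request too, before any redirect can take effect.
                findings.append(f"cookie {name} lacks Secure, so it is also sent over HTTP")
    return findings


# Constructed captures for the hypothetical site blog.example:
# (response to http://blog.example/, response to https://blog.example/)
BEFORE = (
    (200, [("Set-Cookie", "sid=abc123; Path=/")]),
    (200, [("Set-Cookie", "sid=abc123; Path=/; HttpOnly")]),
)
AFTER = (
    (301, [("Location", "https://blog.example/")]),
    (200, [("Set-Cookie", "sid=abc123; Path=/; Secure; HttpOnly")]),
)

if __name__ == "__main__":
    for label, capture in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(*capture) or "no findings")
```

The redirect alone is not sufficient: a cookie without the Secure attribute still travels in cleartext on the initial http:// request, which is why the audit reports it separately.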
One last note: we had previously supported another method for SSL on Google's AppEngine. That method, which relied on domain masking, proved brittle and unreliable, so it was deprecated for now. This new method using Flexible SSL is 100% reliable and has the advantage of supporting a number of platforms beyond Google's AppEngine. We'll be bringing back domain masking enabled via PageRules in the future since it does have some beneficial uses.