Using Cloudflare CDN

A couple of years ago I decided to switch my domain registrar. I’d been using this particular registrar for many years and had been unhappy with them pretty much from day one; I would have switched away sooner, but it’s a hassle and they charged for the privilege. I decided to move to Google Domains because they were cheap enough and people generally seemed to like the service. Well, wouldn’t you believe it, within six months of me switching Google announced they were shutting down Google Domains and selling the business to Square Space. I have nothing against Square Space, but I didn’t pick them as my domain registrar, I picked Google. Square Space are considerably more expensive than Google, although not enough to make me instantly move away (I’m a little concerned the renewal dates changed too, but I can’t be sure of that). Anyway, long story short, I’m moving to Cloudflare.

Cloudflare has some advantages: they are cheap and they are unlikely to sell their domain business. When I originally switched to Google Domains I very nearly went with Cloudflare but I didn’t because I didn’t understand their offering, it looked very much like an up-selling scam (at the time). Now that I better understand what they are offering I can see why people are using them.

Switching a domain over is fairly painless. You first add the domain to Cloudflare (which moves its DNS records onto Cloudflare’s name servers), and then you can transfer the domain registration to them. Unfortunately the process wasn’t completely painless. By default Cloudflare will proxy any A and simple CNAME records for your domain, which caused a couple of hiccups.

Switching on the CDN Causes a Redirect Loop

I configured my site with the Cloudflare proxy switched off, I didn’t want anything getting in the way. When I came to switch the Cloudflare proxy on I got a redirection loop. I was about to give up, I’d had enough of configuring the server at that point. Thankfully, I almost immediately realised what was happening. The Cloudflare CDN acts as a proxy for your site, which means it needs to communicate with your site, and by default it sets itself up in Flexible mode, which means it talks to your server over plain HTTP rather than HTTPS (only the browser-to-Cloudflare leg is encrypted). The problem is I’d set up my Nginx reverse proxy to redirect from HTTP to HTTPS for the WordPress sites. What this meant was that when I visited https://www.example.com Cloudflare tried to load http://www.example.com. It then received back a redirect to https://www.example.com, which it passed on to the browser. The browser then requested https://www.example.com again, and so the cycle continued.

The solution is to open the domain in Cloudflare and navigate to the SSL/TLS settings. In the overview area there’s a section called SSL/TLS encryption. The default setting is “Flexible”. Press the Configure button, choose “Custom SSL/TLS” and select the “Full (Strict)” option; in this mode Cloudflare connects to your server over HTTPS and validates its certificate, so the redirect never fires. The description for this option seems to say you have to use Cloudflare certificates, but that’s not the case, Let’s Encrypt certificates work just fine.
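To make the loop concrete, here is a small model of the three parties involved (browser, Cloudflare edge, origin). This is an added example written for this post, not code from the original post or from Cloudflare; the browser, edge and origin are stand-ins, nothing touches the network, and the mode names `flexible` and `full_strict` are labels chosen here. It shows the same origin configuration looping under Flexible and answering normally under Full (Strict).

```python
"""Model of the redirect loop caused by Cloudflare's "Flexible" SSL/TLS mode
in front of an origin that redirects HTTP to HTTPS.

Added example, not code from the original post. The browser, the edge and
the origin are small stand-ins written for this demonstration; nothing here
touches the network.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

MAX_REDIRECTS = 20  # Firefox and Chrome give up after about this many hops


@dataclass
class Response:
    status: int
    location: Optional[str] = None


def origin(scheme: str, host: str, path: str) -> Response:
    """Stand-in for the Nginx reverse proxy in the post: every plain-HTTP
    request is answered with a redirect to the same URL over HTTPS."""
    if scheme == "http":
        return Response(301, f"https://{host}{path}")
    return Response(200)


def edge(mode: str, url: str) -> Response:
    """Stand-in for the Cloudflare proxy. In 'flexible' mode the edge fetches
    the origin over plain HTTP whatever the browser used; in 'full_strict'
    mode it fetches over HTTPS (and, in the real product, also validates the
    origin's certificate)."""
    if mode not in ("flexible", "full_strict"):
        raise ValueError(f"unknown mode {mode!r}")
    _, rest = url.split("://", 1)
    host, _, path = rest.partition("/")
    origin_scheme = "http" if mode == "flexible" else "https"
    return origin(origin_scheme, host, "/" + path)


def browse(mode: str, url: str) -> Tuple[int, List[str]]:
    """Follow redirects the way a browser does and return the final status
    plus every URL requested. A status of 0 means the browser gave up on a
    redirect loop."""
    visited = [url]
    for _ in range(MAX_REDIRECTS):
        resp = edge(mode, url)
        if resp.status != 301:
            return resp.status, visited
        url = resp.location
        visited.append(url)
    return 0, visited


if __name__ == "__main__":
    for mode in ("flexible", "full_strict"):
        status, hops = browse(mode, "https://www.example.com/")
        print(f"{mode:12s} final status {status}, {len(hops)} request(s)")
```

Running it prints a final status of 0 after 21 requests for `flexible` and a single 200 for `full_strict`. The point to take away is that the loop is not an Nginx bug: the origin never sees an HTTPS request in Flexible mode, so its redirect is doing exactly what it was told to.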

Error code: SSL_ERROR_NO_CYPHER_OVERLAP

After transferring a domain to Cloudflare I got this error message in the browser (Firefox) when trying to access it:

Secure Connection Failed

An error occurred during a connection to www.pickardsmith.com. Cannot communicate securely with peer: no common encryption algorithm(s).

Error code: SSL_ERROR_NO_CYPHER_OVERLAP

The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
Please contact the web site owners to inform them of this problem.

Frustratingly, this error cleared up on its own after a while, but it seems I’m far from the only person to experience it. Some pages on the issue: 1, 2.

How to Tell if Cloudflare is Working?

In Firefox (or Chrome) load a site using Cloudflare (cloudflare.com is used in this example) and press F12 to open developer tools. Select the Network tool and reload the page if necessary (you might also need to turn off the browser cache). Select an item from the site (images are a good choice) and then examine its headers. You should see something like this:

The cf-cache-status header tells you that this content was delivered from the Cloudflare cache. The cf-ray header, I think, is the identifier used to find the cached item. The last header of note is server (towards the end of the list), which indicates this resource came from a Cloudflare server.
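The same check can be scripted so you do not have to read the headers by eye. The following is an added example, not code from the original post: it parses a block of response headers as you would copy them from the Network tool (or from `curl -I`) and reports whether the response passed through Cloudflare and whether it was a cache hit. The two sample header blocks are constructed, the cf-ray value is made up, and the list of cf-cache-status values is the one Cloudflare documents.

```python
"""Read the Cloudflare headers off an HTTP response and say whether the
response was proxied by Cloudflare and whether it came out of its cache.

Added example, not code from the original post. The two header blocks below
are constructed to look like what the Network tool shows; the ray id and
dates are made up.
"""
from typing import Dict, Optional

# Values cf-cache-status is documented to take. HIT means served from the
# Cloudflare cache; DYNAMIC means the edge did not consider the content
# cacheable (typical for HTML pages) and fetched it from the origin.
CACHE_STATUSES = {"HIT", "MISS", "DYNAMIC", "BYPASS", "EXPIRED",
                  "STALE", "UPDATING", "REVALIDATED"}

# Constructed: a cached image served through Cloudflare.
SAMPLE_CACHED = """\
HTTP/2 200
date: Mon, 01 Jan 2024 12:00:00 GMT
content-type: image/png
cache-control: public, max-age=14400
cf-cache-status: HIT
age: 3600
cf-ray: 0123456789abcdef-LHR
server: cloudflare
"""

# Constructed: the same resource fetched straight from an Nginx origin.
SAMPLE_DIRECT = """\
HTTP/1.1 200 OK
date: Mon, 01 Jan 2024 12:00:00 GMT
content-type: image/png
server: nginx/1.24.0
"""


def parse_headers(raw: str) -> Dict[str, str]:
    """Turn 'name: value' lines into a dict keyed by lower-cased header name.
    The status line has no colon and is skipped; a later duplicate header
    overwrites an earlier one."""
    headers: Dict[str, str] = {}
    for line in raw.strip().splitlines():
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def cloudflare_summary(headers: Dict[str, str]) -> Dict[str, Optional[object]]:
    """Summarise what the Cloudflare headers say about this response."""
    server = headers.get("server", "").lower()
    ray = headers.get("cf-ray")
    status = headers.get("cf-cache-status", "").upper() or None
    if status is not None and status not in CACHE_STATUSES:
        status = "UNKNOWN:" + status
    # Either signal on its own is enough: cf-ray is present on every
    # response that passed through the edge, cached or not.
    proxied = server == "cloudflare" or ray is not None
    # The cf-ray value ends in the airport code of the data centre that
    # handled the request, e.g. ...-LHR for London Heathrow.
    colo = ray.rsplit("-", 1)[1] if ray and "-" in ray else None
    return {
        "proxied": proxied,
        "cache_status": status,
        "served_from_cache": status == "HIT",
        "ray_id": ray,
        "data_centre": colo,
    }


if __name__ == "__main__":
    for label, raw in (("cached", SAMPLE_CACHED), ("direct", SAMPLE_DIRECT)):
        print(label, cloudflare_summary(parse_headers(raw)))
```

Two things the script makes visible that the screenshot does not: cf-ray identifies the request and the data centre that served it rather than a cache entry, so it is present on cache misses too, and a response with neither cf-ray nor `server: cloudflare` did not go through the proxy at all, which is the quickest way to spot a record that has been left un-proxied.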

Cloudflare Doesn’t Proxy SSH

This came as a bit of a surprise to me, but apparently Cloudflare doesn’t proxy SSH connections. This leaves me in a bit of a pickle because SSH is how I manage servers. The symptom is that when I try to ssh in (ssh example.com) I get a connection timeout. There are two possible workarounds. The first is to ssh to the IP address directly; the second is to add a non-proxied A record to the DNS specifically for SSH. Neither solution is great, and the second exposes the server more, as that record advertises the server’s real IP to anyone who looks it up.

Wait, what? When you have a server sitting behind a Cloudflare CDN it’s at least partially hidden from the world. The server itself is still on the public internet, but it’s not immediately obvious what IP address it’s using. The DNS records return the IP of a Cloudflare CDN server, which proxies all the requests. Someone scanning through all IPv4 addresses will find your server, but just looking it up in the DNS records won’t work. The downside of this setup is that you can only access services by domain name if the proxy allows them through, and by default Cloudflare doesn’t proxy SSH. This makes a lot of sense: SSH is a common attack vector, so proxying it would be a bad idea from a security point of view.

There is another solution which I really like: add a record to my local DNS server that resolves the remote server’s real address. Since my own internal DNS server is the one all the machines on my network use, the name resolves there rather than on the Cloudflare servers, thus bypassing the CDN. This avoids the need for a special non-proxied A record specifically for SSH.
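Whichever workaround you pick, it is worth checking afterwards which names in your public zone still hand out the origin address, since that is exactly what the extra non-proxied A record above does and what the internal-DNS approach avoids. The following is an added example, not code from the original post or from Cloudflare: it labels each name as proxied (public DNS answers with a Cloudflare edge address) or exposed (it answers with something else, almost certainly your server). The sample zone is constructed, the origin addresses come from the 198.51.100.0/24 documentation range, and the Cloudflare prefix list is a partial snapshot that is assumed current; refresh it from https://www.cloudflare.com/ips-v4 before relying on it.

```python
"""Check which names in a DNS zone are hidden behind the Cloudflare proxy and
which hand out the origin server's real address.

Added example, not code from the original post. The zone is constructed
(origin addresses come from the 198.51.100.0/24 documentation range) and the
list of Cloudflare prefixes is a partial snapshot; refresh it from
https://www.cloudflare.com/ips-v4 before relying on it.
"""
import ipaddress
import socket
from typing import Dict, Iterable, List

# Snapshot of published Cloudflare IPv4 edge prefixes (assumed current;
# the authoritative list is the URL above).
CLOUDFLARE_V4 = [ipaddress.ip_network(p) for p in (
    "104.16.0.0/13", "104.24.0.0/14", "172.64.0.0/13", "162.158.0.0/15",
    "173.245.48.0/20", "141.101.64.0/18", "108.162.192.0/18",
    "188.114.96.0/20", "190.93.240.0/20", "197.234.240.0/22",
    "198.41.128.0/17", "131.0.72.0/22", "103.21.244.0/22",
    "103.22.200.0/22", "103.31.4.0/22",
)]

# Constructed: what public DNS answers for a zone where the web names are
# proxied (orange cloud) and two extra records are not (grey cloud).
SAMPLE_ZONE = {
    "example.com": "172.67.1.1",
    "www.example.com": "104.16.1.1",
    "ssh.example.com": "198.51.100.10",   # the non-proxied record for SSH
    "mail.example.com": "198.51.100.10",  # mail on the same box
}


def is_cloudflare(ip: str) -> bool:
    """True if the address belongs to a Cloudflare edge prefix."""
    addr = ipaddress.ip_address(ip)
    return addr.version == 4 and any(addr in net for net in CLOUDFLARE_V4)


def classify_zone(zone: Dict[str, str]) -> Dict[str, str]:
    """Label every name 'proxied' (answer is a Cloudflare edge address) or
    'exposed' (answer is some other address, i.e. probably the origin)."""
    return {name: ("proxied" if is_cloudflare(ip) else "exposed")
            for name, ip in zone.items()}


def exposed_names(zone: Dict[str, str]) -> List[str]:
    """Names whose public answer reveals a non-Cloudflare address, sorted."""
    return sorted(n for n, label in classify_zone(zone).items()
                  if label == "exposed")


def resolve_live(names: Iterable[str]) -> Dict[str, str]:
    """Build a zone dict from real lookups of your own names (uses the
    network; not used by the sample run). Names that fail to resolve are
    skipped."""
    zone: Dict[str, str] = {}
    for name in names:
        try:
            zone[name] = socket.gethostbyname(name)
        except socket.gaierror:
            pass
    return zone


if __name__ == "__main__":
    for name, label in classify_zone(SAMPLE_ZONE).items():
        print(f"{name:20s} {SAMPLE_ZONE[name]:16s} {label}")
    print("exposed:", exposed_names(SAMPLE_ZONE))
```

On the sample zone the two web names come back as proxied and `ssh.example.com` and `mail.example.com` as exposed, which is the trade-off the post describes: any grey-cloud record, not just the one for SSH, is enough to publish the origin address, so an internal DNS override keeps the public zone cleaner than a dedicated A record does.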