Find file Copy path
Fetching contributors…
Cannot retrieve contributors at this time
233 lines (175 sloc) 10.4 KB
title: Setting Up SSL-Enabled Custom Domains Using CloudFlare
owner: London Services
<strong><%= modified_date %></strong>
**Note**: SSL (HTTPS) will not work with custom domains without the use of
third-party SSL termination.
Pivotal recommends using CloudFlare for this service.
This topic explains setting up an SSL-enabled custom domain using CloudFlare, a
content distribution network.
This is the Pivotal-recommended strategy for using SSL with a custom domain.
Using this configuration, traffic to and from your application running on Cloud
Foundry will be routed via CloudFlare.
Browser &lt; &mdash; ssl &mdash; &gt; CloudFlare proxy &lt; &mdash; ssl &mdash; &gt; Cloud Foundry
To enable this, you configure CloudFlare's "Full SSL" option for the domain.
You can use a CloudFlare-generated SSL certificate between the browser and the
CloudFlare server, or, if you prefer, configure CloudFlare to use a certificate
you provide.
A Cloud Foundry-generated SSL certificate is used between the CloudFlare proxy
and the application on Cloud Foundry.
These instructions assume that your domain is already registered with a DNS
To complete this procedure, you must be able to access the DNS registrar for the
Note that you do not need to change DNS registrars.
The only change you make with your registrar is to point the authoritative name
servers to CloudFlare's name servers.
Before starting, download the zone file for the domain from your DNS provider to
use in [Step 3 - Configure DNS Records](#configure-dns).
## <a id='introduction'></a>Introduction ##
CloudFlare is a caching and security-as-a-service that protects and accelerates
on-line websites.
Web traffic is routed through CloudFlare's global network -- this accelerates
delivery of static and dynamic content, while blocking threats and limiting
abusive bots and crawlers from wasting your bandwidth and server resources.
CloudFlare's SSL termination proxy decrypts incoming SSL traffic and can pass on
unencrypted or fully encrypted requests to the app server.
Adding your website requires only a simple change to your domain's DNS settings.
SSL Termination is available with any of the CloudFlare plans, including the
Free plan. The Free and Pro plans always use a CloudFlare-generated certificate.
Business and Enterprise plans add the option to use your own SSL certificate.
## <a id='sign-up'></a>Step 1 - Get CloudFlare Account ##
1. Go to [](,
select the desired account, and click **Sign up now**.
<%= image_tag("../../images/cloudflare/sign-up.png") %>
1. On the **Create an Account** page, enter your email address, username, and password. Read and check **I agree to CloudFlare's Terms of use**. Click **Create account now**.
<%= image_tag("../../images/cloudflare/create-account.png") %>
## <a id='add-domain'></a>Step 2 - Add Domain to CloudFlare ##
1. On the **Select a website** page, enter the name of your custom domain and
click **Add website**.
CloudFlare will query authoritative DNS servers for the DNS record registered
for the domain.
<%= image_tag("../../images/cloudflare/add-website.png") %>
1. When CloudFlare finishes querying the DNS servers, a **Scan complete**
message appears.
Click **Continue**.
<%= image_tag("../../images/cloudflare/scan-complete.png") %>
## <a id='configure-dns'></a>Step 3 - Configure DNS Records ##
The **Configure your records** page lists the records obtained from the
authoritative DNS servers for your domain.
In the row containing your domain name, the cloud icon in the **Active** column
should be orange.
To ensure your DNS records are correct and complete, Pivotal recommends you
download the zone file for the domain from your DNS provider, and then upload it
to CloudFlare using the **Upload a zone file** link.
Use the **Add** button to define additional records, if necessary.
When finished, click **I've added all missing records, continue**.
<%= image_tag("../../images/cloudflare/configure-dns.png") %>
## <a id='choose-settings'></a>Step 4 - Choose Initial Settings ##
1. On the **Choose initial settings** page, set the following options:
* **Choose a plan**: Select **Free**, **Pro**, or **Business**.
If you choose **Free** or **Pro**, CloudFlare will generate an SSL
certificate for communications between browsers and the CloudFlare proxy.
If you prefer to provide your own SSL certificate, choose **Business**.
* **Performance**: This configures a profile that sets the values of
multiple performance-related options.
You can choose any of the available options, and easily change it later.
After completing this configuration process, follow the instructions in
[Reviewing CloudFlare Configuration Options](#review) to understand the
performance and security options, and tailor your configuration as desired.
* **CDN only (safest)**: This is the default.
* **CDN + Basic Optimizations**
* **CDN + Full Optimizations**
* **Security**: This setting controls which visitors are shown a CAPTCHA
challenge page.
The options are:
* **High**: Requires a CAPTCHA for any visitors witnessed engaging in
malicious behavior on other websites, and challenges visitors based on
known malware browser signatures
* **Medium**: Requires a CAPTCHA for any visitors witnessed frequently
engaging in malicious behavior on other websites, and challenges
visitors based on known malware browser signatures
* **Low**: Requires a CAPTCHA for any visitors witnessed very frequently
engaging in malicious behavior on other websites
* **Essentially off**: Only challenges visitors recently involved in
significant denial of service (DoS) or hacking attacks
CloudFlare recommends using **Low** as an initial setting.
* **Automatic IPv6**: The options are:
* **Full IPv6 Gateway**: Enables IPv6 on all subdomains that are
CloudFlare-enabled (marked by an orange cloud in your DNS settings)
* **Safe IPv6 Gateway**: Will only create an IPv6-specific subdomain for
your site (
* **SmartErrors**: SmartErrors is a CloudFlare feature that prevents 404
errors from being presented when a site visitor requests a page that is not
Instead, CloudFlare performs a site search based on keywords and contextual
information from the referring link, then presents the visitor with a list
of best-matching pages from the site.
* **On (partial)**: This enables SmartErrors only for `HTML 404 page not found` errors that are not customized.
If you have a customized 404 error page, SmartError will not intercept
it in partial mode.
* **On (full)**: This enables SmartErrors for all `HTML 404 page not found`
error pages, including any custom error pages.
* **Off**: This disables SmartErrors.
1. Click **Continue**.
<%= image_tag("../../images/cloudflare/initial-settings.png") %>
## <a id='confirm-ssl'></a>Step 5 - Confirm SSL ##
On the **Confirm SSL** page, select your SSL configuration preference:
* **Automatic SSL Configuration**: Use this option if you want CloudFlare to
automatically issue an SSL certificate for your website.
* **Custom SSL Configuration**: Use this option to upload your own SSL private
key and certificate files.
* **Manual SSL Configuration**: Use this option if you want to manually insert a
unique meta tag provided by CloudFlare in the head section of the HTML for your
<%= image_tag("../../images/cloudflare/confirm-ssl.png") %>
## <a id='update-names'></a>Step 6 - Update Name Servers ##
The **Update your DNS** page lists your current name servers, and the CloudFlare
name servers with which to replace them.
1. Use the provided URLs to update the name server settings for your domain with
the authoritative server for your domain, i.e., your ISP.
1. Click **I've updated my nameservers, continue**.
<%= image_tag("../../images/cloudflare/update-name.png") %>
## <a id='select-ssl'></a>Step 7 - Select SSL Option ##
1. On the **Websites page**, click the gear icon for the website you want to
configure with the SSL Termination service and select **CloudFlare settings**.
<%= image_tag("../../images/cloudflare/gear.png") %>
1. On the **Settings overview** tab, scroll down the page to **SSL**.
Select your SSL option:
* **Off**: This disables SSL.
* **Flexible**: This enables SSL between visitors and CloudFlare, but does not
enable SSL between CloudFlare and Cloud Foundry.
Visitor see HTTPS enabled on your website, but you do not need an SSL
certificate on Cloud Foundry.
* **Full SSL**: This enables SSL between visitors and CloudFlare, and between
CloudFlare and Cloud Foundry.
This setting requires an SSL certificate on Cloud Foundry.
* **Full SSL (Strict)**: This option is not available when using Cloud Foundry.
The Full SSL (Strict) option requires the SSL certificate to respond for the
request domain name, but the SSL certificate returned by Cloud Foundry will be
for the domain instead.
<%= image_tag("../../images/cloudflare/choose-ssl.png") %>
## <a id='restrict'></a>Step 8 - Restrict Application to SSL Only ##
To restrict an application to work only over SSL:
1. On the **Websites** page, click the gear icon for the application you want to configure and select **Page Rules**.
<%= image_tag("../../images/cloudflare/page-rules.png") %>
1. Create a new rule by adding a URL pattern, for example
Select **Always use https**.
<%= image_tag("../../images/cloudflare/page-rules.png") %>
Note that because DNS settings are cached in various points throughout the
Internet, including on your browser, changes to these SSL settings may take some
time to propagate through the system and start functioning as you would expect.
## <a id='review'></a>Step 9 - Review CloudFlare Configuration Options ##
After your initial domain setup is complete, you may want to review CloudFlare
configuration options.
To do so:
1. Click the **Websites** link at the top of any page.
1. Click the gear icon in the row for your domain and select **CloudFlare settings**.
The **CloudFlare settings** page has several tabs that describe CloudFlare
configuration options.
In particular, see the **Security** and **Performance** tabs to understand more
about the options you configured, and alternative settings.
<%= image_tag("../../images/cloudflare/my-websites.png") %>