There's not too much to this blog post... I had to set up SSL certificates for two or three sites recently and encountered some troubles when working with CloudFlare, and I thought it might be helpful to write up what I learned and what worked.
These tips assume that:
- You're already familiar with how DNN handles and manages SSL settings
- You're already running CloudFlare for the domain's DNS and it's active
The Problem: Enforcing full-site SSL rules within DNN, and setting Admin > Site Settings SSL Enabled AND SSL Enforced, will not work when used with CloudFlare unless the settings on both sides are chosen correctly.
Depending on how the settings are combined, you can end up with a dead site that is stuck in redirect loops or returning errors. Which one you get depends partly on the combination of CloudFlare settings and server settings within IIS.
If you go through the steps of turning on an SSL setting in CloudFlare and then in DNN setting a portal's SSL Settings to Enabled AND Enforced, then you can experience these redirect loops. To find out more about them from CloudFlare, the following support article was helpful
These parts from the article sounded like the issue encountered:
- If you do not have a SSL certificate on your origin server, or simply can't use port 443 for web traffic, then you will need to use the Flexible setting in your Cloudflare dashboard. Selecting either the Full or Strict setting without a SSL certificate at your server will result in a 525/526 error
- Selecting Flexible when your origin has a redirect from http to https leads to a redirect loop. In this case, assuming there is an SSL certificate at the origin, you should use Full or Full(strict).
So, what's going on with these? Let's look more closely at CloudFlare's SSL settings.
Within Cloudflare there are different settings for SSL action.
You can learn more about them here (https://support.cloudflare.com/hc/en-us/articles/200170416-What-do-the-SSL-options-mean-)
The Solutions: These settings combine together with DNN's SSL settings for you to have three different use-case scenarios:
Option One - Optional SSL
If you want to allow SSL within DNN but do not need to enforce it (Enabled but not Enforced), then the Flexible setting will work correctly for you and will allow CloudFlare's intermediate SSL certificate to function.
Option Two - Full (strict) SSL with a Third-Party Issued Certificate
If you create a proper standard SSL certificate from a Certificate Issuing Authority, then you will set it up in standard fashion within IIS, then in DNN turn on Enabled AND Enforced, and within Cloudflare set SSL to Full (strict).
Option Three - Quick Self-Signed Certificate YET Secure from CloudFlare
However, if you want a quicker, simpler approach, often for validation that is for Google SEO / marketing use rather than eCommerce/security, then you can do the following:
- Create a Self-Signed Certificate within IIS following these simple steps (https://technet.microsoft.com/en-us/library/cc753127(v=ws.10).aspx)
- In the website bindings within IIS, be sure to set the port/ssl cert for at least the www version of the domain
- In DNN turn on SSL Enabled and Enforced
- In the database (or manually) set all Tabs for this portal to IsSecure = True
- In DNN clear cache / restart app pool
- In CloudFlare set the SSL settings to Full
At this point, once the site restarts, you will have an enforced SSL state for all pages where you have set IsSecure, and an SSL certificate from CloudFlare will be shown to the browser.
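
The three options and the two failure cases quoted from the CloudFlare article can be traced with a small model of the request path. This is an added example, not code from the original post, DNN or CloudFlare; `Origin`, `fetch` and the mode strings are hypothetical names. It assumes Flexible always contacts the origin over plain HTTP, Full and Full (strict) use the visitor's scheme, a missing origin certificate surfaces as 525, and a certificate that strict mode cannot validate surfaces as 526.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Origin:
    cert: Optional[str]   # None, "self-signed" or "ca-issued" (constructed labels)
    enforce_https: bool   # DNN "SSL Enforced": origin redirects http -> https


def fetch(mode: str, origin: Origin, visitor_scheme: str = "https",
          max_hops: int = 10) -> str:
    """Follow one browser request through the CloudFlare edge to the origin.

    mode: "flexible", "full" or "strict" (Full (strict)).
    Returns "200", "525", "526" or "redirect loop".
    """
    for _ in range(max_hops):
        # Flexible reaches the origin over http no matter what the visitor used.
        origin_scheme = "http" if mode == "flexible" else visitor_scheme
        if origin_scheme == "https":
            if origin.cert is None:
                return "525"   # origin cannot complete the TLS handshake
            if mode == "strict" and origin.cert != "ca-issued":
                return "526"   # strict mode rejects the self-signed certificate
            return "200"
        if not origin.enforce_https:
            return "200"       # origin is content to serve the page over http
        # Origin saw http and redirected to https; the browser retries over https.
        visitor_scheme = "https"
    return "redirect loop"     # the browser gives up after too many redirects


# Constructed scenarios: the post's three options plus the failure cases.
SCENARIOS = {
    "Option One: Flexible, no cert, not enforced": ("flexible", Origin(None, False)),
    "Option Two: Full (strict), CA cert, enforced": ("strict", Origin("ca-issued", True)),
    "Option Three: Full, self-signed, enforced": ("full", Origin("self-signed", True)),
    "Flexible with SSL Enforced": ("flexible", Origin("self-signed", True)),
    "Full with no origin cert": ("full", Origin(None, True)),
    "Full (strict) with self-signed cert": ("strict", Origin("self-signed", True)),
}


def run_scenarios() -> dict:
    return {name: fetch(mode, origin) for name, (mode, origin) in SCENARIOS.items()}


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{result:14} {name}")
```

The "Flexible with SSL Enforced" row is the loop: every retry over HTTPS still arrives at the origin as HTTP, so the origin redirects again.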