cloudflare SSL in Full(strict) mode still non-ssl connections - ssl

Stack:
Cloudflare
SSL in Full(Strict) mode
Always Use SSL is ON
Heroku
Automatic Certificate Management (ACM)
All this seems to work well, except that on the Cloudflare SSL Overview tab, under Traffic Served Over TLS 30% is labeled None (not secure) I would expect this section to have started to approach zero.
The settings above have been in effect for well over 24 hours.
So, where's all this non-ssl traffic coming from? Is that just traffic coming in over HTTP that Cloudflare is redirecting to SSL before it gets anywhere else? Or is it something else?

Yes, it's very likely that traffic is coming in over HTTP that Cloudflare is redirecting to SSL. When someone first requests the HTTP version of the site that will be handled over HTTP (not HTTPS), which will then redirect to the HTTPS version.

Related

SSL - Cloudflare, avast or my code?

I have 2 websites on 2 servers, I use the SSL cloudflare
For the first everything is ok, green padlock.
For the second, I have a grey padlock with a warning on it https://lightpics.net
Google Chrome can see the site’s certificate, but the site uses a weak security setup (SHA-1 signatures), so your connection might not be private.
Proceed with caution. These are common mistakes in websites' configurations, but that doesn't guarantee that your connection is secure.
When I disable the HTTPS verify in Avast, it become green.
Someone know why ? I have the same configuration on the both... so, it's my server, my code, avast or cloudflare ?
The problem only came from avast : it MITM your connection and sign it again with an sha1 certificate.
To be sure, check your server with ssllabs.com
Just one more thing : https is not enough to be secure, you should redirect http to https with a 301 (permanent) redirect and use HSTS.

Connection Partially Encrypted in Firefox :SSL

I have uploaded my SSL certificates to IAM purchased from Comodo and evrything looks fine in chrome and opera. But mozilla is giving an error: "Connection Partially encrypted". I am not able gauge why this is happening.
Link : https://www.advisorcircuit.com/
Please tell me what is the possible culprit for this?
and also i want to know , how can i redirect my users to HTTPS ebven if they type http as even if i type http the website loads and opens.
I am using AWS t2.medium instance. So is there any configuration i need to do in my console??
Redirection:
You have a few options:
Block HTTP traffic, only allow HTTPS on the Security Group level ( Not the nicest solution.
Use an Elastic Load balancer, Listening only on HTTPS port. ( Same as above)
The webserver ( most of them like Tomcat, IIS, etc) supports a redirection, so it sends back "HTTP/1.1 301 Moved Permanently", then the client browser does the call again on HTTPS.
If you use Elastic Load Balancer with SSL termination ( which is a good practice, less load on your server, easier setup of the SSL Certificate). Then all your traffic inside your VPC goes on port 80. In this case you need to setup your webserver to redirect differently. Instead of the incoming port, the trigger for the redirection should be the based on the "X-Forwarded-Proto" header value, which is the original protocol what the client is using.
For production environment the last setup is an AWS Best practice. ( Of course there are also other solutions)
Your site is running Apache/2.2.29. You can redirect your virtual host traffic from 80->443 in Apache itself. That way if someone goes to http://www.yourdomain.com then get redirected to https://www.yourdomain.com
ServerFault has an post explaining how to use Apache mod_rewrite to accomplish this
https://serverfault.com/a/554183/280448
Also you need to adjust the SSL cipher suites that your site accepts. Your ELB has an option to change cipher suites and you can deselect some there. The two you definitely want deselected are RC4 and SSL3.
Here's the full report if you want to make more changes
https://www.ssllabs.com/ssltest/analyze.html?d=www.advisorcircuit.com&s=52.7.154.196&latest

How do I make apache SNI hosts without certificates redirect to http address?

I have an apache server with multiple named hosts all working fine for port 80 http traffic.
(A VPS with one unique IP address)
I have one domain that has a SSL certificate and that domain is configured to handle both http and https traffic.
However if someone accidentally adds https to the beginning of a none SSL configured URL I get a typical certificate warning error (expected) and then if the user accepts the error (depending on the browser) it displays the SSL site I have configured instead of the original non-ssl domain.
I've read up a bit about SNI, but I don't have certificates for each of the other domains and would rather the server either not respond to the SSL request on anything else but one specific domain or redirect to the http version of the site.
Suggestions please as to how I approach this.
Kind regards, Spencer
For security reasons, what you're trying to achieve cannot work.
The browser (which implements the mechanisms to check the certificate) cannot know whether the user typed https:// instead of http:// accidentally or intentionally. Since it's ultimately up to the users to check that https:// is used when they think it's required, browsers should simply perform the actions requested by the users.
A redirection from https:// to http:// should always start with a valid https:// connection. SNI won't help you much there if you can't have valid certificates for the initial connection.
Otherwise, it would be fair for browsers to assume there may be a MITM attack in progress. Typing in https:// explicitly (or using HSTS) is the only reliably mechanism against MITM tools like SSLstrip, which would otherwise be capable of downgrading (or preventing an upgrade from http:// to https://).

If I get an ssl certificate - can I still access my web pages using http?

If I get an ssl certificate - can I still access my web pages using http (instead of https) so they'll load faster?
Or perhaps have the ssl for only certain pages on my site? (I'm using web hosting, perhaps it matters.)
Yes. When you're setting up the certificate, you can configure your server to listen on port 443 (for SSL, where it will serve your certificate) as well as port 80 (where normal HTTP traffic will go). For pages where you absolutely want to have SSL, you'll need to force the user to visit the https:// URL.

Cloudflare over https without port 443 on server

i got a problem with my hosting provider (Mittwald) and Cloudflare.
Over Cloudflare i wanna use the flexible SSL
Cloudflare says:
Flexible SSL: There is an encrypted connection between your website visitors and CloudFlare, but not from CloudFlare to your server.
So if i understand it right, thats exactly what i want!
The User accesses the website over https://example.com but cloudflare is communication with my site over http://example.com so that the not opened port (443) from my provider is not needed?
unfortunately that doesn't work till now... i allways get an error like
err_connection_refused
Any help or hint would be great!
thanks in advance!
That would indicate your site hasn't yet propagated to go through CloudFlare's DNS and is pointing to your local site (where the port is closed and the connection is refused). If SSL is disabled on CloudFlare you would get a protocol error instead.
Therefore the best option would be, if you've waited for the DNS to propagate, to contact CloudFlare support.