CloudFlare and SSL

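Security is always a website's first priority. Under Google Chrome's latest practice, every site without SSL is marked as unsafe, so a website is of course better off with SSL.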

Problem

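After deploying SSL, the site started failing with "redirected you too many times." It was baffling: why would this happen when I had clearly not set up any endless redirect? I then switched to another domain and found that it could be accessed normally.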

Solution

The problem lies with the CloudFlare CDN, because CloudFlare is a proxy. In CloudFlare, open Crypto and change the SSL setting there to Full (strict).

Analysis

The official descriptions of the options are:

  • Off: No visitors will be able to view your site over HTTPS; they will be redirected to HTTP. In short: everything goes over HTTP and HTTPS is not enabled.
  • Flexible SSL: You cannot configure HTTPS support on your origin, even with a certificate that is not valid for your site. Visitors will be able to access your site over HTTPS, but connections to your origin will be made over HTTP. Note: You may encounter a redirect loop with some origin configurations. In short: HTTPS is provided automatically for visitors, but a redirect loop may occur.
  • Full SSL: Your origin supports HTTPS, but the certificate installed does not match your domain or is self-signed. Cloudflare will connect to your origin over HTTPS, but will not validate the certificate. In short: the server supports HTTPS, and CloudFlare connects to it over HTTPS directly without validating the certificate.
  • Full SSL (strict): Your origin has a valid certificate (not expired and signed by a trusted CA or Cloudflare Origin CA) installed. Cloudflare will connect over HTTPS and verify the cert on each request. In short: the server has a valid certificate, and CloudFlare validates it.

In my case, with Let's Encrypt added, Full SSL (strict) is the best choice.
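
The redirect loop under Flexible, and why the Full modes avoid it, shown as an added example that is not part of the original post: a small offline model in Python. The `Origin` class, the mode strings, `example.com` and the 20-redirect limit are assumptions made for the illustration, and the origin is assumed to redirect every plain-HTTP request to HTTPS.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit

MAX_REDIRECTS = 20  # assumed browser limit before "too many redirects" is shown


@dataclass
class Origin:
    """Constructed model of the origin web server behind the proxy."""
    force_https: bool = True  # origin answers plain HTTP with a 301 to HTTPS
    cert_valid: bool = True   # unexpired certificate from a trusted CA

    def handle(self, scheme, host, path):
        if scheme == "http" and self.force_https:
            return 301, f"https://{host}{path}"
        return 200, None


def edge_fetch(mode, origin, host, path):
    """Response the proxy relays to a visitor who asked for https://host/path."""
    if mode == "flexible":
        return origin.handle("http", host, path)   # origin leg is plaintext
    if mode == "full":
        return origin.handle("https", host, path)  # certificate not checked
    if mode == "strict":
        if not origin.cert_valid:
            return "origin_cert_rejected", None    # proxy refuses the origin
        return origin.handle("https", host, path)
    raise ValueError(f"unknown mode: {mode}")


def browse(mode, origin, url="https://example.com/"):
    """Follow redirects like a browser; return (outcome, redirects followed)."""
    redirects = 0
    while True:
        parts = urlsplit(url)
        status, location = edge_fetch(mode, origin, parts.netloc, parts.path or "/")
        if status != 301:
            return status, redirects
        if redirects == MAX_REDIRECTS:
            return "too_many_redirects", redirects
        redirects += 1
        url = location


if __name__ == "__main__":
    for mode in ("flexible", "full", "strict"):
        print(mode, browse(mode, Origin()))
```

With `force_https=False` the Flexible mode loads without a loop, but the proxy-to-origin leg is still unencrypted. Full accepts an origin whose certificate is invalid, and only Full (strict) rejects it.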