How to Setup Cloudflare SSL and Always Use HTTPS?

Cloudflare is one of the largest CDN and security service providers for web properties. Setting up SSL/TLS is the first thing you should ensure after adding your site in Cloudflare. Since browsers will show “Not Secured” message without HTTPS, you also need to enable “Always Use HTTPS” option in Cloudflare account. In this article, I will show you how to enable SSL and force HTTPS in Cloudflare.

Install SSL On Your Site

Before going to Cloudflare, make sure you have installed valid SSL certificate on your site. Most of the hosting companies offer free SSL from Let’s Encrypt and automatically renews it. If your site is showing a padlock symbol before your URL in the browser’s address bar, then you are already using SSL on your site. If you are setting up a new site, then first make sure to install a SSL certificate before adding your site in Cloudflare. Here are the general steps:

• Login to your hosting account.
• Find Let’s Encrypt SSL option possibly under Security section.
• Select your domain name and install the certificate.
• Check your domain is opening with secured HTTPS protocol in browser.

Below is how it will look in SiteGround hosting account.

Contact your hosting company if you want to install a premium SSL from trusted certification authority or from Cloudflare CA.

Adding Your Site in Cloudflare

In this article, I am not explaining the detailed process of adding your site. Check out the article on how to add your WordPress site in Cloudflare and below is the summary. You can follow the steps for websites using any content management platform as long as they are accessible online.

• Create a new Cloudflare account or login to your existing account and click “Add a Site” button.

• Enter your domain name, select your plan and scan the DNS records.
• Change the DNS servers to point your domain to Cloudflare.
• Wait for sometime for the DNS propagation to complete and click “Check nameservers” button.
• If the DNS changes are reflected, you will see a success message. Otherwise, wait few hours and then try again.

Setup SSL in Cloudflare

Follow the below steps after adding your site.

• Select your site from Cloudflare dashboard section.
• Go to “SSL/TLS > Overview” section from the left sidebar.
• You will see multiple options in right side pane and select “Full” option.
• Your selection will be automatically saved.

SSL/TLS encryption needs two secure connections – one is from browser to Cloudflare and the next is from Cloudflare to your hosting server as shown in the above picture. Selecting “Full” is the best option with free SSL certificate installed on your hosting server. Here is a bit more about all the available options and when you can use them:

• Off (not secure) – As mentioned, selecting “off (not secure)” will not use SSL and browsers will show your site as “Not Secured” in the address bar.
• Flexible – This option is helpful if you are not able to configure HTTPS on your hosting server. In this case, the traffic from browser to Cloudflare will use HTTPS and any traffic to origin server will use HTTP.
• Full – Selecting “Full” is the best option with free SSL certificate installed on your hosting server. Here, Cloudflare will use HTTPS for connecting to your server using the self-signed SSL issued from Let’s Encrypt without any verification.
• Full (Strict) – This offers maximum security over end-to-end encryption as Cloudflare will verify the certificate installed on your hosting server. Choose this option only when you have a trusted certificate installed on your server.

Checking SSL Certificate Status

After enabling “Full” option, your site will NOT immediately use SSL. Follow the below steps to check the SSL status in Cloudflare:

• Go to “SSL/TLS > Edge Certificates” section in your Cloudflare account.
• Check the “Status” column is showing as “Active”. You can click on the status to view more details about the issued certificate.
• If the status shows “Authorizing Certificate”, then you need to wait till it becomes “Active”.
• Cloudflare needs up to 24 hours to authorize SSL certificate for free users. If you are using Pro or other premium plan, it will just take 15 minutes for the authorization.

Force HTTPS in Cloudflare

Once SSL is authorized, the next step is to force the connection to use HTTPS.

• Go to “SSL/TLS > Edge Certificates” section.
• Scroll down and find “Always Use HTTPS” option.
• Turn on the switch to force HTTPS for all your traffic.

This will setup 301 redirects for all HTTP requests to use HTTPS connection. For example, if a user tries to open http://yoursite.com/page1.html, Cloudflare will automatically redirect the page to https://yoursite.com/page1.html. You should also make sure to force HTTPS on your hosting server, so that the end-to-end encryption always use secured HTTPS connection.