WirelessPhreak.com

travel, science, technology, and all other geeky things
Follow Me

Since Google's announcement that SSL affects your page ranking encrypting your blog has become even more important. This post goes through the steps for securing your google blog using SSL and CloudFlare, These steps can be applied to other sites and services, but I use Google's Blogger platform because its easy,  That being said the Blogger platform does limit your ability to perform lower level modification like securing your site using SSL and I will go over a few issues I ran into.

After playing around with CloudFlare for a couple weeks it's obvious their primary focus is caching and DDOS prevention, but they offer much more. CloudFlare's free offering is very robust and gives you a lot to experiment with. I used it to front my entire blog since my requirements were very minimal.

So what you need to get started:
  • Your own domain
  • Set up your blogger page to use the custom domain. They have really good directions that walk you through the process.
  • Create a free CloudFlare account.
  • Import your DNS
  • Login into your DNS hosting company and change the DNS servers to the servers CloudFlare has identified
  • Then wait up to 24hr mine was pretty instantaneous since the TTLs were set pretty low.
  • Your site is now on CloudFlare  
Now for the fun tweaks: 

  Felixiable SSL was on by default.  This is the setting you will need for your Blogger or Wordpress sites since those services do not allow you to implement your own SSL. Basically CloudFlare sets up SSL offload using a SAN certificate that includes your domain. Once CloudFlare decrypts the traffic it is sent to your site non encrypted.  This is an awesome service but it did cause me some issues, and at least with blogger it will pose some ongoing issues.

  • The first issue I experienced was intermittent interruption with the CloudFlare SSL service. I opened a ticket with them and they identified the template I was using was calling insecure pages.  There systems identified this and would temporarily disable Flexible SSL.  They pointed out the offending files and I was able to modify the template I was using to fix the issue.  The CloudFlare tech also pointed me to a useful article outlining how to enable SSL for a Wordpress site, here is the article https://support.cloudflare.com/hc/requests/558717
  •  The second issue is related to the first but was not actually causing any service interruptions. As you have probably seen the lock for my site is not green or has an "!" next to it.  This is because the images that where originally used in my blog were absolute http links.  This forces the browser who knows it has a secure connection to my website, to display non secure content, images that are not hosted on Google and are not SSL. This causes the mixed content error in the browser. I will be working on cleaning this up moving forward. 

Page Rules 
was one of the more exciting and powerful surprises offered by CloudFlare. They allow 3 page rules with your free account.  I work with load balancers everyday and this single page of rules really ads flexibility that companies pay a lot of money for. So for my SSL rule I wanted my page to always be redirected to SSL so I created one page rule "http://*.wirelessphreak.com/* HTTPS always redirect" that forces all traffic to my site over SSL. It worked great and was super easy to set up.

The last pleasant surprise was the analytics. I have google analytics and it has become the defacto standard on the internet.  But what CloudFlare bring in addition to google analytics is their breakdown of not only unique visitors but the ratio of cached content and served content. It also does a nice job of showing you what percentage of your traffic served was encrypted and not encrypted.

All and All it seems to be a cool service. I and I look forward to playing with it some more.