启用 SSL 的 Cloudflare 代理如何连接到非 SSL 端点?
How does an SSL-enabled Cloudflare proxy connect to a non-SSL endpoint?
这里是 Cloudflare 新用户。
我有一个 A 记录,但我没有在我指向的服务器上安装任何证书。我知道您可以通过 CF 进行代理,并且 CF 在代理端点上设置了免费的 SSL。
我的问题是:CF 如何安全地连接到我的端点?还是我理解有误?
我的理解:
我 --[启用 SSL]--> CF 代理 --[没有 SSL?]--> 我的服务器
how does CF connect to my endpoint securely?
由于您不提供与端点的安全连接,Cloudflare 无法使用与端点的安全连接。也就是说,只有浏览器和 Cloudflare 之间的连接是安全的,而不是从 Cloudflare 到您的服务器的最终连接。
另请参阅Flexible SSL option您所说的明确指出的问题的描述:
Flexible SSL: A Secure connection between your visitor and Cloudflare, but no secure connection between Cloudflare and your web server. ... This option is not recommended if you have any sensitive information on your website. ...It should only be used as a last resort if you are not able to setup SSL on your own web server. ...
简短的回答是 CloudFlare 不会 通过他们的免费 SSL 证书安全地连接到您的端点。
CloudFlare 提供三种类型的 SSL 设置,默认设置为“flexible”:
Flexible: They'll serve content over HTTPS from their infrastructure, but the connection between them and the origin is unencrypted
Full: Still HTTPS from CloudFlare to the browser but they'll also talk HTTPS to the origin although they won't validate the certificate
Full (strict): CloudFlare issues the certificate and they'll intercept your traffic, but then it's all HTTPS to the origin and the cert is validated as well
虽然来自 CloudFlare 的灵活、免费的 SSL 证书会向您的访问者显示一个安全的 HTTPS 挂锁,但此 method of SSL 仅存在于 CloudFlare 和 ISP 之间,不 CloudFlare 和您的服务器之间。灵活的证书在 50 个不同的域之间共享(向您的访问者显示每个域),但确实可以防止常见的攻击,例如 WiFi 窥探。
灵活:
已满:
完整 证书也加密 CloudFlare 和源站之间的流量,但 CloudFlare 不验证证书。 strict 证书解决了这个问题。
如果不确定您的 SSL 质量,我建议您查看 Qualys' SSL Labs test。
有关此问题的更多信息,请参阅 Troy Hunt's article。
这里是 Cloudflare 新用户。
我有一个 A 记录,但我没有在我指向的服务器上安装任何证书。我知道您可以通过 CF 进行代理,并且 CF 在代理端点上设置了免费的 SSL。
我的问题是:CF 如何安全地连接到我的端点?还是我理解有误?
我的理解:
我 --[启用 SSL]--> CF 代理 --[没有 SSL?]--> 我的服务器
how does CF connect to my endpoint securely?
由于您不提供与端点的安全连接,Cloudflare 无法使用与端点的安全连接。也就是说,只有浏览器和 Cloudflare 之间的连接是安全的,而不是从 Cloudflare 到您的服务器的最终连接。
另请参阅Flexible SSL option您所说的明确指出的问题的描述:
Flexible SSL: A Secure connection between your visitor and Cloudflare, but no secure connection between Cloudflare and your web server. ... This option is not recommended if you have any sensitive information on your website. ...It should only be used as a last resort if you are not able to setup SSL on your own web server. ...
简短的回答是 CloudFlare 不会 通过他们的免费 SSL 证书安全地连接到您的端点。
CloudFlare 提供三种类型的 SSL 设置,默认设置为“flexible”:
Flexible: They'll serve content over HTTPS from their infrastructure, but the connection between them and the origin is unencrypted
Full: Still HTTPS from CloudFlare to the browser but they'll also talk HTTPS to the origin although they won't validate the certificate
Full (strict): CloudFlare issues the certificate and they'll intercept your traffic, but then it's all HTTPS to the origin and the cert is validated as well
虽然来自 CloudFlare 的灵活、免费的 SSL 证书会向您的访问者显示一个安全的 HTTPS 挂锁,但此 method of SSL 仅存在于 CloudFlare 和 ISP 之间,不 CloudFlare 和您的服务器之间。灵活的证书在 50 个不同的域之间共享(向您的访问者显示每个域),但确实可以防止常见的攻击,例如 WiFi 窥探。
灵活:
已满:
完整 证书也加密 CloudFlare 和源站之间的流量,但 CloudFlare 不验证证书。 strict 证书解决了这个问题。
如果不确定您的 SSL 质量,我建议您查看 Qualys' SSL Labs test。
有关此问题的更多信息,请参阅 Troy Hunt's article。