https site (or site secured by ssl certificate)?

[unecomx1]

Hi All!

I'm new to x10hosting.com and just set up a Moodle 2.6 site. x10hosting.com seems like a great way to get started with web hosting, but is it possible to use my newly created site with an ssl certificate so I can serve up https://mysite.x10hosting.com/moodle/ ? I know I can get free ssl certificates using Let's Encrypt's certbot software, but how do I configure an https site within x10hosting.com?

Thanks!

 

[bdistler]

how do I configure an https site within x10hosting.com?

short answer - you can not do that

The current setup for x10hosting's free-hosting servers will not work with SSL or SNI
In the meantime, you can make use of Cloudflare to act as a proxy front-end to your site, and enable SSL through them (so your users would connect to the Cloudflare servers via SSL, and in the backend Cloudflare would pass on that request to us using normal HTTP)

 

[unecomx1]

Thanks for your quick reply, bdistler: both the short answer and the longer answer.

I'm bummed about the short answer, but not terribly surprised.

I'm intrigued by the longer answer (Cloudflare as a proxy front-end to my site). Could you explain? Or perhaps share a link to a site where I could read more about this option? I had no idea it was possible. Interesting from a security perspective too: so it is apparently possible that a user can believe they are connecting strictly over a secure connection (they see https://www.securesite.com in their browser address field) when in fact, a part of the connection may be unsecure. Interesting...

 

[bdistler]

Or perhaps share a link to a site where I could read more about this

here is a link for how to set up CloudFlare on your x10hhosting's free-hosting account --> [ https://x10hosting.com/support/guides/enable-cloudflare?from_search=12904179 ]

 

[caftpx10]

...when in fact, a part of the connection may be unsecure.

Unfortunately, this would be true for something like flexible. The connection would be secure all the way to CF but it would not be encrypted between CF and the server the site is hosted on. So if some MITM attack happens in CF's network then that could be problematic but that is very unlikely to happen. (You would need to be on the same network as CF to capture the requests or something so, if it does not have MITM protection of some kind. At least that would be one way of pulling it off.)

Yes, it is going to be a bit of a fib and yes the free plan offers a cert that does not work with older browsers but it does most certainly work, especially for this configuration.

 

[ajstetson17]

Personally, I strongly dislike Cloudflare's SSL solution, especially flexible SSL. When a visitor visits a website and sees a green lock and an "https" prefix, they assume that their traffic is encrypted all the way to that site. Using flexible SSL is a breach of user trust, as the traffic between Cloudflare and the host is not encrypted.
Now, some people argue that encrypting part of the traffic is better than encrypting none of it. However, I think that the benefits of encrypting the first part of the traffic are outweighed by the drawback of giving a false sense of security to the user. Flexible SSL is just an illusion of security that is presented to your visitors.

Now that I have given my little rant, let me step back and give some advice. If your site is just for development and testing and you need to test its usage over https, than go ahead and use Cloudflare's Flexible SSL. However, if you have a production site that is collecting user data or using logins, I would highly recommend using a different host (possible upgrading to x10premium) in order to use SSL/TLS properly.

 

[bdistler]

Using flexible SSL is a breach of user trust, as the traffic between Cloudflare and the host is not encrypted.

not true...for x10hosting's free-hosting users that use [ cPanel-x3 ] to setup CloudFlare for their account

x10hosting is a [ Optimized Hosting Partner ] with CloudFlare
Optimized Partners offer all the benefits of a CloudFlare Certified Partner, plus [ Railgun ]
see --> [ https://www.cloudflare.com/hosting-partners/ ] - use the [ Filter partners by name: ] to locate x10hosting on the list

[ Railgun ] - is the encrypted & compressed connection between each Cloudflare data center around the world and x10Hosting
NOTE: the words "encrypted & compressed" - it is the HTTP connection to x10hosting that [ Railgun ] accelerates and secures
here is a link to what CloudFlare says about it --> [ https://www.cloudflare.com/railgun ]

 

[caftpx10]

Using flexible SSL is a breach of user trust, as the traffic between Cloudflare and the host is not encrypted.

Yes, this is indeed true for the generic user level plans (free, pro).
Cloudflare did not lie about how the connection would be handled. In fact, they made it clear to those with sufficient technical knowledge via their control panel, help pages and blogs. So that is somewhat good.
Though what is disappointing is the fact that they have not outlined the con's of using flexible. The only con about the free cert options they had outlined is the system and browser compatibility when there is a lot more issues that are present under the hood that are not so obvious to the end users.
The only way you are going to get your own certificate used on CF is if you pay $200 or more. It is ridiculous.
EDIT: As pointed out in a post, Railgun may resolve the primary concern but this seems to start from the business plan also. So if that is not an option..

I had honestly used "Universal" SSL in the past. LetsEncrypt is a thing now so that would allow you to ditch CF right away if the server the site is hosted on supports SSL/TLS (user config), if you do not mind skipping the protection and caching, or/and if you do not want to pay for a certificate.
At the moment, I just use CF for DNS and redirects (for a domain I am migrating away from) only and it proves to be effective on that part. For my VPS, I use LE's certbot and crontab for obtaining certificates and for renewing them (automated) alongside Nginx and that proves to work very nicely. Got some near-perfect results in SSLLabs too (A+).

But yes, I strongly agree about using a server that allows you to use custom certificates when in production and handling user credentials and that flexible should be used for testing. Definitely upgrade when possible.

 

[ajstetson17]

[ Railgun ] - is the encrypted & compressed connection between each Cloudflare data center around the world and x10Hosting
NOTE: the words "encrypted & compressed"

Although this alleviates my concerns a little, I still am against Cloudflare's SSL system. Even with using the Full SSL option, Cloudflare is still decrypting you traffic and then re-encrypting it. They are basically a legal man-in-the-middle. Now because they are very focused on security, there probably isn't that much to worry about but it's still something to consider.

Yes, this is indeed true for the generic user level plans (free, pro).
Cloudflare did not lie about how the connection would be handled. In fact, they made it clear to those with sufficient technical knowledge via their control panel, help pages and blogs. So that is somewhat good.
Though what is disappointing is the fact that they have not outlined the con's of using flexible. The only con about the free cert options they had outlined is the system and browser compatibility when there is a lot more issues that are present under the hood that are not so obvious to the end users.
The only way you are going to get your own certificate used on CF is if you pay $200 or more. It is ridiculous.
EDIT: As pointed out in a post, Railgun may resolve the primary concern but this seems to start from the business plan also. So if that is not an option..

But yes, I strongly agree about using a server that allows you to use custom certificates when in production and handling user credentials and that flexible should be used for testing. Definitely upgrade when possible.

Couldn't agree with you more.

At the moment, I just use CF for DNS and redirects (for a domain I am migrating away from) only and it proves to be effective on that part. For my VPS, I use LE's certbot and crontab for obtaining certificates and for renewing them (automated) alongside Nginx and that proves to work very nicely. Got some near-perfect results in SSLLabs too (A+).

This literally sounds exactly like my setup.


Just wanted to add that anyone considering using Cloudflare's SSL should really read this article before deciding: https://scotthel.me/cfup

 

[bdistler]

Just wanted to add that anyone considering using Cloudflare's SSL should really read this article before deciding:...

your link is from 21 Feb 2014 and has no reference to or about Cloudflare's [ Railgun ]

BTW as for - idea of having a man in the middle of the secure transport layer - NSA and others have no trouble (i.e. can do it with ease} reading and decoding - SSL or SNI encoding ( or encryptation ) off of the "Internet"

IMO - this thread is about a x10hosting's free-hosting account that has a main domain which is a sub-domain of a x10hosting's domain - and is looking for infomation about using SSL and SNI - and NOT about a VPS account or a server in a data center or a dedicated server - you should start your own thread

 

[SierraAR]

As a side note, if StartCom LTD's process is anything to go by, you cannot create and authenticate SSL certificates off of a subdomain alone. The certificate would have to be generated through a certificate signing request assigned to the main domain (x10host.com/x10hosting.com/x10.mx/etc). You would then have to either A: Have a wildcard based (*.x10host.com) SSL Certificate (Which is considered less 'secure' depending on who you ask), or B: have a new SSL certificate requested through the certificate authority for each subdomain that is getting SSL.

Combine that with the fact that in most cases an SSL certificate is /not/ free, and you come across a rather clear issue with providing SSL/HTTPS through a free hosting service.

Based on the above, one could argue that a parked domain owned by yourself can be used for the above process; I don't believe that will work either based on previous posts in this thread. I'm going to admit here that I, personally, don't fully know how setting up individual SSL certificates on a service with this many separate websites works out; I've only handled that level of setup/configuration on a personal VPS that hosts a single website with a couple subdomains.

Hopefully that helps explain some things.

 

[ajstetson17]

Alright so this is going to be my last post in this thread as I feel it is getting a bit derailed. I already gave my advice to the OP: use flexible SSL for testing and, if possible, get a real SSL Cert for production.

As for you @bdistler, it is apparent that we have differing opinions on this issue and that is perfectly fine. I have my opinions and you have yours and we can move on with our own lives and build our websites how we wish.
Trying to make this thread more useful for the OP, I feel there is a lot of information in this thread presented from two sides (in terms of Cloudflare SSL) so the OP can decide for themself what they want to do with their own website.

your link is from 21 Feb 2014 and has no reference to or about Cloudflare's [ Railgun ]

I never said it had to do with Railgun. I simply was pointing out an informative article on the issue. Also, although it is old, many of the points still are applicable today.

BTW as for - idea of having a man in the middle of the secure transport layer - NSA and others have no trouble (i.e. can do it with ease} reading and decoding - SSL or SNI encoding ( or encryptation ) off of the "Internet"

Don't know what you are pointing out here or why you are mentioning the NSA unless it is in reference to the pictures in the articles. If that's the case, you should know those pictures are from Cloudflare themself, not the writer. But yes: the NSA can probably can break encryption on the internet.

this thread is about a x10hosting's free-hosting account that has a main domain which is a sub-domain of a x10hosting's domain - and is looking for infomation about using SSL and SNI - and NOT about a VPS account or a server

Fair point. I did go off on a little tangent.