Using a CDN is a great way to optimize your website and protect against DDoS attacks. The process of setting up a CDN is pretty simple, often changing the nameservers on your registrar is as tricky as it gets. But there can be some potential issues. Here is a short guide on how to fix some potential issues when using CDN. The example I’m using is Cloudflare but some of these issues will be the same for other similar CDNs. Some of these issues arise from changing your nameservers to a CDN, others involve Cloudflare’s Flexible SSL. All of these issues are fixable, but it is good to be aware of the issues up front.
Note: The Flexible SSL should not be used for sensitive data. For credit card transactions and personal info “Full SSL” should be used, i.e. there is an SSL certificate on the web server itself. See this guide to adding SSL encryption.
1) Server configuration.
If your server is misconfigured using Cloudflare’s name servers and Flexible SSL can cause problems. Obviously, if you are redirecting visitors to HTTP on the server, then you ask Cloudflare to always redirect people to HTTPS there will be problems. Solution – make sure your server is correctly configured.
2) Cloudflare’s IPs and Visitor IPs.
You may need to whitelist Cloudflare’s IP addresses in .htaccess files…
Allow from 220.127.116.11/20
Allow from 18.104.22.168/22
Allow from 22.214.171.124/22
Allow from 126.96.36.199/22
Allow from 188.8.131.52/18
Allow from 184.108.40.206/18
Allow from 220.127.116.11/20
Allow from 18.104.22.168/20
Allow from 22.214.171.124/22
Allow from 126.96.36.199/17
Allow from 188.8.131.52/15
Allow from 184.108.40.206/12
Allow from 220.127.116.11/13
Allow from 2400:cb00::/32
Allow from 2405:8100::/32
Allow from 2405:b500::/32
Allow from 2606:4700::/32
Allow from 2803:f800::/32
Allow from 2c0f:f248::/32
Allow from 2a06:98c0::/29
Cloudflare acts like a proxy, all traffic to the server appears to be coming from Cloudflare itself. If you wish to know the IP of all visitors to your website you can install mod_cloudflare to your server. There are slightly different instructions here.
3) WordPress and Cloudflare Flexible SSL.
Full SSL or Strict SSL should not need any plugin for WordPress to work normally. Simple free plugins fix the errors with the Flexible SSL and WordPress. Just search the WordPress Plugin Repository for “Cloudflare” and use the plugin that you feel will work the best.
4) PHPMyAdmin and Flexible SSL.
The potential problem is that even after you’ve specified “ForceSSL” and “Absolute URI” in the PHPMyAdmin config, PHPmyadmin can sometimes append “:80” to your domain name when you are redirected after logging in. In some versions of PHPMyAdmin (e.g., 4.1.xx), you end up at a URL which looks like https://www.website.com:80/phpmyadmin/. Using the Flexible SSL you are using port 80 on the server, but the connection between Cloudflare and the user is using port 443. This means that the addition of the “:80” causes an error and does not display PHPMyAdmin until you remove it.
The problem can be fixed in the file phpmyadmin/libraries/Config.class.php. There is a part which checks that port and whether the URL is HTTP or HTTPS.
A solution is from here, you find the following code and fix this by commenting out the last OR condition:
if (! empty($url['port'])
&& (($url['scheme'] == 'http' && $url['port'] != 80)
|| ($url['scheme'] == 'https' && $url['port'] != 80)
//|| ($url['scheme'] == 'https' && $url['port'] != 443)
$pma_absolute_uri .= ':' . $url['port'];
It would be better to use Full SSL for PHPMyAdmin but this is a solution to the problem if you have to use Flexible SSL.
5) Full/Strict SSL or Flexible SSL.
When you first add Cloudflare to your website it will fetch the settings and it will decide whether to use Full SSL if the website has it’s own SSL certificate or Flexible SSL if it does not. If you want to change from Flexible to Full or vice versa after setup, make sure that the website is using the correct setting (Full or Flexible) in the “Crypto” tab.