I pay quite a bit to host all of my websites, ranging from jamiebalfour.co.uk (the original), to jamiebalfour.me (an addon domain), jamiebalfour.scot (my personal website, now with HTTPS), clickit.education and finally, zenlang.net.
Since version 1.5 will rename the syntax of ZPE, zenlang will no longer be the valid name. On top of this, the website has received much less attention from myself and has been left a bit of a mess. As a result, zenlang.net will no longer remain online from next year when it goes up for renewal. I will leave it as a subdomain (which is always available too at http://zenlang.jamiebalfour.scot.) for the future and will probably work on it for a while before I relaunch it with the new name.
CloudFlare is a content delivery network (CDN) that makes delivery of your website much faster and much more secure. It's great and it definetly took a lot of the demand away from my shared server. On top of that, it meant that when the server my website is hosted on went down it was there to step in a display static content from the cached version of my website that it had.
I've enjoyed CloudFlare for the last two or three years and found it to be the most valuable tool used with my website. But now I've been contemplating it's use. For four or five months I've been trying to get SSL (TLS nowadays) to work on my website and to display that HTTPS padlock on the client's browser when they visit my website. I bought a certificate for £13 in February but due to unforeseen circumstances I did not manage to get round to installing it until about April or May. When it was installed it did not work so I went straight to my web host's customer service team to get them to investigate. After four or five times getting in touch and being told it was installed several times, I though that there must be something wrong with this. At first I assumed the dedicated IP was the problem. Then realised something else.
A little explanation of how CloudFlare works
How CloudFlare works
CloudFlare acts like the man in the middle, protecting your website and sending information to the people who are expecting it. It's a great idea and it works well. But one of the key concepts of SSL is this:
You are connecting to the website that holds the certificate and that you are not connecting to some other website instead.
In other words when you initiate a connection to jamiebalfour.scot, you are expecting jamiebalfour.scot. Not jamiebalfour.cloudflare.com or something. The man in the middle could be perceived by the browser as being a man in the middle attack but really it is just CloudFlare's CDN trying to send the data. So what happens next? The browser in turn says the SSL certificate is invalid or the website that is trying to be reached is not the one that is coming in to the browser (in this case it will be CloudFlare's website that is coming in). This in turn means that the browser dismisses the website claiming it to be fraudulent.
The result
You simply cannot have a HTTPS website and CloudFlare unless you pay for a custom certificate from them. This causes problems with my website which is now using HTTPS. I have decided to leave out CloudFlare, at least for the next few months and I will be trying to rectify this problem from time to time in the hope that I can fix it so from time to time you may get SSL errors. I will say that my website performs reasonably well under general use without CloudFlare's assistance, but it does add a lot of security improvements as well as taking a considerable chunk of the stress from my origin server, but for the next few months my website will continue without it.
