
SSL/TLS settings

Once you have confirmed that Cloudflare's SSL/TLS is working correctly, you will likely want to customize your SSL/TLS settings.


Encryption mode

Your zone’s SSL/TLS Encryption Mode controls how Cloudflare manages two connections: one between your visitors and Cloudflare, and the other between Cloudflare and your origin server.

flowchart LR
    accTitle: SSL/TLS Encryption mode
    A[Browser] <--Connection 1--> B((Cloudflare))<--Connection 2--> C[(Origin server)]

Basic setup

The easiest way to choose an encryption mode is to enable the SSL/TLS Recommender, which scans your domain and recommends the appropriate setting.

To make sure you do not inadvertently block the SSL/TLS Recommender, review your settings to make sure your domain:

  • Is accessible.
  • Is not blocking requests from our bot (which uses a user agent of Cloudflare-SSLDetector).
  • Does not have any active, SSL-specific Page Rules or Configuration rules.

Then, you can enable SSL/TLS recommendations in the dashboard:

  1. Log in to the Cloudflare dashboard and select your account and application.
  2. Go to SSL/TLS.
  3. Switch the SSL/TLS Recommender toggle to On.

Once enabled, the SSL/TLS Recommender runs an origin scan using the user agent Cloudflare-SSLDetector and ignores your robots.txt file (except for rules explicitly targeting the user agent).

Based on this initial scan, the Recommender may decide that you could use a stronger SSL encryption mode. It will never recommend a weaker option than what is currently configured.

If so, it will send the application owner an email with the recommended option and add a Recommended by Cloudflare tag to that option on the SSL/TLS page. You are not required to use this recommendation.

If you do not receive an email, keep your current SSL encryption mode.
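The checklist above can be verified from the origin side before turning the Recommender on. The following added example (not part of Cloudflare's documentation) finds robots.txt rules that explicitly target Cloudflare-SSLDetector and access-log entries where the origin refused that user agent. The robots.txt text, the log lines, the combined log format and the function names are all assumptions constructed for illustration.

```python
import re

SCANNER_UA = "cloudflare-ssldetector"  # user agent named on this page, lowercased

# Constructed sample inputs (not taken from any real site).
ROBOTS_TXT = """\
User-agent: *
Disallow: /

User-agent: Cloudflare-SSLDetector
User-agent: ExampleBot
Disallow: /admin/
Disallow:
"""
ACCESS_LOG = [  # assumed format: Apache/nginx "combined" access log
    '198.51.100.7 - - [01/Jan/2024:00:00:01 +0000] "GET / HTTP/1.1" 403 153 "-" "Cloudflare-SSLDetector"',
    '198.51.100.8 - - [01/Jan/2024:00:00:02 +0000] "GET / HTTP/1.1" 403 153 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [01/Jan/2024:00:00:03 +0000] "GET /health HTTP/1.1" 200 2 "-" "Cloudflare-SSLDetector"',
]
LOG_RE = re.compile(r'"\S+ (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')

def explicit_scanner_rules(robots_txt):
    """Disallow paths from groups that name the scanner explicitly (wildcard groups skipped)."""
    blocked, agents, in_rules = [], [], False
    for raw in robots_txt.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and padding
        if ":" not in line:
            continue
        field, value = (part.strip() for part in line.split(":", 1))
        field = field.lower()
        if field == "user-agent":
            if in_rules:  # a rule line closed the previous group
                agents, in_rules = [], False
            agents.append(value.lower())
        elif field in ("allow", "disallow"):
            in_rules = True
            # An empty Disallow value blocks nothing, so it is not reported.
            if field == "disallow" and value and SCANNER_UA in agents:
                blocked.append(value)
    return blocked

def denied_scanner_requests(log_lines):
    """(path, status) for scanner requests the origin answered with a 4xx/5xx."""
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if m and SCANNER_UA in m["ua"].lower() and int(m["status"]) >= 400:
            hits.append((m["path"], int(m["status"])))
    return hits

if __name__ == "__main__":
    print("robots.txt rules aimed at the scanner:", explicit_scanner_rules(ROBOTS_TXT))
    print("scanner requests denied by the origin:", denied_scanner_requests(ACCESS_LOG))
```

A non-empty result from either function points at a WAF rule, server configuration or robots.txt entry to review before enabling the Recommender.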

Secure setup

When possible, Cloudflare recommends using Full or Full (strict) modes to protect your origin from malicious connections.

These modes usually require additional setup and can be more technically challenging.


Enforce HTTPS connections

Even if your application has an active edge certificate, visitors can still access resources over unsecured HTTP connections.

Using various Cloudflare settings, however, you can force all or most visitor connections to use HTTPS.


Evaluate additional features

After you have chosen your encryption mode and enforced HTTPS connections, evaluate the following settings:

  • Edge certificates: Customize different aspects of your edge certificates, from enabling Opportunistic Encryption to specifying a Minimum TLS Version.
  • Authenticated origin pull: Ensure all requests to your origin server originate from the Cloudflare network.
  • Notifications: Set up alerts related to certificate validation status, issuance, deployment, renewal, and expiration.