1
votes

I'm looking for a method to confirm traffic between an origin server and the CloudFlare CDN is encrypted with HTTPS.

I have a Let's Encrypt SSL cert installed on the origin server and at the CloudFlare CDN, I have CloudFlare's universal free generated SSL cert installed.

With caching activated, the browser sees the CloudFlare SSL cert. With caching deactivated, the browser sees the Let's Encrypt SSL cert. So both certs are working fine. But with caching activated, I can't actually see what's happening between the origin and the CDN.

In CloudFlare I have Full (Strict) SSL activated. Ostensibly this means traffic is encrypted between the origin and CDN. But is there a way to confirm this independently?

cloudflare crypto

One method I know is to use Netstat at the origin to check which port is taking the traffic. Netstat is installed but I don't have root SSH access to it. ss is not installed. I do have Python installed and was able to execute a Hello World python script. I don't have Java installed. wget works and can download files. Is there any other method?

1
What access do you have to your server? - Hack-R
@Hack-R cPanel and SSH access without sudo privileges. So if there's another command line program similar to netstat, feel free to mention it as it may be installed. And may have value to others regardless. - James Jones
Is Java and/or Python installed? Can you wget and run jar or py programs? Also, see if ss is installed. Netstat was deprecated by ss. - Hack-R
@Hack-R Edited main q with answers to your questions. - James Jones
OK great so you can use Python to do this then. from socket import * - Hack-R

1 Answer

0
votes

Assuming Apache, modify your VirtualHost, add an entry to check and modify your logs.

Here's an answer, https://serverfault.com/a/359482/266552


Option 2, log the port

Here's an answer from that same thread, https://serverfault.com/a/665620/266552


Option 3, redirect all HTTP requests to HTTPS.


Option 3a, you could use mod_rewrite:

RewriteEngine On
# This will enable the Rewrite capabilities

RewriteCond %{HTTPS} !=on
# This checks to make sure the connection is not already HTTPS

RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]
# This rule will redirect users from their original location, to the same location but using HTTPS.
# i.e.  http://www.example.com/foo/ to https://www.example.com/foo/
# The leading slash is made optional so that this will work either in httpd.conf
# or .htaccess context

https://wiki.apache.org/httpd/RewriteHTTPToHTTPS


Option 3b, an alternative without mod_rewrite:

<VirtualHost *:80>
   ServerName mysite.example.com
   DocumentRoot /usr/local/apache2/htdocs
   Redirect permanent / https://example.com/
</VirtualHost>
<VirtualHost _default_:443>
   ServerName mysite.example.com
   DocumentRoot /usr/local/apache2/htdocs
   SSLEngine On
   # etc...
</VirtualHost>

Replace #etc... with the rest of your configuration.

https://wiki.apache.org/httpd/RedirectSSL
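
One way to act on the log-based options above with only Python and read access to the access log, as an added example that is not part of the original answer. It assumes the VirtualHost logs with `LogFormat "%h %{local}p %{SSL_PROTOCOL}x \"%r\" %>s"` (mod_ssl loaded, `-` logged when there is no TLS) and uses a partial list of Cloudflare's published IPv4 ranges; the function names and sample lines are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Partial list of Cloudflare's published IPv4 ranges (assumption: refresh it
# from https://www.cloudflare.com/ips/ before relying on the result).
CDN_RANGES = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "104.16.0.0/13", "172.64.0.0/13", "162.158.0.0/15")]

# Matches the assumed LogFormat: %h %{local}p %{SSL_PROTOCOL}x "%r" %>s
LINE_RE = re.compile(
    r'^(?P<ip>\S+) (?P<port>\d+) (?P<tls>\S+) "(?P<req>[^"]*)" (?P<status>\d{3})$')

def classify(line):
    """Return (bucket, fields); bucket is cdn_tls, cdn_plain, direct or unparsed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return "unparsed", None
    try:
        ip = ipaddress.ip_address(m["ip"])
    except ValueError:  # %h logged a hostname or something else
        return "unparsed", None
    if not any(ip in net for net in CDN_RANGES):
        return "direct", m.groupdict()
    # "-" in the SSL_PROTOCOL column means the request did not arrive over TLS.
    return ("cdn_tls" if m["tls"] != "-" else "cdn_plain"), m.groupdict()

def summarize(lines):
    """Count requests per bucket and collect CDN requests that were plaintext."""
    counts, plaintext = Counter(), []
    for line in lines:
        bucket, fields = classify(line)
        counts[bucket] += 1
        if bucket == "cdn_plain":
            plaintext.append(fields)
    return counts, plaintext

# Constructed sample lines, not real traffic.
SAMPLE = """\
172.68.10.5 443 TLSv1.3 "GET / HTTP/1.1" 200
162.158.90.17 443 TLSv1.2 "GET /style.css HTTP/1.1" 200
104.23.1.9 80 - "GET /old-page HTTP/1.1" 301
198.51.100.7 80 - "GET / HTTP/1.1" 301
garbage line
""".splitlines()

if __name__ == "__main__":
    counts, plaintext = summarize(SAMPLE)
    print(dict(counts))
    for f in plaintext:
        print("plaintext from CDN:", f["ip"], f["port"], f["req"])
```

Any `cdn_plain` entry means a request from a CDN address reached the origin without TLS; with Full (Strict) working as intended, that bucket should stay at zero.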