Cloudflare: Configure Zone settings (Terraform)
Make sure that:

- the WAF is configured in logging-only mode. It must NOT block any traffic yet.
- ~~the zone is in development mode. This would turn off all Cloudflare-side caching.~~ This does not make sense; we have the page rules for this (https://gitlab.com/gitlab-com/gl-infra/infrastructure/issues/8620).
- the TLS origin setting is set to Strict (SSL-Only Origin Pull). This ensures Cloudflare never talks to our origin unencrypted. It also means our HTTP backend would never be reached, so HTTP requests must be redirected to HTTPS within Cloudflare; otherwise a client's plain-HTTP request would be forwarded over TLS to our HTTPS backend as if it had been HTTPS.
- Always Use HTTPS is turned on.
- Minimum TLS Version is set to 1.2 (this is also the currently supported minimum version on our HAProxy).
- Universal SSL is enabled. We will continue to use our regular certificate on the HAProxy fleet for now, but eventually switch to a long-lived certificate issued by the Cloudflare CA to reduce the maintenance burden. Handled in https://gitlab.com/gitlab-com/gl-infra/infrastructure/issues/9391
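The checklist above, expressed as Terraform. This is an added example, not code from this issue or from the gl-infra repositories; it assumes the Cloudflare provider's `cloudflare_zone_settings_override` and (legacy) `cloudflare_waf_package` resources, and that the zone ID and the OWASP WAF package ID are supplied as variables. The setting values (`strict`, `on`, `1.2`, `simulate`) are the provider's string values for the options named in the checklist.

```hcl
# Added example (not the issue's own code): zone settings from the checklist.
# Assumptions: Cloudflare Terraform provider with cloudflare_zone_settings_override
# and the legacy cloudflare_waf_package resource; IDs passed in as variables.

variable "zone_id" {
  description = "Cloudflare zone ID (assumed to be passed in)"
  type        = string
}

variable "owasp_package_id" {
  description = "ID of the zone's OWASP ModSecurity WAF package (assumed to be passed in)"
  type        = string
}

resource "cloudflare_zone_settings_override" "gitlab" {
  zone_id = var.zone_id

  settings {
    # WAF enabled at zone level; block vs. log-only is a per-package mode (below).
    waf = "on"

    # Not in development mode: caching is controlled through page rules instead.
    development_mode = "off"

    # Strict (SSL-Only Origin Pull): Cloudflare only connects to the origin over
    # TLS and validates the origin certificate, so the HTTP backend is never reached.
    ssl = "strict"

    # Redirect plain HTTP at the edge, so a client's HTTP request is never
    # forwarded over TLS to the HTTPS backend as if it were HTTPS.
    always_use_https = "on"

    # Matches the minimum version currently supported on the HAProxy fleet.
    min_tls_version = "1.2"

    # Edge certificate from Cloudflare; origin keeps its own certificate for now.
    universal_ssl = "on"
  }
}

# Logging-only WAF: "simulate" records rule matches without blocking requests.
resource "cloudflare_waf_package" "owasp" {
  zone_id     = var.zone_id
  package_id  = var.owasp_package_id
  action_mode = "simulate"
}
```

After `terraform apply`, the two settings that change client-visible behaviour are easy to verify from outside: a request to `http://<host>/` should answer with a Cloudflare redirect to `https://`, and a TLS 1.1 handshake to the edge should be refused while TLS 1.2 succeeds. Leave the WAF in `simulate` until the logged matches have been reviewed for false positives before switching it to `block`.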
Edited by Graeme Gillies