You’d think that SSL would be easy, and apparently it is once you guess at it long enough.

One of the milestones that we’ve decided to focus on before the game leaves beta and finally launches is to have SSL enforced on all of our URLs. Is it for security? I guess by definition it is, but there’s a better reason to get SSL implemented...

Just look at that sexy secure connection lock!

So, how do we implement this gorgeous lock? Go to Cloudflare > SSL/TLS > Strict. Bam. Lock enabled. Easy right?

Wrong.

Turns out you can’t just enable SSL and call it a day if you connect to a non-SSL server from the SSL page. You need to sign a certificate and implement it on your server. Okay, that sounds easy enough. There are plenty of guides for Apache, IIS, NGINX, cPanel… Okay, where’s the custom software guide? Well, there isn’t one.

After following a handful of guides and several coffees, I ended up giving up. It’s tomorrow’s problem.

The solution?

We had a side problem with account verification emails where users weren’t able to reach the verification URL due to a lack of proper SSL implementation. A user took out the port from the verification email and found out the browser just defaults to port 80 anyway, so there was no reason to be posting that in the URL. When removed, the browser just assumes that Cloudflare’s SSL certificate is correct and proceeds normally.

So what’s the solution? Enable Cloudflare’s SSL as Flexible, enable SSL on the website, but don’t enable SSL on the game server. Cloudflare will encrypt all traffic from the client to the website, but not from there to the game server. It’s not the perfect solution, as someone could technically do a MITM attack, but as SSL is enabled between the client and the website, their data is only in a compromising position between the game server and Cloudflare’s servers.
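To see which Cloudflare mode a custom server can actually support, the origin leg can be probed directly. The following is an added example, not code from this post or from Cloudflare; the function name `probe_origin`, its parameters and its result labels are assumptions made for illustration.

```python
import socket
import ssl

# What each result means for the Cloudflare SSL/TLS mode setting.
ADVICE = {
    "full-strict": "origin certificate validates: Full (strict) will work",
    "full": "origin speaks TLS but the certificate does not validate: only Full will work",
    "flexible-only": "port is open but does not complete a TLS handshake: only Flexible will work",
    "unreachable": "nothing accepted a connection on that address and port",
}


def probe_origin(origin_addr, port, hostname, timeout=3.0, cafile=None):
    """Classify the Cloudflare-to-origin leg with one verified TLS handshake.

    origin_addr: address of the server itself (the public name resolves to
                 Cloudflare, so connect to the origin directly).
    hostname:    name the origin certificate must cover (sent as SNI).
    cafile:      optional PEM bundle to trust instead of the system store,
                 for example an origin CA root you have downloaded.
    """
    try:
        raw = socket.create_connection((origin_addr, port), timeout=timeout)
    except OSError:
        return "unreachable"

    # Default context: certificate chain and hostname are both verified.
    # When cafile is given, only that bundle is trusted.
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with raw, ctx.wrap_socket(raw, server_hostname=hostname):
            return "full-strict"
    except ssl.SSLCertVerificationError:
        # A certificate was presented, so TLS works; it is just self-signed,
        # expired, or issued for a different name.
        return "full"
    except OSError:
        # Covers ssl.SSLError (plaintext reply), resets and timeouts.
        return "flexible-only"


if __name__ == "__main__":
    # Constructed sample values: 192.0.2.10 is a documentation address.
    result = probe_origin("192.0.2.10", 443, "game.example.test")
    print(result, "-", ADVICE[result])
```

A result of `flexible-only` matches the setup described above: the browser-to-Cloudflare leg is encrypted while the Cloudflare-to-origin leg is plaintext.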

End of part 1.

While I am admitting defeat, it is nice to admit defeat with a gold medal. At the end of the day, it does need to be fixed, but on the plus side, we did end up getting that gorgeous SSL badge and a game that still works.

When possible I’m going to dig more into setting this up again, but at the moment it’s low on the priority list.
