I’ve been a long-time user of Dreamhost[1] although have, over time, let most of the various projects I host there fall into neglect. On coming back to starting this blog I decided to check out what new things were available along with the standard hosting account. I was quite happy to learn that Dreamhost support Cloudflare® and Let’s Encrypt, so I decided to have a bit of an experiment with them.
HTTPS
You might think, “what’s the point in HTTPS-enabling some stupid little blog?” Well, stop thinking that. Browsers are increasingly moaning when content is served over HTTP. In the US the FCC rules regarding ISP sale of customer browsing data have been overturned, and using HTTPS goes some way towards protecting one’s privacy.
Cloudflare
I was initially looking at doing these steps as a way to create an HTTPS site for zero budget above what I was already paying Dreamhost. And yes, I could just use Dreamhost’s support for Let’s Encrypt directly, but setting up a site via Cloudflare gives some additional benefits, namely having your content served from a global content distribution network, DDoS protection and more. Since it’s free and easy to set up it seems like a no-brainer really.
WWWhatnow?
Dreamhost allow you to set up Cloudflare directly from the panel, however there is a bit of a gotcha with that. Because Dreamhost are keeping management of the DNS, the integration with Cloudflare uses CNAME records for www.domain.com. That’s a bit sucky in all honesty, and if you plan on using a whole bunch of subdomains, app1.domain.com, app2.domain.com and so on, it’s all just going to get a bit ugly.
So I pretty quickly reversed tack on this and unconfigured Cloudflare directly within the Dreamhost Panel.
DNS at Cloudflare
It’s not a great deal more effort to allow Cloudflare to host the DNS for your domain, so that is what I did. This way I can use A records pointing at the IP of my website at Dreamhost and dispense with the added www CNAME.
The astute reader will realise that websites on standard Dreamhost plans can be moved between instances, and hence have their IP change. This is indeed a downside of using this method over the Dreamhost panel. However because both Cloudflare and Dreamhost have APIs this is something that can be managed - more of which in a later post - i.e. I’ve not set it up yet.
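The IP-drift problem above is the kind of thing the two APIs can take care of. The script below is an added example, not the post’s own code and not anything from Dreamhost or Cloudflare: it lists the zone’s A records through Cloudflare’s v4 API, works out which ones no longer point at the origin, and rewrites them. It assumes a Cloudflare API token with DNS edit permission (CF_API_TOKEN), the zone id (CF_ZONE_ID), and that the current origin IP has already been obtained by some means of your own (here it is simply read from ORIGIN_IP); the sample record list is constructed for the offline demo. Each record’s own proxied flag is carried over on purpose, since an A record that silently turns unproxied would publish the origin IP and lose the DDoS shielding the post mentions.

```python
"""Keep Cloudflare A records in step with a Dreamhost origin IP.

Added example, not code from the post or from Dreamhost/Cloudflare. Assumes a
Cloudflare API token with DNS edit permission on the zone, and that the current
origin IP has already been obtained (how you get it from Dreamhost is left to
you; here it comes from the ORIGIN_IP environment variable).
"""
import ipaddress
import json
import os
import sys
import urllib.request

CF_API = "https://api.cloudflare.com/client/v4"

# Constructed sample of what Cloudflare's dns_records listing looks like
# (field subset only); used for the offline demo below.
SAMPLE_RECORDS = [
    {"id": "rec-root", "type": "A", "name": "example.com",
     "content": "203.0.113.10", "proxied": True, "ttl": 1},
    {"id": "rec-app1", "type": "A", "name": "app1.example.com",
     "content": "203.0.113.10", "proxied": False, "ttl": 300},
    {"id": "rec-www", "type": "CNAME", "name": "www.example.com",
     "content": "example.com", "proxied": True, "ttl": 1},
]


def plan_updates(records, new_ip):
    """Return (record_id, new_body) pairs for every A record not yet at new_ip.

    Only A records are touched, and each record's own proxied flag and TTL are
    carried over, so a record that was hidden behind Cloudflare's proxy stays
    hidden after the update (an unproxied A record exposes the origin IP).
    """
    ipaddress.IPv4Address(new_ip)  # reject a malformed address before any API call
    updates = []
    for rec in records:
        if rec.get("type") != "A" or rec.get("content") == new_ip:
            continue
        body = {"type": "A", "name": rec["name"], "content": new_ip,
                "ttl": rec.get("ttl", 1), "proxied": rec.get("proxied", True)}
        updates.append((rec["id"], body))
    return updates


def cf_request(token, method, path, body=None):
    """Minimal Cloudflare v4 API call; raises on HTTP or API-level failure."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(
        CF_API + path, data=data, method=method,
        headers={"Authorization": "Bearer " + token,
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=20) as resp:
        payload = json.load(resp)
    if not payload.get("success"):
        raise RuntimeError("Cloudflare API error: %r" % payload.get("errors"))
    return payload["result"]


def list_a_records(token, zone_id):
    return cf_request(token, "GET",
                      "/zones/%s/dns_records?type=A&per_page=100" % zone_id)


def apply_updates(token, zone_id, updates):
    for rec_id, body in updates:
        cf_request(token, "PUT",
                   "/zones/%s/dns_records/%s" % (zone_id, rec_id), body)


def demo():
    """Offline run against SAMPLE_RECORDS: which records would change?"""
    return plan_updates(SAMPLE_RECORDS, "203.0.113.42")


if __name__ == "__main__":
    if "CF_API_TOKEN" not in os.environ:
        # No credentials: just show the plan for the constructed sample.
        for rec_id, body in demo():
            print("would update", rec_id, "->", body)
        sys.exit(0)
    token, zone_id = os.environ["CF_API_TOKEN"], os.environ["CF_ZONE_ID"]
    pending = plan_updates(list_a_records(token, zone_id), os.environ["ORIGIN_IP"])
    apply_updates(token, zone_id, pending)
    print("updated %d record(s)" % len(pending))
```

Run it with no environment variables to see the plan for the sample records; with CF_API_TOKEN, CF_ZONE_ID and ORIGIN_IP set it performs the updates. Scope the token to that one zone’s DNS rather than using a Global API Key, so a leaked cron-job credential cannot touch anything else.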
End-to-end SSL
In the first instance we have Cloudflare terminating HTTPS connections and forwarding them to a back-end HTTP endpoint at Dreamhost. Wouldn’t it be better if we could force the whole thing to be SSL encrypted? It turns out that this is super-easy because of Dreamhost’s built-in support for Let’s Encrypt SSL certificates. It’s a simple case of applying for a Let’s Encrypt certificate through the Dreamhost panel, then setting your Cloudflare account to either Full or Full (strict). Note that initially Dreamhost install a self-signed certificate, so only Full mode will work until the Let’s Encrypt certificate is installed, after which Full (strict) mode will work too.
In order to force use of HTTPS a page rule can be created on Cloudflare for http:*.domain.com with the action ‘Always use HTTPS’.
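Two things are worth checking once the certificate and the page rule are in place: whether the origin’s certificate actually verifies (the point at which Full (strict) becomes safe to switch on; while the self-signed certificate is still there it will not) and whether a plain-HTTP request really is redirected to HTTPS on the same host. The script below is an added example, not code from the post or from Dreamhost/Cloudflare. It assumes you know the origin IP so that the TLS check can go straight to Dreamhost rather than to the Cloudflare edge, and the domain name and origin IP it is run with are placeholders you substitute.

```python
"""Check an origin for Cloudflare Full (strict) readiness and confirm the
'Always use HTTPS' redirect.

Added example, not part of the original post. Assumes you know the origin IP
(the Dreamhost address, not the Cloudflare-proxied one).

Usage: python check_tls.py example.com 203.0.113.10
"""
import http.client
import socket
import ssl
import sys
from urllib.parse import urlsplit


def origin_cert_verifies(origin_ip, hostname, port=443, timeout=10):
    """Connect directly to the origin with SNI set to hostname and report
    whether its certificate chains to a trusted CA and matches the name.

    Returns (True, notAfter) when verification succeeds, meaning Full (strict)
    is safe; (False, reason) for a self-signed or mismatched certificate,
    meaning only Full mode will work for now.
    """
    ctx = ssl.create_default_context()  # verifies chain and hostname
    try:
        with socket.create_connection((origin_ip, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
                cert = tls.getpeercert()
        return True, cert.get("notAfter")
    except ssl.SSLCertVerificationError as exc:
        return False, exc.verify_message


def fetch_http_response(url, timeout=10):
    """Make one plain-HTTP GET without following redirects; return
    (status, Location header or None)."""
    parts = urlsplit(url)
    conn = http.client.HTTPConnection(parts.hostname, parts.port or 80,
                                      timeout=timeout)
    conn.request("GET", parts.path or "/", headers={"Host": parts.hostname})
    resp = conn.getresponse()
    location = resp.getheader("Location")
    conn.close()
    return resp.status, location


def redirect_is_secure(status, location, expected_host):
    """True only when the response is a redirect to https:// on expected_host.

    This catches both failure modes of a redirect rule: no redirect at all
    (the page is still served over HTTP), and a redirect that sends visitors
    to some other host.
    """
    if status not in (301, 302, 307, 308) or not location:
        return False
    target = urlsplit(location)
    return target.scheme == "https" and target.hostname == expected_host.lower()


if __name__ == "__main__":
    domain, origin_ip = sys.argv[1], sys.argv[2]  # placeholders for your site
    ok, detail = origin_cert_verifies(origin_ip, domain)
    print("origin cert verifies:", ok, "-", detail)
    print("recommended Cloudflare SSL mode:", "Full (strict)" if ok else "Full")
    status, location = fetch_http_response("http://%s/" % domain)
    print("http:// -> %s %s" % (status, location))
    print("redirect to HTTPS on same host:",
          redirect_is_secure(status, location, domain))
```

The origin check deliberately bypasses Cloudflare by connecting to the Dreamhost IP while presenting the real hostname in SNI; that is exactly the validation Cloudflare performs in Full (strict) mode, so a failure here predicts a 526 error if you flip the switch early.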
Paranoid Android
The super-paranoid will point out that you are trusting Cloudflare to terminate SSL traffic, which means that they could theoretically eavesdrop on traffic secured this way. This is true, but I think the additional benefits of a global CDN are worth it.
Update
After working well for months, some problems developed with Dreamhost’s ability to renew the Let’s Encrypt certificate.
Note 1
This is an affiliate link - if you sign up to shared hosting at Dreamhost you’ll get a $50 saving and I’ll get $47 credited to me.