by mlissner 3669 days ago
That doesn't actually create a properly encrypted connection. It only encrypts between the user and the site (at CloudFlare), not between the site and Github. Without that last hop being encrypted, you have to weigh whether this is an improvement or not.
3 comments

It significantly decreases the attack surface, since most of the connection will be encrypted inside CloudFlare's network or over HTTPS. Should be a clear win for most cases.
You can now actually use CloudFlare to issue a custom certificate for your origin server that it will accept (CloudFlare Origin CA), but of course GitHub pages won't support installing it.
Yes it does - this is all a setting you can choose and since Github does support HTTPS (and has for a while) you can always set it on "strict" and ensure a continuous encrypted connection on both sides of CloudFlare.
But what certificate will Github present for your custom domain? I don't think you can tell CF to accept Github Pages' cert for your own domain. They either use their own CA or don't do auth, right? At least on non-enterprise plans.
CloudFlare is what serves your custom domain.

On the backend you point CloudFlare to https://username.github.io and CF will receive the wildcard certificate for *.github.io

This is where the breakdown is. Cloudflare will get the certificate for *.github.io, however it is making the request for the custom domain. It is unable to validate the certificate.

It is impossible to enable "strict" SSL mode, because it cannot validate the certificate. And as such, a bad actor, if able to trick Cloudflare into resolving username.github.io to themselves, could use any SSL certificate they choose.

This is admittedly an edge case, but in such an event, the end user would see a trusted certificate and be proxied to a bad site.
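Worked illustration of the mismatch the comment above describes. This is an added example, not code from the thread, from Cloudflare or from GitHub: it implements the wildcard hostname-matching rule a TLS client applies (RFC 6125 style, one whole-label `*` in the leftmost position only, matching exactly one label) and runs it against the situation in the thread, where the proxy requests the custom domain but the origin presents a `*.github.io` certificate. The SAN list is a constructed sample modelled on the thread's `*.github.io`, and the three mode names ("flexible", "full", "strict") and their meanings are taken from the commenters' descriptions, not from any Cloudflare API.

```python
"""Why "strict" origin validation cannot succeed for a custom domain
fronting GitHub Pages: the certificate names never cover the host the
proxy asked for.

Added example; not the thread's, Cloudflare's or GitHub's code.
"""


def hostname_matches(cert_name: str, host: str) -> bool:
    """Return True if a DNS name from a certificate's SAN list covers host.

    Implements the common client rule: case-insensitive exact match, or a
    wildcard that is the entire leftmost label ('*.github.io'), covers
    exactly one label, and sits under at least two fixed labels so that
    '*.io' is never accepted. Partial-label wildcards ('f*.github.io')
    are rejected, as most TLS stacks do.
    """
    cert_name = cert_name.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in cert_name:
        return cert_name == host

    labels = cert_name.split(".")
    if labels[0] != "*" or len(labels) < 3 or "*" in cert_name[2:]:
        return False  # wildcard not whole-leftmost, or too high up

    host_labels = host.split(".")
    if any(lbl == "" for lbl in host_labels):
        return False  # malformed host such as 'a..github.io'
    # '*' covers exactly one label: same label count, identical tail.
    return len(host_labels) == len(labels) and host_labels[1:] == labels[1:]


def origin_validates(cert_sans, requested_host: str) -> bool:
    """True if any SAN entry on the origin's certificate covers the host
    the proxy connected for (the TLS SNI / Host header value)."""
    return any(hostname_matches(name, requested_host) for name in cert_sans)


# Constructed sample SAN list, modelled on the '*.github.io' wildcard the
# thread mentions. It is not a copy of GitHub's real certificate.
SAMPLE_GITHUB_PAGES_SANS = ("*.github.io", "github.io")


def proxied_request_outcome(mode: str, cert_sans, requested_host: str) -> str:
    """Model the three origin modes as the commenters describe them.

    'flexible': plain HTTP to the origin, nothing encrypted on that hop.
    'full':     TLS to the origin, certificate accepted without checking
                its names (any certificate, including a self-signed one
                presented by whoever answers for the origin, is accepted).
    'strict':   TLS to the origin, certificate must cover requested_host.
    """
    if mode == "flexible":
        return "plaintext"
    if mode == "full":
        return "encrypted-unverified"
    if mode == "strict":
        if origin_validates(cert_sans, requested_host):
            return "encrypted-verified"
        return "rejected"
    raise ValueError(f"unknown mode: {mode!r}")


if __name__ == "__main__":
    custom = "www.example.com"      # constructed custom domain
    direct = "username.github.io"   # host the wildcard was issued for
    for host in (direct, custom):
        for mode in ("flexible", "full", "strict"):
            print(f"{mode:>8}  {host:<22} "
                  f"{proxied_request_outcome(mode, SAMPLE_GITHUB_PAGES_SANS, host)}")
```

Running the block prints one line per mode and host: the `*.github.io` name validates only when the request is for `username.github.io` itself, so for the custom domain the only outcomes are plaintext ("flexible"), encrypted but unverified ("full"), or a refused connection ("strict"). The "full" row is the case the comment above warns about: the hop is encrypted, but whoever answers for the origin can present any certificate.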

You're right - the request to the origin will be encrypted but not fully validated since the host header will be different. It's still an encrypted connection though which is what the OP was asking about.
How do you do that in CloudFlare? I didn't know you could change the host in non-enterprise versions. All I've seen is the ability to proxy requests to a specific IP or CNAME.

If you CNAME your site to foo.github.com, it doesn't change the R-URI or Host header.

That article doesn't address what I said at all. That's showing how to disable encryption on the backend (CF to Github) by selecting "Flexible".

Looking at CF's help again and having used them a bit, there seems to be no way at all to enable full encryption (user-CF-github) with CF's non-enterprise offerings. This is because the request from CF to Github is still requested with your domain name (TLS and host header).

In order for it to work with Github's *.github.io cert, Cloudflare would need to offer an option to rewrite the request itself, not just proxy it.

That doesn't work with Github because the cert doesn't match the custom domain.