The short version: switching on Cloudflare does not finish SSL for a VPS. You are securing two separate connections, one from the visitor to Cloudflare, and another from Cloudflare to your server. If the second part is weak or misconfigured, you can still end up with redirect loops, trust errors, or an origin that is less protected than it looks from the browser.
For a business site or client stack, that distinction matters. The wrong SSL mode can quietly leave the origin unencrypted, break forms or checkouts with redirect issues, and create operational pain during maintenance. The right setup is usually simple once you decide whether your VPS should be reachable directly or only through Cloudflare.
Start With the Right SSL Model
Cloudflare presents a public certificate to browsers at the edge. Your VPS still needs its own certificate for the connection from Cloudflare to Nginx. For most production sites, the best default is Full (strict), which means Cloudflare validates the certificate on your origin instead of accepting anything or falling back to HTTP.
- Choose Cloudflare Origin CA if the hostname should only ever be reached through Cloudflare.
- Choose a public certificate if your team, monitors, load balancers, or maintenance workflows need direct HTTPS access to the server.
- Avoid Flexible on a VPS you control. It is the legacy shortcut that most often creates confusion and mixed redirect behavior.
If you manage multiple client sites, this decision saves a lot of future cleanup. It determines how you test, how you monitor, and what happens when someone turns the proxy off during an incident.
Recommended Setup for Most VPS Sites
For a normal Nginx site sitting behind Cloudflare, the clean pattern is:
- Keep the DNS record proxied in Cloudflare.
- Let Cloudflare issue the public edge certificate automatically.
- Create an Origin CA certificate in Cloudflare for the exact hostnames you need.
- Install that certificate on Nginx.
- Set Cloudflare SSL/TLS mode to Full (strict).
- Turn on Always Use HTTPS in Cloudflare so HTTP-to-HTTPS enforcement happens at the edge.
This works well because each layer has one job. Cloudflare handles the browser-facing certificate and the global redirect behavior. Your VPS only needs to serve HTTPS correctly on port 443 and stay predictable.
A minimal Nginx server block looks like this:
    server {
        listen 443 ssl;
        server_name example.com www.example.com;
        # Origin CA certificate and key issued by Cloudflare for these hostnames
        ssl_certificate /etc/ssl/cloudflare/origin.pem;
        ssl_certificate_key /etc/ssl/private/cloudflare-origin.key;
        root /var/www/example/public;
        index index.html index.php;
    }
After updating Nginx, validate the configuration and reload it:
    sudo nginx -t
    sudo systemctl reload nginx
One practical note for agency teams: standardize certificate paths, server block naming, and handover notes across client VPS environments. That turns SSL from tribal knowledge into a repeatable operating pattern.
When a Public Certificate Is the Better Choice
Cloudflare Origin CA is convenient, but it is not browser-trusted if someone bypasses Cloudflare and connects to the VPS directly. That is fine for pure proxy-only traffic. It is not fine if you use direct origin monitoring, a staging hostname outside Cloudflare, gray-cloud maintenance windows, or third-party access that hits the server over HTTPS.
In those cases, install a publicly trusted certificate on the VPS. For Nginx, Certbot is still the practical option. Use the current OS-specific install guide on Certbot's site, then run:
    sudo certbot --nginx
    sudo certbot renew --dry-run
If you use the Nginx plugin, the site normally needs to be reachable on port 80 during HTTP validation. If that does not fit your environment, switch to a DNS-based validation flow instead.
Avoid the Common Failure Modes
- Redirect loops: decide whether HTTPS forcing lives at Cloudflare or at the origin. Do not stack competing redirects unless you have mapped the exact request flow.
- Mixed content: SSL does not fix hard-coded http:// links to images, scripts, or fonts inside the application.
- Gray-cloud surprises: if you rely on Origin CA and later disable proxying, visitors can see certificate trust errors because the origin cert is not meant for direct browser trust.
- False confidence: a browser padlock only proves the browser-to-Cloudflare leg is working. Your origin certificate and SSL mode still need to be correct.
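A small bash script that checks for the failure modes above, added here as an example and not part of the original post: two offline checks run on constructed sample data (a redirect chain and a page fragment), plus an origin certificate check that asks the same question Full (strict) asks on every connection. The hostname example.com, the origin IP 203.0.113.10 and the CA file path are placeholders.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: offline checks for two of the
# failure modes above, plus a live origin check that mirrors what Full (strict)
# validates. example.com, the origin IP and the CA path are placeholders.
set -u

# Redirect loops: pass the raw output of `curl -sIL --max-redirs 10 URL`.
# A Location header that repeats means the hops are cycling; returns 0 (true)
# when a loop is found.
detect_redirect_loop() {
  local dup
  dup=$(printf '%s\n' "$1" | grep -i '^location:' | awk '{print $2}' \
        | tr -d '\r' | sort | uniq -d)
  [ -n "$dup" ]
}

# Mixed content: list subresource references (scripts, images, stylesheets,
# fonts) still hard-coded to http://. Plain <a href> navigation links are
# skipped, since browsers only block insecure subresources.
find_mixed_content() {
  printf '%s\n' "$1" \
    | grep -oE '(src="http://[^"]*"|url\(http://[^)]*\)|<link[^>]*href="http://[^"]*")' \
    | sort -u
}

# Origin check (needs network): connect to the origin IP with the site's SNI,
# validate the chain against the CA file (Cloudflare's Origin CA root, or a
# public root bundle for a Certbot cert), then report hostname match and
# validity dates. Run it before switching the zone to Full (strict).
check_origin_cert() {  # usage: check_origin_cert example.com 203.0.113.10 /path/ca.pem
  openssl s_client -connect "$2:443" -servername "$1" -CAfile "$3" \
      -verify_return_error </dev/null 2>/dev/null \
    | openssl x509 -noout -checkhost "$1" -dates
}

# Constructed sample input (not captured from a real site)
loop_headers='HTTP/1.1 301 Moved Permanently
Location: https://example.com/
HTTP/1.1 301 Moved Permanently
Location: https://example.com/'
page_html='<img src="https://example.com/a.png">
<script src="http://example.com/app.js"></script>
<link rel="stylesheet" href="http://example.com/site.css">
<style>@font-face{src:url(http://example.com/font.woff2)}</style>
<a href="http://example.com/about">navigation link, not mixed content</a>'

detect_redirect_loop "$loop_headers" && echo "redirect loop: Location repeats"
echo "hard-coded http:// subresources:"
find_mixed_content "$page_html"
```

For the origin check, point it at the server's real IP rather than the proxied hostname; otherwise you are testing Cloudflare's edge certificate, which is exactly the false confidence the last bullet describes.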
What Good Looks Like for an Ops Team
A sensible baseline is straightforward: Cloudflare proxy enabled, edge certificate active, origin certificate installed, Full (strict) selected, and one clearly owned redirect policy. If you manage your own public origin certificates, add renewal testing and expiry monitoring. If you use Origin CA, track certificate validity in your own inventory because long-lived origin certs are easy to forget until a rebuild or migration exposes the gap.
That setup is not just more secure. It is easier to support. Business owners get fewer avoidable SSL issues. Operations leads get a cleaner rollback path. Agencies get a setup they can reproduce across multiple VPS-based client sites without reinventing the rules each time.
Need a Second Set of Eyes?
If your Cloudflare and VPS setup has grown by trial and error, a short technical review usually finds the weak spots fast: the wrong SSL mode, duplicate redirects, an origin certificate that no longer matches the workflow, or an Nginx config that nobody wants to touch. If you want Greg to review the setup before it becomes a production problem, get in touch.