By Greg Nowak. Last updated 2026-06-30.
Putting a VPS behind Cloudflare does not finish SSL by itself. It creates two separate TLS paths: the visitor-to-Cloudflare connection at the edge, and the Cloudflare-to-origin connection back to your VPS. The browser padlock only proves the first path is working. Your origin still needs the right certificate, SSL/TLS mode, redirect policy, and operating notes.
That distinction matters for business owners, operations leads, and agency teams. A weak setup can create redirect loops, broken forms, failed checkouts, confusing monitoring alerts, or a site that looks secure in the browser while the origin is not configured the way the team thinks it is. The work is not complicated, but the decisions should be deliberate.
Start with the right SSL mode
For most production VPS sites you control, use Full (strict). In this mode, Cloudflare connects to your origin over HTTPS and validates the origin certificate. Cloudflare expects the origin certificate to be unexpired, match the requested hostname, and be issued by either a publicly trusted certificate authority or Cloudflare Origin CA.
Avoid Flexible for a VPS you manage. Flexible encrypts traffic between the visitor and Cloudflare, but Cloudflare can still connect to the origin over HTTP. That is where many avoidable redirect loops and false assumptions begin.
| VPS access pattern | Best certificate choice | Operational note |
|---|---|---|
| Public traffic should only pass through Cloudflare | Cloudflare Origin CA | Keep DNS proxied and document that direct browser access will not trust the origin certificate. |
| Monitoring, vendors, or staff need direct HTTPS access | Publicly trusted certificate | Use an ACME flow such as Certbot and test renewal. |
| The proxy may be disabled during maintenance | Publicly trusted certificate | Avoid Origin CA for hostnames that may be exposed directly to visitors. |
| The origin should reject non-Cloudflare traffic | Origin CA plus origin protection | Add firewall allowlists, Authenticated Origin Pulls, or a tunnel-based design. |
The clean setup for most Nginx VPS sites
For a normal Nginx site where visitors should always arrive through Cloudflare, keep the pattern simple:
- Keep the DNS record proxied in Cloudflare.
- Let Cloudflare manage the public edge certificate.
- Create a Cloudflare Origin CA certificate for the exact hostnames you serve.
- Install the origin certificate and private key on the VPS.
- Configure Nginx to serve HTTPS on port 443.
- Set Cloudflare SSL/TLS mode to Full (strict).
- Choose one owner for HTTP-to-HTTPS redirects.
A minimal Nginx server block can look like this:
```nginx
server {
    listen 443 ssl;
    server_name example.com www.example.com;

    # Cloudflare Origin CA certificate and its private key, installed on the VPS.
    ssl_certificate     /etc/ssl/cloudflare/origin.pem;
    ssl_certificate_key /etc/ssl/private/cloudflare-origin.key;

    root  /var/www/example/public;
    index index.html index.php;
}
```

After updating the server block, validate and reload Nginx:
```bash
sudo nginx -t
sudo systemctl reload nginx
```

For agency teams, standardize the boring parts across client environments: certificate paths, server block naming, handover notes, and who owns redirects. That turns SSL from tribal knowledge into a repeatable operating procedure.
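Full (strict) only succeeds when the origin certificate matches every hostname Cloudflare requests, so it is worth checking coverage before switching modes. As an added example (not part of the article), the following Python script reads the server_name directives from an Nginx server block and reports hostnames that the certificate's subjectAltName entries do not cover; the config text and SAN list are constructed samples.

```python
import re
from typing import Iterable

# Constructed sample: a server block in the same shape as the one above,
# with one extra hostname so the coverage check has something to report.
NGINX_CONF = """
server {
    listen 443 ssl;
    server_name example.com www.example.com api.example.com;
    ssl_certificate /etc/ssl/cloudflare/origin.pem;
}
"""

# Constructed sample: subjectAltName entries of the origin certificate.
CERT_SANS = ["example.com", "*.example.com"]


def server_names(conf: str) -> list[str]:
    """Collect every hostname listed in server_name directives."""
    names: list[str] = []
    for m in re.finditer(r"^\s*server_name\s+([^;]+);", conf, re.M):
        names.extend(m.group(1).split())
    return names


def san_matches(san: str, host: str) -> bool:
    """RFC 6125-style match: a wildcard covers exactly one leftmost label."""
    san, host = san.lower(), host.lower()
    if san.startswith("*."):
        suffix = san[1:]  # ".example.com"
        return host.endswith(suffix) and "." not in host[: -len(suffix)]
    return san == host


def uncovered(conf: str, sans: Iterable[str]) -> list[str]:
    """Hostnames served by Nginx that no SAN entry on the certificate matches."""
    sans = list(sans)
    return [h for h in server_names(conf) if not any(san_matches(s, h) for s in sans)]


if __name__ == "__main__":
    missing = uncovered(NGINX_CONF, CERT_SANS)
    print("all hostnames covered" if not missing else f"not covered: {missing}")
```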
When a public certificate is the better choice
Cloudflare Origin CA is useful when the origin only receives traffic from proxied Cloudflare records. It is not meant to be trusted directly by normal browsers. If someone pauses Cloudflare or disables proxying for a hostname using an Origin CA certificate, visitors can see certificate warnings.
Use a publicly trusted certificate when your workflow needs direct HTTPS access to the VPS. That includes uptime checks outside Cloudflare, vendor access, staging patterns, emergency gray-cloud operation, or infrastructure where a load balancer connects without Cloudflare in front.
Certbot remains a practical option for Nginx-managed servers, but use the current OS-specific install instructions rather than copying an old package command from a blog post. The useful operational commands are still:
```bash
sudo certbot --nginx
sudo certbot renew --dry-run
```

If the HTTP-01 challenge is used, validation happens on port 80. If that does not fit your environment, use DNS-01 validation instead. DNS validation takes more setup, but it can work when port 80 is unavailable and is also the route for wildcard certificates.
Make redirects boring
Redirect loops usually appear when Cloudflare, Nginx, and the application are all trying to enforce scheme or hostname rules at once. Any one layer can be correct. Multiple layers can still produce messy behavior together.
For many business sites, the simplest model is to enable Cloudflare's Always Use HTTPS so visitor HTTP requests are redirected at the edge, while Nginx simply serves HTTPS correctly. Cloudflare notes that origin-side redirects can cause loop errors, so if you prefer origin-owned redirects, keep the Cloudflare redirect setting off and document that choice.
Forcing HTTPS will not fix mixed content. Hard-coded http:// assets, old CMS settings, fonts, scripts, and third-party embeds still need to be cleaned up. After changing SSL modes, test the contact forms, checkout, login, admin area, and any webhook or API callback that depends on the public URL.
Do not leave the origin exposed by accident
Full (strict) validates the TLS connection, but it does not automatically stop someone from hitting the VPS directly by IP address. For higher-value sites, close that gap. Options include firewall rules that allow Cloudflare IP ranges, Authenticated Origin Pulls, Cloudflare Tunnel, or other origin access controls that fit your stack.
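The quickest evidence that the origin can still be reached directly is a request in the Nginx access log whose source address is not a Cloudflare proxy range. As an added example (not from the article), this Python check parses access log lines in Nginx's default combined format and flags such requests; the log lines are constructed, and the range list is a small subset of Cloudflare's published IPv4 ranges, which should be loaded in full from https://www.cloudflare.com/ips-v4 in real use.

```python
import ipaddress
import re

# Constructed subset of Cloudflare's published IPv4 ranges. Load the complete,
# current list from https://www.cloudflare.com/ips-v4 in production.
CLOUDFLARE_RANGES = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20",
    "103.21.244.0/22",
    "104.16.0.0/13",
    "104.24.0.0/14",
)]

# Constructed sample lines in Nginx's default "combined" log format.
ACCESS_LOG = """\
104.16.12.7 - - [30/Jun/2026:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [30/Jun/2026:10:00:02 +0000] "GET /wp-login.php HTTP/1.1" 200 2048 "-" "curl/8.0"
173.245.50.3 - - [30/Jun/2026:10:00:03 +0000] "POST /checkout HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.4 - - [30/Jun/2026:10:00:04 +0000] "GET /.env HTTP/1.1" 404 0 "-" "python-requests/2.31"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)


def is_cloudflare_ip(ip: str) -> bool:
    """True when the source address lies inside one of the proxy ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in CLOUDFLARE_RANGES)


def bypass_requests(log_text: str) -> list[dict]:
    """Requests that reached the origin without passing through Cloudflare."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and not is_cloudflare_ip(m["ip"]):
            hits.append({"ip": m["ip"], "request": m["req"], "status": int(m["status"])})
    return hits


if __name__ == "__main__":
    for hit in bypass_requests(ACCESS_LOG):
        print(f"direct-to-origin: {hit['ip']} {hit['request']} -> {hit['status']}")
```

Run it over the real access log after enabling Full (strict): any hit means the firewall allowlist, Authenticated Origin Pulls, or tunnel design described above is not yet doing its job.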
Also track certificate ownership. Cloudflare currently says it does not send expiration notifications for Origin CA certificates, so long-lived origin certificates should still go into your own inventory or monitoring. Public certificates need renewal testing and alerting. Neither model should depend on someone remembering what was installed two years ago.
A useful handover checklist
A maintainable setup should leave the next operator with clear answers: SSL/TLS mode, certificate type, hostname coverage, expiry or renewal process, DNS proxy status, redirect owner, open ports, and any firewall or Authenticated Origin Pulls configuration. That small note can save hours during a migration or incident.
If your Cloudflare and VPS setup has grown by trial and error, a focused review usually finds the weak spots quickly: Flexible mode still enabled, duplicate redirects, an origin certificate that does not match the workflow, or a VPS that can be bypassed directly. Greg can review the configuration, clean up the decision path, and leave your team with something easier to operate.