# Custom SSL

## Prerequisites

First ensure your pod has a custom DNS assigned to it.  This guide shows you how:

{% content-ref url="custom-dns" %}
[custom-dns](https://docs.stackos.io/stackos-docs/operations/custom-dns)
{% endcontent-ref %}

## Choose your SSL Mode

Flexible SSL encrypts the data from Cloudflare to the end user, but does not enforce encryption between your Pod and Cloudflare. This is fine for most cases where the information is meant to be public (most informational websites and DApps that serve no user-specific info).

Strict SSL encrypts the data both from Cloudflare to the end user and between your Pod and Cloudflare. This is best when you are serving sensitive data such as personal user info (common with Web2-based sites that keep personal information behind a login).

Flexible provides the fastest setup, while Strict provides a more complete encryption solution at the cost of a few more technical steps.

Both options are completely valid, which is why both are supported. Pick the one that best matches your requirements.

## Cloudflare Flexible SSL

In Cloudflare, navigate to SSL/TLS > Overview

![](https://595251010-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-Ml8spdZ1HNNSGfvTi3F%2Fuploads%2F6uBUPf1e5ubh9rrye4cn%2Fimage.png?alt=media\&token=722bd6bc-4c0a-4523-aa49-3e597bedf658)

Select Flexible

![](https://595251010-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-Ml8spdZ1HNNSGfvTi3F%2Fuploads%2FmmEghAl6Ptpfjd43ZU2n%2Fimage.png?alt=media\&token=d2b22d7e-1158-4b89-9c85-b0417d1c7075)

## Cloudflare Strict SSL

The following will REQUIRE you to use Cloudflare to create an SSL Certificate.

## Generate Origin Certificate

Go to your domain in Cloudflare and manage your "Origin Server" certificate

![](https://595251010-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-Ml8spdZ1HNNSGfvTi3F%2Fuploads%2FLRiqnGBAYrXDG3XVQ7F2%2Fstackos-origin-0.png?alt=media\&token=274108e8-7a57-44ec-91a8-78c9649fd709)

Create a Certificate

![](https://595251010-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-Ml8spdZ1HNNSGfvTi3F%2Fuploads%2FPdTxCsypxREm0jxWoh7T%2Fstackos-origin-1.png?alt=media\&token=9e4c6ad8-bbe8-4fcd-8cb4-f5fcba8c659e)

Configure your certificate type, domains and lifetime

![](https://595251010-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-Ml8spdZ1HNNSGfvTi3F%2Fuploads%2FDdUyvhQsPGVdRtbFA5F6%2Fstackos-origin-2.png?alt=media\&token=c5694b45-00fc-4d70-b1f1-f32fe253548a)

Copy the Certificate and Key and paste them into the StackOS Pod Configuration

![](https://595251010-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-Ml8spdZ1HNNSGfvTi3F%2Fuploads%2Fek55rqLKdb5ohTrohMpF%2Fstackos-origin-3.png?alt=media\&token=2ff9b61d-e576-4cb2-b72c-f614a2f7d591)

![](https://595251010-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-Ml8spdZ1HNNSGfvTi3F%2Fuploads%2FBFrRo2yyHd1DMpRyQuSA%2Fimage.png?alt=media\&token=e0ab93f7-a9f6-4ed8-b83f-6f518a284e77)

You should see your certificate listed

![](https://595251010-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-Ml8spdZ1HNNSGfvTi3F%2Fuploads%2FC3lqw0aZRa0dDNDba80u%2Fstackos-origin-4.png?alt=media\&token=01c62e1f-46ec-4641-abb4-6275ba992e53)
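
Before pasting the certificate and key into the pod configuration, it helps to confirm that the two belong together, that the certificate covers your pod's hostname, and that it is not close to expiry. The script below is an added example, not part of the StackOS or Cloudflare tooling; the file names `origin.pem` and `origin.key`, the hostname, and the `make_sample_pair` helper (a self-signed stand-in for trying the checks) are assumptions.

```bash
#!/usr/bin/env bash
# Pre-flight checks for an origin certificate and key before they are pasted
# into the pod configuration. File names and hostnames are assumptions.

# check_origin_pair CERT KEY HOSTNAME [MIN_DAYS]
# Returns 0 = OK, 1 = key mismatch, 2 = expires too soon,
#         3 = hostname not covered, 4 = certificate unreadable.
check_origin_pair() {
  local cert=$1 key=$2 host=$3 min_days=${4:-30}
  local cert_fp key_fp

  openssl x509 -in "$cert" -noout 2>/dev/null ||
    { echo "FAIL: cannot parse certificate $cert" >&2; return 4; }

  # The certificate's public key must be the one derived from the private key.
  cert_fp=$(openssl x509 -in "$cert" -noout -pubkey | openssl dgst -sha256)
  key_fp=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl dgst -sha256)
  [ "$cert_fp" = "$key_fp" ] ||
    { echo "FAIL: private key does not match certificate" >&2; return 1; }

  # -checkend exits non-zero if the certificate expires within N seconds.
  openssl x509 -in "$cert" -noout -checkend $((min_days * 86400)) >/dev/null ||
    { echo "FAIL: certificate expires within $min_days days" >&2; return 2; }

  # -checkhost prints "does match" or "does NOT match" for the given name.
  openssl x509 -in "$cert" -noout -checkhost "$host" | grep -q "does match" ||
    { echo "FAIL: $host is not covered by the certificate" >&2; return 3; }

  echo "OK: key matches, valid for more than $min_days days, covers $host"
}

# Constructed sample input: a throwaway self-signed pair standing in for the
# files copied from Cloudflare (a real origin certificate is not self-signed).
# make_sample_pair DIR COMMON_NAME
make_sample_pair() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 90 -subj "/CN=$2" \
    -keyout "$1/origin.key" -out "$1/origin.pem" 2>/dev/null
}

# Run as: ./check_origin.sh origin.pem origin.key app.example.com
[ "$#" -lt 3 ] || check_origin_pair "$@"
```
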

## Enable Cloudflare Strict Mode

You can activate this style of Origin certificate in one of two ways:

1\) By default for all subdomains of your domain

2\) ONLY for a single domain.

### For all subdomains

![](https://595251010-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-Ml8spdZ1HNNSGfvTi3F%2Fuploads%2FN31YNakOQiZPmueUOBwe%2Fstack-cf-ssl-strict.png?alt=media\&token=6b33640a-22a0-4c5d-a330-db96274683fb)

### For a single domain

Go to Rules > Page Rules

![](https://595251010-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-Ml8spdZ1HNNSGfvTi3F%2Fuploads%2FFegBO7pZOSIELqpD2UxY%2Fstack-cf-ssl-pagerule.png?alt=media\&token=208f4d8c-7f2a-43f0-b697-0001c7d860f7)

Create Page Rule

![](https://595251010-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-Ml8spdZ1HNNSGfvTi3F%2Fuploads%2FN3iEVihR6ispcMZQJWSz%2Fimage.png?alt=media\&token=81118ca3-4ed1-4fe2-a6d4-f099732f1508)

Configure Page Rule

![](https://595251010-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-Ml8spdZ1HNNSGfvTi3F%2Fuploads%2FTOIX0hBYLWNlCwzyv4hD%2Fstack-cf-ssl-pagerule-2.png?alt=media\&token=57681f33-23ef-452a-8f8e-edd20f5d9c80)

Resulting Page Rule

![](https://595251010-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-Ml8spdZ1HNNSGfvTi3F%2Fuploads%2FOcydGWb2TSy1jEZKFE59%2Fstack-cf-ssl-pagerule-1.png?alt=media\&token=4b191e3d-5c2e-47f1-b42f-e2b3c074e435)
