TLS

Transport Layer Security (TLS) is a crucial aspect of website security that ensures that data exchanged between a client and a server is protected from eavesdropping, tampering, or interception. Peakhour offers a range of options for configuring TLS for your website, from disabling it to using your own certificate or a free Lets Encrypt certificate.

TLS Modes#

Peakhour provides four modes for configuring TLS for your website:

1. Disabled: TLS traffic to your site is disabled, and only unencrypted HTTP traffic will be allowed.
2. Passthrough: Any HTTPS requests to your site will be passed through to your origin server without any action by Peakhour, and the WAF will be inactive.
3. Enabled: This mode requires a certificate to be installed within the Peakhour dashboard. HTTPS traffic will be terminated at Peakhour, and Peakhour will make HTTP requests to your origin server.
4. Enabled + SSL client: This mode also requires a certificate to be installed on the origin server. Traffic will be HTTPS to Peakhour, and Peakhour will only use HTTPS to communicate with your origin server.

You can access the TLS mode option by clicking on the TLS link in your domain dashboard.

Uploading your own TLS Certificate#

If you already have a TLS certificate for your website, you can upload it to Peakhour so that we can use it to accept incoming requests to your site. To upload your certificate, click on the TLS link in your domain dashboard and click on the 'installed certificate' tab. You will need your private key and certificate, which must include the full certificate chain. Once installed, you can download or replace your certificate at any time.

Lets Encrypt Certificates#

All Peakhour customers have the option of using a free, dedicated, Lets Encrypt certificate for HTTPS traffic on their domain. Peakhour handles the installation and renewal automatically. When you sign up with Peakhour, we will automatically apply for the certificate as soon as we detect that you have successfully pointed your domain to the Peakhour service. However, if you install your own certificate before pointing your domain, Peakhour will not apply.

Once the certificate is installed, we will automatically switch your TLS mode to enabled to start accepting HTTPS traffic on your domain. You can still upload your own custom certificate at any time after the Lets Encrypt certificate is installed.

TLS Ciphers#

Peakhour offers advanced options for configuring TLS, including TLS ciphers. Cipher options are available under the Ciphers tab of the TLS section of your domain dashboard. By default, Peakhour only allows browsers that support modern ciphers to access your SSL-enabled site via HTTPS. However, if you need to allow access to legacy browsers that don't support modern ciphers, you can do so under this section. Our list of preset profiles is taken from Mozilla's tls profiles.

Mozilla defines ciphers used in Transport Layer Security (TLS) as old, intermediate, and modern. The categorization is based on the security level offered by the ciphers and their compatibility with various browsers and devices.

• Old ciphers are those that provide weaker security and are less compatible with modern browsers and devices. These ciphers include DES and RC4.
• Intermediate ciphers are those that provide better security than old ciphers but are not considered as secure as modern ciphers. These ciphers include 3DES and AES-128.
• Modern ciphers are those that offer the strongest security and are compatible with the latest browsers and devices. These ciphers include AES-256 and ChaCha20.

Mozilla recommends using modern ciphers for Transport Layer Security (TLS) connections to ensure the highest level of security for web traffic. However, if compatibility with legacy devices and browsers is a concern, intermediate ciphers may be used. Old ciphers should be avoided as they provide weaker security and may be vulnerable to attacks.

Configuring TLS for your website with Peakhour is simple and flexible, with options for disabled, passthrough, enabled, and enabled + SSL client modes, as well as the ability to upload your own certificate or use a free Lets Encrypt certificate. Advanced options are also available for configuring TLS ciphers.