Cloudflare Docs

3 – Configure HTTPS settings

After setting up basic DNS records, you can configure zone settings using Terraform. This tutorial shows how to enable TLS 1.3, Automatic HTTPS Rewrites, and Strict SSL mode using the updated v5 provider.

Prerequisites

  • Completed tutorials 1 and 2
  • Valid SSL certificate on your origin server (use the Cloudflare Origin CA to generate one for strict SSL mode)

1. Create zone setting configuration

Create a new branch and add zone settings:

Terminal window
git checkout -b step3-zone-settings

Add the following to your main.tf file:

# Enable TLS 1.3
resource "cloudflare_zone_setting" "tls_1_3" {
  zone_id    = var.zone_id
  setting_id = "tls_1_3"
  value      = "on"
}

# Enable automatic HTTPS rewrites
resource "cloudflare_zone_setting" "automatic_https_rewrites" {
  zone_id    = var.zone_id
  setting_id = "automatic_https_rewrites"
  value      = "on"
}

# Set SSL mode to strict
resource "cloudflare_zone_setting" "ssl" {
  zone_id    = var.zone_id
  setting_id = "ssl"
  value      = "strict"
}

2. Preview and apply the changes

Review the proposed changes:

Terminal window
terraform plan

Expected output

Plan: 3 to add, 0 to change, 0 to destroy.
Terraform will perform the following actions:

  # cloudflare_zone_setting.automatic_https_rewrites will be created
  + resource "cloudflare_zone_setting" "automatic_https_rewrites" {
      + setting_id = "automatic_https_rewrites"
      + value = "on"
      + zone_id = "your-zone-id"
    }

  # cloudflare_zone_setting.ssl will be created
  + resource "cloudflare_zone_setting" "ssl" {
      + setting_id = "ssl"
      + value = "strict"
      + zone_id = "your-zone-id"
    }

  # cloudflare_zone_setting.tls_1_3 will be created
  + resource "cloudflare_zone_setting" "tls_1_3" {
      + setting_id = "tls_1_3"
      + value = "on"
      + zone_id = "your-zone-id"
    }
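
One way to automate this plan review, as an added example that is not part of the original tutorial: the script checks the JSON form of a saved plan (as produced by terraform show -json) and flags any change that would move the three settings away from the values configured above or drop them from Terraform management. The function name, the REQUIRED table and the sample plan are constructed for illustration, with "flexible" standing in as a weaker SSL mode.

```python
import json

# Values this tutorial sets; the policy table itself is an assumption of this example.
REQUIRED = {"tls_1_3": "on", "automatic_https_rewrites": "on", "ssl": "strict"}


def https_setting_violations(plan: dict) -> list[str]:
    """Return one message per planned change that weakens a required setting."""
    problems = []
    for rc in plan.get("resource_changes", []):
        if rc.get("type") != "cloudflare_zone_setting":
            continue
        change = rc.get("change", {})
        actions = change.get("actions", [])
        before = change.get("before") or {}
        after = change.get("after") or {}
        # On delete "after" is null, so fall back to "before" for the setting id.
        setting = after.get("setting_id") or before.get("setting_id")
        if setting not in REQUIRED:
            continue
        if "delete" in actions and "create" not in actions:
            problems.append(f"{rc['address']}: {setting} would no longer be managed")
        elif after.get("value") != REQUIRED[setting]:
            # A value unknown at plan time is absent here and fails closed.
            problems.append(f"{rc['address']}: {setting} would become "
                            f"{after.get('value')!r}, expected {REQUIRED[setting]!r}")
    return problems


# Constructed sample shaped like `terraform show -json plan.out` output.
SAMPLE_PLAN = json.loads("""
{"resource_changes": [
  {"address": "cloudflare_zone_setting.tls_1_3", "type": "cloudflare_zone_setting",
   "change": {"actions": ["create"], "before": null,
              "after": {"setting_id": "tls_1_3", "value": "on"}}},
  {"address": "cloudflare_zone_setting.ssl", "type": "cloudflare_zone_setting",
   "change": {"actions": ["update"],
              "before": {"setting_id": "ssl", "value": "strict"},
              "after": {"setting_id": "ssl", "value": "flexible"}}},
  {"address": "cloudflare_zone_setting.automatic_https_rewrites",
   "type": "cloudflare_zone_setting",
   "change": {"actions": ["delete"],
              "before": {"setting_id": "automatic_https_rewrites", "value": "on"},
              "after": null}}
]}
""")

if __name__ == "__main__":
    for line in https_setting_violations(SAMPLE_PLAN):
        print("FAIL", line)
```

To run it against a real plan, save the plan with terraform plan -out, convert it with terraform show -json, and pass the parsed JSON to the function in place of the sample.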

Commit and merge the changes:

Terminal window
git add main.tf
git commit -m "Enable TLS 1.3, automatic HTTPS rewrites, and strict SSL"
git checkout main
git merge step3-zone-settings
git push

Before applying the changes, try to connect with TLS 1.3. With default settings, the connection should fail. To follow along with this test, you will need to compile curl against BoringSSL.

Terminal window
curl -v --tlsv1.3 https://www.example.com 2>&1 | grep "SSL connection\|error"

You should receive an error because TLS 1.3 is not yet enabled on your zone. Enable it by running terraform apply and try again.

Apply the configuration:

Terminal window
terraform apply

Type yes when prompted.

3. Verify the settings

Try the same command as before. The command will now succeed.

Terminal window
curl -v --tlsv1.3 https://www.example.com 2>&1 | grep "SSL connection\|error"