SSL Modes

You can access the TLS mode option by clicking on the TLS link in your domain dashboard and then on the Settings tab:

ssl mode

Available modes

1. disabled

TLS traffic to your site is disabled; only unencrypted HTTP traffic will be allowed.

2. passthrough

Any https requests to your site will be 'passed through' to your site without any action by Peakhour. No content will be optimised and the WAF will be inactive.

3. enabled

This requires a certificate to be installed within the Peakhour admin (see below). HTTPS traffic will be terminated at Peakhour, and Peakhour will make plain HTTP requests to your origin server, so traffic between Peakhour and your origin is not encrypted.

4. enabled + ssl client

This requires a certificate to be installed within the Peakhour admin (see below). Traffic will be HTTPS to Peakhour, and we will only use HTTPS to communicate with your origin server.

Uploading your own TLS Certificate

If you already have a TLS certificate for your website, you can upload it to Peakhour so we can use it to accept incoming requests to your site. To upload it, click on the TLS link in your domain dashboard and then on the 'installed certificate' tab:

ssl upload

You will need your private key and certificate, which must include the full certificate chain. Once installed you can download or replace your certificate as shown here:

ssl installed

Free Let's Encrypt Certificate

All Peakhour customers have the option of using a free, dedicated Let's Encrypt certificate for HTTPS traffic on their domain. Peakhour handles the installation and renewal automatically. When you sign up with Peakhour, we will automatically apply for the certificate as soon as we detect that you have successfully pointed your domain to the Peakhour service. However, if you install your own certificate before pointing your domain, Peakhour will not apply for one.

Once the certificate is installed we will automatically switch your TLS mode to enabled to start accepting https traffic on your domain.

You can still upload your own custom certificate at any time after the Let's Encrypt certificate is installed.


HSTS (HTTP Strict Transport Security)

HSTS options can be found under the HSTS tab of the TLS section of your domain dashboard.

HSTS is a web standard that helps to protect websites against protocol downgrade attacks and cookie hijacking. By enabling it you are declaring that users should only interact with your site via a secure HTTPS connection. **It should only be enabled once you have confirmed your site works properly over HTTPS and has no mixed content issues.**

The HSTS policy is sent to the user agent via an HTTPS response header field named "Strict-Transport-Security". The policy specifies a period of time during which the user agent should only access the server via HTTPS.

As the policy header is only sent over HTTPS, end users can still interact with the website using HTTP. To ensure you ONLY receive traffic via HTTPS, you will have to set up a 301 redirect to switch requests.
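
The two conditions this section describes (a valid Strict-Transport-Security header on the HTTPS response, and a 301 redirect on plain HTTP) can be checked with a short script. The Python below is an added example, not Peakhour code; the function names and sample responses are constructed for illustration, and the parsing rules follow RFC 6797.

```python
from urllib.parse import urlsplit

def parse_hsts(value):
    """Parse a Strict-Transport-Security value per RFC 6797 section 6.1."""
    policy = {"max_age": None, "include_subdomains": False}
    seen = set()
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        name = name.strip().lower()
        if not name:
            continue  # empty directives, e.g. a trailing ';', are allowed
        if name in seen:
            raise ValueError(f"duplicate directive: {name}")
        seen.add(name)
        if name == "max-age":
            arg = arg.strip().strip('"')
            if not (arg.isascii() and arg.isdigit()):
                raise ValueError("max-age must be a non-negative integer")
            policy["max_age"] = int(arg)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        # any other directive is ignored, as the RFC requires
    if policy["max_age"] is None:
        raise ValueError("max-age is required")
    return policy

def audit(http_resp, https_resp):
    """Findings for one HTTP and one HTTPS response, each given as
    (status, headers) with lower-cased header names."""
    findings = []
    status, headers = http_resp
    if status != 301 or urlsplit(headers.get("location", "")).scheme != "https":
        findings.append("HTTP request is not 301-redirected to HTTPS")
    if "strict-transport-security" in headers:
        findings.append("HSTS header sent over HTTP, where user agents ignore it")
    try:
        policy = parse_hsts(https_resp[1]["strict-transport-security"])
        if policy["max_age"] == 0:
            findings.append("max-age=0 makes user agents drop the policy")
    except KeyError:
        findings.append("HTTPS response has no Strict-Transport-Security header")
    except ValueError as exc:
        findings.append(f"invalid HSTS header: {exc}")
    return findings

# Constructed sample responses (not captured from a real site).
GOOD = ((301, {"location": "https://example.com/"}),
        (200, {"strict-transport-security": "max-age=31536000; includeSubDomains"}))
BAD = ((200, {}), (200, {"strict-transport-security": "includeSubDomains"}))
print(audit(*GOOD), audit(*BAD))
```

An empty list means both conditions hold for the responses supplied; to check a live site, feed in the status and headers from one request to each scheme with redirects not followed.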

TLS ciphers

Cipher options are available under the Ciphers tab of the TLS section of your domain dashboard. You should not have to touch these settings.

By default, Peakhour only allows browsers that support modern ciphers to access your TLS-enabled site via HTTPS. However, if you need to allow access to legacy browsers that don't support modern ciphers, you can do so under this section. Our preset profiles are taken from Mozilla's TLS profiles.