Putting Sakai Behind Cloudflare

I love Cloudflare.  I use it extensively for any production server I support.  I use it for https termination, DDOS mitigation, performance improvement for static content, super flexible DNS management and many more things.

In building my support for IMS LTI Advantage I decided I just needed a server that would run a particular tag or branch of Sakai in production for basic testing rather than pushing everything to master and waiting until the nightly server went through the rebuild.

Here are my notes on putting Sakai behind Cloudflare.

– In CloudFlare under “Overview” Make sure SSL is “Flexible” to keep CloudFlare talking on the backend on port 80

– In CloudFlare, under “Crypto” turn on “Always use HTTPS” and “Automatic HTTPS Rewrites”

– In the sakai server in the file ./apache-tomcat-8.0.30/conf/server.xml set up the connector like this

<Connector port="80" 
    protocol="HTTP/1.1"   
    connectionTimeout="20000" 
    scheme="https"  />

This runs an http (port 80) without requiring any key fussing.  Since Cloudflare does the SSL we don’t need it in Tomcat.   See https://tomcat.apache.org/tomcat-7.0-doc/config/http.html#SSL_Support

Interestingly, one thing I did not need to do was adjust the caching for the “/library” urls in Sakai.   Sakai sets all the headers so well that Cloudflare needs no further guidance and neither does the browser.  Just as a simple test, the actual un-cached download for the initial page in Sakai Prior to login is 8.8KB.  That is *KILO-BYTES*.  A normal post-login page in Sakai’s Lessons is 31.4 KB  data transferred. Amazingly low bandwidth usage for an enterprise application like Sakai.

Pretty cool.