How to Set Up HTTPS for Self-Hosted Websites (SSL & Cloudflare Guide)

HTTPS is no longer optional. In 2025, every self-hosted website must use HTTPS to protect user data, improve SEO rankings, and avoid browser “Not Secure” warnings.

This guide explains how to set up HTTPS correctly for self-hosted websites using SSL certificates, Let’s Encrypt, and Cloudflare. You’ll also learn how HTTPS works, common mistakes developers make, and how to secure your site the right way.

In 2025, setting up HTTPS for a self-hosted website is a standard security requirement to encrypt data in transit and avoid “Not Secure” browser warnings. 
1. Choose Your Method
Depending on whether your server is exposed to the internet or strictly internal, choose one of these primary methods:
  • Public-Facing with Let’s Encrypt (Recommended): Use Let’s Encrypt for free, globally trusted certificates. This requires a domain name pointed at your server’s public IP.
  • Cloudflare Tunnels (Simplest for Home Servers): Use Cloudflare Tunnel to expose local services to the internet securely without port forwarding on your router. Cloudflare handles the SSL/TLS termination automatically.
  • Strictly Internal (Local Only): Use a tool like mkcert to create locally trusted certificates for development or private home labs. 
2. Implementation Steps
For a standard public-facing setup using a Linux server (Nginx/Apache):
  1. Domain Setup: Register a domain and create an A record pointing to your server’s IP address.
  2. Open Ports: Ensure ports 80 (HTTP) and 443 (HTTPS) are open on your server’s firewall and forwarded on your router.
  3. Install Certbot: Use Certbot, the standard ACME client, to automate certificate issuance and renewal.
    • Command: `sudo certbot --nginx` (or `--apache`).
  4. Automatic Renewal: Verify that a cron job or systemd timer is active to renew certificates automatically before the 90-day certificate lifetime runs out.
3. Hardening the Configuration
To achieve an “A+” security rating in 2025:
  • Force HTTPS: Configure a 301 redirect from HTTP to HTTPS in your server’s configuration file (e.g., `return 301 https://$host$request_uri;` for Nginx).
  • Enable HSTS: Add the Strict-Transport-Security header to force browsers to always use HTTPS for your domain.
  • Update Protocols: Disable outdated protocols like TLS 1.0 and 1.1; ensure TLS 1.2 and TLS 1.3 are enabled.
  • Check for Mixed Content: Use browser developer tools (F12) to ensure all scripts, images, and CSS are loaded over https:// to avoid browser warnings. 
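
An added example (not part of the original guide): a small Python check that reads an Nginx configuration and reports three of the hardening items above: a plain-HTTP block with no 301 redirect, an HTTPS block with no Strict-Transport-Security header, and `ssl_protocols` that still lists TLS 1.0 or 1.1. The sample configs and the `max-age` value are constructed; the check only inspects directives written directly inside each `server` block and does not follow `include` files or settings inherited from the `http` level.

```python
import re

# Constructed sample configs (not from the guide), used only to exercise the checks.
WEAK = """
server { listen 80; root /var/www/html; }   # plain HTTP, no redirect
server {
    listen 443 ssl;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
    location / { root /var/www/html; }
}
"""
HARDENED = """
server { listen 80; return 301 https://$host$request_uri; }
server {
    listen 443 ssl;
    ssl_protocols TLSv1.2 TLSv1.3;
    add_header Strict-Transport-Security "max-age=31536000" always;
}
"""

def server_blocks(conf):
    """Yield the body of each `server { ... }` block, found by brace matching."""
    conf = re.sub(r"#[^\n]*", "", conf)  # strip comments (assumes no '#' in values)
    for m in re.finditer(r"\bserver\s*\{", conf):
        depth, i = 1, m.end()
        while depth and i < len(conf):
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        yield conf[m.end():i - 1]

def audit(conf):
    """Return findings for the redirect, HSTS and protocol items of the checklist."""
    findings = []
    for body in server_blocks(conf):
        listens = re.findall(r"\blisten\s+([^;]+);", body)
        if not any(re.search(r"\b443\b|\bssl\b", l) for l in listens):
            if not re.search(r"\breturn\s+301\s+https://", body):
                findings.append("plain-HTTP block has no 301 redirect to https://")
            continue
        if not re.search(r"\badd_header\s+Strict-Transport-Security\b", body):
            findings.append("HTTPS block does not send Strict-Transport-Security")
        protos = re.search(r"\bssl_protocols\s+([^;]+);", body)
        old = {"TLSv1", "TLSv1.1"} & set(protos.group(1).split()) if protos else set()
        if old:
            findings.append("ssl_protocols enables " + ", ".join(sorted(old)))
    return findings

if __name__ == "__main__":
    print(audit(WEAK), audit(HARDENED))
```
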
4. Testing Your Setup
After installation, use the Qualys SSL Labs Test to analyze your certificate’s strength and identify potential configuration vulnerabilities. 

### Force HTTPS in Nginx
```nginx
server {
    # Plain-HTTP listener: send every request to the HTTPS version of the same URL
    listen 80;
    server_name example.com;
    return 301 https://$host$request_uri;
}
```
