Any reason to not use Full Encryption Mode?

mapplebaum · April 25, 2020, 5:29pm

Hi,

I recently imported all our CNAME records, including those for a web-based application with our domain in it (app . ourdomain . org), and it caused a redirect loop.

The web application’s server was already redirecting from http to https, and apparently Cloudflare was redirecting users back to http, causing a loop, crashing the app’s server.

They’re asking if we can turn on full encryption mode.

Would there be any negative results if I did this? Our other records include:

NS records

A records for our main website

MX records

TXT records for Office 365

SRV records for Lync/Skype

CNAMEs for (I had to alter these so they don’t appear as actual links): outlook autodiscover, lync, login microsoftonline com, clientconfig.microsoftonline-p.net, sipdir-lync, and our VPN.

As an alternative, they suggested that we switch the CNAMEs for their app from Proxied to DNS only, which I’ve now done.

Thank you!

sdayman · April 25, 2020, 5:41pm

Full (Strict) is best. Full (not strict) is pretty good, so it’s definitely a good idea to use one of the Full modes. Web servers should have TLS/SSL certificates on them.

OliverGrant · April 25, 2020, 7:03pm

@mapplebaum

Office 365 records should not be proxied, so The settings you use for won’t apply to those hosts.

— OG

system · May 25, 2020, 5:29pm

This topic was automatically closed after 30 days. New replies are no longer allowed.

Topic		Replies	Views
Error 525, 526 for CNAME using full(strict) mode Security	6	1869	June 12, 2022
Different SSL/TLS modes for different CNAME records Security	4	2260	March 12, 2020
CNAME SSL Problems DNS & Network	3	3143	April 7, 2021
Azure, NO SSL Certificate, Enabled Full (Strict), Not Getting 526 Errors? Security dns , dash-ssl-tls , dash-getting-started	4	2291	December 17, 2018
My site shows "ERR_TOO_MANY_REDIRECTS" when SSL/TLS encryption mode is "Flexible" Security	8	1674	July 17, 2022

Any reason to not use Full Encryption Mode?

Related topics