Bypass "Require Modern TLS" for just one subdomain


#1

If a domain uses Cloudflare but one specific subdomain of that domain is configured to bypass (not go through) Cloudflare, does that mean that subdomain is also freed from the “Require TLS” setting that the rest of the domain has?

Thanks!


#2

Yes it would be. Requiring modern TLS forced Cloudflare to not offer to downgrade the TLS session, but a server off Cloudflare would not be bound by that.


#3

cscharff, thank you for the quick response!

It wasn’t clear to me whether or not the “Require Modern TLS” enforcement occurred first, before Cloudflare even looked at the subdomain. Your answer is great news!


#4

A related question that in retrospect I should have asked first: can one disable/bypass the “Require Modern TLS” setting for selected URLs within an otherwise-protected domain?

(We have a legacy PC app that must communicate with a specific URL within our protected site, but the old app doesn’t support modern TLS. I was thinking of setting up a redirected subdomain for it to use, as in my original question. But it would be even better if we could just have Cloudflare bypass that setting for only an individual URL within the protected domain.)


#5

The setting in Cloudflare is a global one (as you suspected). We are looking at allowing you to specify/act on a TLS version with Cloudflare workers. More news on that front soon.


#6

Thank you!

I tried it and discovered just one “gotcha”: the subdomain that we want to avoid the “Require…” setting for has no SSL certificate of its own so our people are blocked by their browsers. Apparently the one we have through Cloudflare covers any subdomain under our main domain.

It would be great if we could retain all the benefits of Cloudflare for that one subdomain except the “Require…” setting. Is there a way to do that?

Thank you again,

-Roy.


#7

We may have a way with custom code using Workers soon, but not today.


#8

That would be so useful to us. Any chance of that feature becoming available in the next 3 months?

Thanks!

-Roy.


#9

I would think there is a reasonable chance… but I’m an optimist. 😃

