Change SSL from Full to Flexible

How to change SSL from Full to Flexible? I created a page rule (SSL: Flexible) with an * following my URL. Is this the way to do it?

No, Flexible should not be used at all. Why would you want to change from a secure setup to an insecure, unencrypted one?

My host (HostGator) says that given my outdated CMS this will prevent my site from periodically crashing.

The CMS typically does not handle SSL, only the webserver does, and that’s where you need to configure the server certificate. That should be all, and your host should be able to assist with the certificate setup. Cloudflare also offers Origin certificates in this context.

1 Like

Thank you Sandro for your suggestions. HostGator says, given that Cloudflare is 3rd party, they cannot help me to configure. So I was left trying to figure it out on my own … together with the generous support of the Cloudflare community. SSL seems to be still set to Full, so evidently my attempt did not work. :frowning:

That’s a cheap excuse, to be honest. In this case I’d recommend switching hosts, as yours is apparently not able to provide a properly secure setup.

Anyhow, all you need is a certificate on your server. Check out Cloudflare’s Origin certificates if your host is not willing to help you here.

1 Like

Thank you Sandro!

Although, I DO have a certificate that is up and running (which they provided). I just need Cloudflare to enable Flexible use of it to keep my site from crashing due to my outdated CMS. Creating a page rule did not seem to work.

If you have a certificate you should be good to go. Nothing should crash because of a CMS.

Again, do not use Flexible. It is not only insecure and essentially removes all encryption, it will also break your site even more.

Now I’m really intrigued. What’s this outdated CMS that can’t handle HTTPS, which has been around for more than twenty years?

It’s SPS, an open source CMS that was available about 10 years ago.

1 Like

I removed the page rule since, as you say, it broke my site even further. Maybe time for a new site!!

Can you define “break”? What’s the URL?

The URL is https://michaelnoyes.com/ and has been working since my last HELP call to HostGator (last week). It was they who suggested changing the SSL from Full to Flexible to keep the site from going down again due to the outdated CMS. The site seems to be held together with the proverbial duct tape and baling wire!

Your host suggested Flexible? That’s just bad advice, I am afraid.

You appear to be on a partner setup where only the “www” record is proxied. Everything else goes straight to your host. Your site appears to work on HTTPS however.

You have a mixed content issue. That’s addressed at Community Tip - Fixing mixed content errors and can be easily fixed with the right server settings. Search for “upgrading insecure requests”.

1 Like
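
An added example, not part of the original thread or of Cloudflare's community tip: a Python scanner that lists the `http://` subresources on an HTTPS page and shows the URL a browser requests once the server sends `Content-Security-Policy: upgrade-insecure-requests`. The sample page and its host names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit
# Response header that makes browsers rewrite http:// subresource URLs to https://.
CSP_HEADER = ("Content-Security-Policy", "upgrade-insecure-requests")
# tag -> attribute that triggers a subresource fetch (<a href> is navigation, so absent).
FETCH_ATTR = {"script": "src", "iframe": "src", "img": "src", "audio": "src",
              "video": "src", "source": "src", "link": "href", "object": "data"}
# Loaded with only a warning historically; all other kinds are blocked.
PASSIVE = {"img", "audio", "video", "source"}
# Constructed sample page (hypothetical hosts), not taken from the thread's site.
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="http://www.example.com/css/site.css">
<link rel="canonical" href="http://www.example.com/">
<script src="https://www.example.com/js/ok.js"></script>
<script src="http://cdn.example.net/lib.js"></script>
</head><body>
<a href="http://other.example.org/">link</a>
<img src="http://www.example.com/img/logo.png">
<img src="/img/relative.png">
</body></html>"""

class MixedContentScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (line, tag, url, "active" | "passive")

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        url = (a.get(FETCH_ATTR.get(tag, "")) or "").strip()
        if urlsplit(url).scheme.lower() != "http":
            return  # https, relative or absent: not mixed content
        if tag == "link" and "stylesheet" not in (a.get("rel") or "").lower():
            return  # only stylesheet links are treated as fetches here
        kind = "passive" if tag in PASSIVE else "active"
        self.findings.append((self.getpos()[0], tag, url, kind))

def scan(html):
    scanner = MixedContentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings

def upgrade(url):
    # URL a browser honouring CSP_HEADER fetches instead (port 80 becomes 443).
    p = urlsplit(url)
    if p.scheme.lower() != "http":
        return url
    netloc = p.netloc[:-3] if p.netloc.endswith(":80") else p.netloc
    return p._replace(scheme="https", netloc=netloc).geturl()
```

An upgraded request still fails if the other host does not serve HTTPS, so each finding is worth checking against its `upgrade()` result before relying on the header alone.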

OK, sandro, I’ll check it out. Thanks! Heading out to do some errands now though. Cheers!

1 Like

EDIT: The following comment was flagged as off-topic. It’s not. The OP asked how to change a setting and I explained how to change that setting. You can disagree / warn against it, but it’s an option provided by Cloudflare and requested by the OP.

You can change to flexible simply by clicking that option on the SSL/TLS > Overview section of your Cloudflare dashboard. That sets the site-wide SSL/TLS mode (every request to that domain will use the mode selected here).

You would use a page rule for this instead if you only wanted to change the mode when specific pages are requested (not sure why that would be wanted though). I’ve never tried setting SSL/TLS mode with page rules, but if that option exists then I guess it’s possible.

Sandro knows more about Cloudflare than I do, and it’s true that flexible is less secure, but I’ve used it before (for months at a time) and didn’t notice anything wrong. The mixed content issue can be fixed if that comes up.

You won’t notice the connection between Cloudflare and your server is actually not encrypted, which is bad. It’s still possible for attackers to launch man-in-the-middle attacks between Cloudflare and your server.

2 Likes

Right. I understand that part of it, but I just don’t think MITM attacks are a real concern for most websites using Cloudflare. And we’re talking about a HostGator website here (no offense to OP :innocent:) so it’s unlikely to be the kind of website that’s worth targeting in this way.

Of course it’s just my opinion. I could be wrong. If you’re in charge of web security for a bank: don’t listen to me.