Cloudflare Dedicated SSL - 502 Error - Solution = SSL Flexible?

ssl

#1

Hello,

I’m facing 521 and 502 errors on my website after I added CF dedicated SSL. Tried to whitelist CF IP on both GCP firewall and NGINX, but still no result. Then I set the SSL type from “full” to “flexible”, then suddenly everything works fine. I removed CF IP that I whitelisted earlier on GCP firewall and NGINX, and the website is still working fine. What does SSL ‘flexible’ mean? Does ‘flexible’ mean less security?

Would appreciate any input.

Thank you.


#2

To make use of Full or Full (Strict) you need to install a certificate on your server and open at least port 443 or tell your webserver to listen on it.

Basically

Flexible encrypts traffic between your visitors and CloudFlare but not between CloudFlare and your server. Traffic on port 443 here is redirected to port 80 on your server. That’s why it works on “Flexible”.


#3

@MarkMeyer Thanks for the explanation. How do I install a certificate on my server using CF dedicated SSL? I didn’t get a certificate when I purchased it. I used CF free SSL in the past and I do get the certificate on that one.


#4

Depends on how you manage your server.

Most control panels either create a self signed certificate when you enable SSL or guide you through the process to create a self signed. At least Plesk supports Let’s Encrypt including automated renewal.

If you have command line access only you can create a self signed there and change your Apache, nginx or whatever configuration accordingly.

Once you’ve installed it you can use “Full”. But I highly recommend to get a signed certificate to use Full (Strict). Let’s Encrypt certs are free and trusted.

But it’s also possible that SSL is simply not active in your webserver configuration. You can easily check it by accessing your server via HTTPS://ip.add.re.ss:443

If you get a timeout or connection refused, check your webserver and firewall config.


#5

@MarkMeyer You mean I have to get another SSL certificate so I can add it on my server (to get ‘full’) on top of Cloudflare dedicated SSL?


#6

Exactly. That’s the only way to take advantage of ‘end to end’ encryption and to reduce the possibility that someone can sniff the traffic between CloudFlare and your server.


#7

@MarkMeyer Thank you so much. I added CF Origin certificate and everything works fine now with “full (strict)” settings.
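The direct-to-origin HTTPS check suggested in post #4, as an added example that is not part of the original thread: it connects to the origin on port 443 without going through Cloudflare and reports which SSL modes the result can support. The function names and the `MODES` table are hypothetical; `cafile` is an assumption for origins whose certificate chains to a CA that is not in the system trust store (for instance a Cloudflare Origin certificate as in post #7, with a root file you supply).

```python
import socket
import ssl
import sys

# Which Cloudflare SSL modes each probe result can support, per the thread.
# "Flexible" additionally assumes the origin answers plain HTTP on port 80.
MODES = {
    "unreachable": ["Flexible"],
    "no_tls": ["Flexible"],
    "untrusted_cert": ["Flexible", "Full"],
    "trusted_cert": ["Flexible", "Full", "Full (Strict)"],
}

def probe_origin(host, port=443, server_name=None, cafile=None, timeout=5.0):
    """Connect straight to the origin (bypassing Cloudflare) and classify it.

    Returns (status, detail); status is a key of MODES.
    cafile: optional CA bundle to trust instead of the system store.
    """
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        # Refused or timed out: nothing listening on 443, or a firewall drop.
        return "unreachable", str(exc)
    # The default context verifies both the chain and the hostname.
    ctx = ssl.create_default_context(cafile=cafile)
    with raw:
        try:
            with ctx.wrap_socket(raw, server_hostname=server_name or host) as tls:
                return "trusted_cert", tls.version()
        except ssl.SSLCertVerificationError as exc:
            # TLS works, but the cert is self-signed, expired or mismatched.
            return "untrusted_cert", exc.verify_message
        except (ssl.SSLError, OSError) as exc:
            # Port is open, but the handshake failed (listener not speaking TLS).
            return "no_tls", str(exc)

def usable_modes(status):
    """Map a probe status to the list of SSL modes that can work with it."""
    return MODES[status]

if __name__ == "__main__":
    # Usage: python probe.py <origin-ip> <site-hostname> [ca-bundle.pem]
    ip, name = sys.argv[1], sys.argv[2]
    ca = sys.argv[3] if len(sys.argv) > 3 else None
    status, detail = probe_origin(ip, server_name=name, cafile=ca)
    print(f"{status}: {detail}")
    print("Modes that can work:", ", ".join(usable_modes(status)))
```

An `unreachable` or `no_tls` result matches the situation in post #1, where only Flexible worked; `untrusted_cert` is what a self-signed certificate produces.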

