Cloudflare Flexible SSL

Are there issues with having Flexible SSL option enabled in Cloudflare when the edge server does have a valid SSL (as per cPanel AutoSSL)? Or will there be issues trying to send http traffic from Cloudflare to edge when https is expected?

Or is it best to have it on Full?

Sometimes AutoSSL fails to auto-renew. To get it to work on our host, I had to turn off Cloudflare for a bit, then it ran successfully, as it was checking for some edge DNS TXT values or something.

So I thought I’d just leave things as Flexible in case AutoSSL failed.

Originally I thought Flexible mode would try https first, then fall back to http if there was an SSL error or no SSL found on the edge.

I’ve recently been having an issue with my setup, regardless of using Full or Flexible, or whether Edge had an SSL or not. It’s to do with intermittent down-times throughout the day preventing access to our website for 10-20 minutes at a time.

I reset Cloudflare so it could obtain the latest DNS from edge, but the DNS A name for www was still the same IP. Trying to work out if my host provider knows of any issue, but they keep blaming Cloudflare, and Cloudflare alerts me automatically to check with my host provider.

We are not using HSTS, and we use Cloudflare page rules to redirect to https://www

Just trying to determine what it could be. I don’t want to end up having to move away from Cloudflare, as it has nifty features and stats, and protection.

Not sure if my website caches well with Cloudflare as it consists of 1 .php file, which I use query strings to determine which page to display (thus which include file to dynamically process). My site is image gallery heavy (with many JPG files). I’m assuming Cloudflare caches those, but not sure if it can cache dynamic pages?
I wonder if when Cloudflare refreshes its caches, could that be causing outages?

I did ask our host for any known issues with Cloudflare, but not much help.

Thanks all. Sorry to include a few inter-related things in this post.

There are. You basically just front your site with encryption, but behind the scenes everything is still insecure and unencrypted.

Full is definitely better, as it prevents passive listening, however only “Full strict” is really secure.

You might want to take a look at Cloudflare’s Origin certificates. They also need renewing, however their validity can be longer than three months.

I understand the security side of things, but I’m trying to ascertain what (if any) negative impact there is for the different types of configuration, which may affect access to the website, as I’m getting intermittent time-outs throughout the day, even with SSL on both set on Full, but also previously on Flexible (with or without an Edge SSL).

I also set Cloudflare to work even when the edge is down, using its cache, however it may not be applicable perhaps, as my site is a single .php page that loads .inc files based on the page id specified in the query string. I’m sure that it may have worked better if it was using static html, but don’t have the time to re-work the site.

I could go back to no Cloudflare, but I got annoyed when AutoSSL failed once, and we went for a few days being down as I was redirecting to https.

Trying to work out if it’s my edge host not playing well with Cloudflare, in terms of DNS or any intermittent Cloudflare blocking etc., but not getting any clear response from them.

I use site24x7 (and uptimerobot) to monitor uptime, and the outages are usually positive, and not false positives due to geo-fencing which we don’t have anyway.

One thing I don’t like with Cloudflare is that it doesn’t allow auto-refreshing the original edge DNS, as it only synchronises once upon creation.
A couple of times I had to recreate the site on Cloudflare, and that helped, as it found minor differences with the DNS.
Also once our host changed IP address, so I simply modified that value in Cloudflare’s DNS.
The communication from our host wasn’t clear, and also I wasn’t sure then whether I had to make a change, or Cloudflare would work it out, or whether our host would keep the old IP working and somehow redirect to the new one to prevent sites from breaking.

Our host mentioned they can’t help much if our DNS is being managed by Cloudflare, and any IP changes cannot be automatically applied for us…
I haven’t had this issue with GoDaddy though (yet). I think it’s because the other host is transitioning to a new parent company or something, and migrating hosting servers etc.

I did notice the Cloudflare self-signed certificate, but I’m not that good with that stuff. I really want the ease of use of Cloudflare.

Also not too fussed about https between CF and edge, as I’m mainly trying to satisfy the browsers by having https and a valid SSL certificate, which is reliable and auto-renews… And Free!

Thanks

There are no “configuration impacts” on either setting. In all cases Cloudflare will simply connect to your server and send the request, that’s it. Of course your server needs to respond, if it doesn’t the site won’t load but that won’t be a Cloudflare issue at that point.

Flexible is not secure and should not be chosen. So in simple words, pick “Full strict” and make sure your own server is properly configured for SSL. In that case you are good to go. If you still have timeouts that is something you need to investigate on your server. The search here on the forum will provide you with more details, as well as the #Tutorials section.
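An added example, not part of the thread: one way to check the origin's certificate directly (bypassing Cloudflare) before switching to "Full strict", and to catch a failed AutoSSL renewal before it expires. The function names, the 14-day warning threshold and the sample certificate are assumptions; the check uses the system trust store, so it fits a publicly trusted certificate such as AutoSSL's, while a Cloudflare Origin certificate would need its CA root loaded into the context.

```python
import socket
import ssl
import sys
import time

def fetch_origin_cert(origin_ip, hostname, port=443, timeout=10.0):
    """Connect straight to the origin IP with SNI set to hostname and return
    the verified leaf certificate; raises on an untrusted cert or a timeout."""
    ctx = ssl.create_default_context()  # system trust store, hostname check on
    with socket.create_connection((origin_ip, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
            return tls.getpeercert()

def name_matches(pattern, hostname):
    """Match one SAN DNS name; '*' covers exactly one left-most label."""
    p, h = pattern.lower().split("."), hostname.lower().split(".")
    if len(p) != len(h):
        return False
    return (p[0] == "*" or p[0] == h[0]) and p[1:] == h[1:]

def assess(cert, hostname, now=None, warn_days=14):
    """Classify a getpeercert()-style dict as 'expired', 'name-mismatch',
    'renew-soon' or 'ok', and return it with the whole days left."""
    now = time.time() if now is None else now
    days_left = int((ssl.cert_time_to_seconds(cert["notAfter"]) - now) // 86400)
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if days_left < 0:
        return "expired", days_left
    if not any(name_matches(s, hostname) for s in sans):
        return "name-mismatch", days_left
    return ("renew-soon" if days_left < warn_days else "ok"), days_left

# Constructed sample in the shape ssl.getpeercert() returns (not real data).
SAMPLE_CERT = {
    "notAfter": "Jun  1 12:00:00 2030 GMT",
    "subjectAltName": (("DNS", "example.com"), ("DNS", "www.example.com")),
}

if __name__ == "__main__":
    # Arguments: origin IP (from your host), then the site hostname.
    ip, host = sys.argv[1], sys.argv[2]
    try:
        print(assess(fetch_origin_cert(ip, host), host))
    except (ssl.SSLError, OSError) as exc:  # bad certificate or no answer
        print("origin check failed:", exc)
```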
