So as the title suggests, attempting to access my subdomains after disabling the CF proxy results in connection refused errors as well as Error code: SSL_ERROR_NO_CYPHER_OVERLAP, while the sites work fine with CF proxy enabled. Weirdly enough, when searching through the forum I noticed that the issue in reverse was most common (enabling CF proxy would result in an inaccessible website), hence why I am posting.
The following settings are currently configured on CF:
SSL/TLS: Full
Always use HTTPS: Off (used to be on)
HSTS: Disabled (used to be enabled, 3 months, currently 2 months in)
That's odd. The first thing I'd guess is that your server blocks all traffic from non-Cloudflare IP addresses. That would be a pretty obvious reason why connections fail without Cloudflare.
Could that by any chance be related to my letsencrypt config using cloudflare dns validation? I imagine that's the DNS only proxy status in CF though.
ssllabs came up with no grand issues. Only thing notable is that HSTS appears to be enabled even though I disabled it (I imagine because the max-age hasn't passed yet) and there seems to be no DNS CAA. Unsure if these are relevant.
Will wait for a month till HSTS max-age has passed to give it another try and ask at serverfault if the same issue resurfaces.
HSTS max-age generally doesn't matter outside of the usual browser experience. It's like a one-month cookie to remember to use HTTPS. Switch browsers or devices, and you get a fresh start. Clearing that "cookie" in a browser is more difficult, though. Something like the Qualys test shouldn't remember that HSTS setting.
CAA records and HSTS do not influence each other at all.
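A small diagnostic helper for the two points raised above (the origin possibly refusing non-Cloudflare clients, and the lingering HSTS max-age). This is an added example, not code from the thread or from Cloudflare; the origin IP, hostnames and header values you pass in are your own, and the header string in the comments is constructed.

```python
"""Added example: probe an origin directly vs. through DNS, and read an HSTS header."""
import re
import socket
import ssl

HSTS_RE = re.compile(r"max-age\s*=\s*(\d+)", re.IGNORECASE)


def parse_hsts(header):
    """Parse a Strict-Transport-Security value, e.g. 'max-age=7776000; includeSubDomains'.

    A browser keeps forcing HTTPS for max-age seconds after the LAST time it saw
    the header, so turning HSTS off only stops new pins; clients that already
    saw it keep it until their own timer expires (the '3 months' in the thread).
    """
    m = HSTS_RE.search(header)
    if not m:
        raise ValueError("no max-age directive in HSTS header: %r" % header)
    directives = {d.strip().lower() for d in header.split(";")}
    return {
        "max_age": int(m.group(1)),
        "include_subdomains": "includesubdomains" in directives,
        "preload": "preload" in directives,
    }


def probe_tls(server_name, ip=None, port=443, timeout=5.0):
    """TLS-connect to ip (or to whatever server_name resolves to), sending SNI=server_name.

    Calling it once with ip=<origin IP> (what 'DNS only' clients hit) and once
    with ip=None while proxied (the Cloudflare edge) separates the two failure
    modes in the thread: stage 'tcp_connect' with 'Connection refused' means the
    origin or its firewall never accepted the TCP connection (e.g. only
    Cloudflare ranges are allowed); stage 'tls_handshake' means TCP worked but
    the origin's TLS configuration rejected the client (cipher/protocol overlap).
    """
    ctx = ssl.create_default_context()
    # Origin CA or self-signed certs are common on origins; we are diagnosing
    # reachability and negotiation here, not trust, so skip verification.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    target = ip or server_name
    try:
        with socket.create_connection((target, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=server_name) as tls:
                return {"stage": "ok", "protocol": tls.version(), "cipher": tls.cipher()[0]}
    except ssl.SSLError as e:
        return {"stage": "tls_handshake", "error": e.reason or str(e)}
    except OSError as e:
        return {"stage": "tcp_connect", "error": e.strerror or str(e)}
```

Run `probe_tls("sub.example.com", ip="203.0.113.10")` against your real origin IP and compare with the proxied result; if the direct call reports `tcp_connect` / refused while the proxied one is `ok`, the first reply's IP-allowlist theory is confirmed rather than a cipher problem.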