Do CloudFlare proxy servers decrypt my data?

Hey CloudFlare Community.

I have put up my webpage on CloudFlare for protection. Does the end-to-end SSL (strict) ensure that my data does not get decrypted before it reaches the origin server? (Not even by CloudFlare).
I want to set up a site where the traffic won’t be compromised.

Also, if strict ain’t the solution, how can it be achieved using CloudFlare?

All help is appreciated!

Cloudflare, as a proxy, decrypts your traffic internally to do what Cloudflare does, and then re-encrypts it for your visitors.

Thanks for the response.

I assumed as much, but was hoping there was an option to disable this function so that the decryption only was on my origin server. Why does CloudFlare need the data decrypted? Could they just do the scrubbing on the encrypted data (that’s how DDoS protection works, right? :thinking:)

The only way to “disable” this on Cloudflare is to sign up for an Enterprise plan and use Spectrum to tunnel plain TCP packets. In this case each request will be forwarded as-is to your origin.

Everything else (even with “Full strict” on, which actually is a good choice and the only way to properly secure the connection, apart from the decryption on the proxies) will have the request decrypted on the proxy side and then re-encrypted before it is sent on to your origin. Without that, most of Cloudflare’s features would not be possible.


Alright. Guess the wording of decryption just got me thinking of unsafe. And maybe I’m a bit paranoid too. Seems like keeping the strict SSL on is the right choice for me and entrusting that the data is not being kept in CloudFlare’s databases. Thanks a lot for the clarification, sandro.

It depends what you define as unsafe. If you use Cloudflare you basically need to trust them with your data and you need to be aware that everything your users submit will be in plain text on Cloudflare’s systems, even if just briefly. I assume Cloudflare will safeguard this but there certainly still is an associated risk.

Strict SSL only means CF verifies the SSL certificate of your origin server when it does its CF<–>origin connection; it still does the encryption and decryption in order to provide all of the features Cloudflare offers.

If you want to prevent CF’s servers from receiving the data, you’ll need to turn off the orange cloud :orange: for your DNS records in the DNS tab. This will disable all DDOS protection and other features aside from DDOS protection on CF’s own DNS resolver.


I definitely want to keep the protection that CloudFlare provides. I hope they have no interest in using the traffic for anything else than whatever is needed to keep the webpage secure.