Does a Cloudflare Worker allow a secure HTTPS connection in fetch even on Flexible SSL?


#1

So I’m trying to revamp our setup by serving mostly our static files on a cloud storage bucket instead of an origin server.

You could store an s3 bucket without provisioning a certificate in cloudfront via flexible ssl. I was wondering, does a Cloudflare Worker use a secure http connection inside fetch if my ssl option is set to Flexible SSL?

I’m wondering if this is an option, because I plan to use Cloudflare Workers to handle sensitive data, basically using it as a proxy.


#2

No, it uses HTTP which is insecure by definition. Flexible should generally be avoided.

You definitely need to choose one of the Fulls in this case, preferably Full Strict.


#3

Sorry if I didn’t make that clear, what I meant by ‘secure http’ is https, so if I do a fetch on an https endpoint, would that mean I’m fetching over a secure connection even though my setting is on Flexible SSL?


#4

If you specify an HTTPS FQDN I would expect it to connect in a secure fashion.


#5

Hi @chriz,

No, it does not. If your zone’s SSL setting is Flexible, then:

  • Fetches to your own origin(s) will always use HTTP (insecure), regardless of the protocol passed in the URL to fetch().
  • Fetches to origins off of Cloudflare will honor the protocol specified in the fetch() call, but will not validate the origin certificate.
  • Fetches to a different zone on Cloudflare will always cause the target zone to see an inbound HTTP request at the edge. How (or if) that request is forwarded to the target zone’s origin is dependent on the target zone’s settings.

Like @sandro, I recommend using the Full (Strict) SSL setting if at all possible.


#6

Didn’t expect this, why not validate the certificate?

Is this seen as an inbound not secure connection in their analytics?


#7

I didn’t either. I think it’s a bug, but haven’t dug into it yet.

I would expect so, but haven’t verified this.


#8

Oh, that’s why I see some unsecure connections even though I have preloaded the domain and there is a 301 to HTTPS everywhere…


#9

What happens if I just use Full SSL? Would fetches inside a worker on an https endpoint:

  1. validate the certificate if it’s off Cloudflare?
  2. use https if it’s on the Cloudflare network but a different zone?

#10

Yes to both – if the zone SSL setting is full, fetch() will respect the protocol in the URL and validate non-CF origins’ certificates.