'Flexible' SSL is 30% faster than 'Full' mode according to my tests. Should I change?

Hi,

In 2020, I started with my ‘Pro Plan’ at Cloudflare to protect my web project against DDoS attacks. My web project already included HTTPS, I started with Cloudflare in a rushed manner to protect the website against a DDoS attack, and I configured the SSL/TLS encryption in Full mode without further analysis.

Starting the same day I turned on Cloudflare protection, the TTFB of my website rocketed. And now I’d like to reduce it.

I’ve done some tests with some dummy domains, and I’ve seen that the ‘Wait’ time calculated by Pingdom changes (I performed the test five times per scenario):

  • 211 ms with ‘Full’ mode (SSL in Cloudflare + SSL in the origin server)
  • 147 ms with ‘Flexible’ mode (SSL in Cloudflare, no certificate in the origin server)

It’s a 30% reduction of the TTFB with the dummy domains. And the website I want to optimize currently has an average TTFB of 270ms. It should be lower than 200ms, and this change from ‘Full’ to ‘Flexible’ may reduce it up to 190ms.

My website does not store any kind of users’ information: personal or otherwise. It shows just public data, and there is no form to fill.

I would like your opinions and experiences with this issue. Should I change from ‘Full’ to ‘Flexible’?

Thank you very much in advance.

I’d avoid that at all costs.

  1. You’re only looking at TTFB, not overall load time. So that 30% faster is misleading.
  2. It sounds like your server’s SSL is the bottleneck. More testing should isolate the slowdown.
  3. If you’re not concerned about a secure connection, just leave SSL mode “Off”.

Thank you very much, @sdayman, for your kind answer.

> You’re only looking at TTFB, not overall load time. So that 30% faster is misleading.

It’s the parameter which I saw rocketing after starting to use Cloudflare. Of course, I’m trying to improve other parameters affecting the load time.

> It sounds like your server’s SSL is the bottleneck. More testing should isolate the slowdown.

Yes, you’re right, but currently I’d like to remove my origin server’s SSL to remove part of the problem. Which type of tests could I perform in the origin server? Recently I changed the operating system’s version to support TLS v1.3, and I noticed a decrease of the TTFB.

> If you’re not concerned about a secure connection, just leave SSL mode ‘Off’.

Completely agree. But Google ranks HTTPS websites better.

There are gobs of posts here about improving TTFB that include various solutions.

Still not advised. My rule of thumb is that one should not use Cloudflare to fix a server problem. That’s just a band-aid approach.

And for good reason. Security. But Flexible SSL isn’t secure. That’s like thinking your town is secure because you see police cars throughout the city. Until you realize there are no police officers with those cars.

Thank you, @sdayman, for your nice answer.

> There are gobs of posts here about improving TTFB that include various solutions.

I’m trying to read them carefully. Indeed they are different approaches than mine.

> My rule of thumb is that one should not use Cloudflare to fix a server problem. That’s just a band-aid approach.

If I remove the Cloudflare proxy and leave DNS only, the TTFB drops from 211 ms of ‘Full’ mode (SSL in Cloudflare + SSL in the origin server) to 89 ms (only SSL in the origin server). I’m not entirely sure that the problem is only in the origin server’s SSL configuration. I’m trying to find tests I could perform in the origin server.

> Flexible SSL isn’t secure.

I’m trying to find the origin of this problem with my configuration of ‘Full’ mode to avoid setting the ‘Flexible’ mode.


If it’s easily reproducible, open a ticket and post the number here. Someone from support should at least be able to confirm that Cloudflare is adding >100ms to TTFB. Make sure to include the data center you’re seeing this through, and where your server is located. Data Center is in the CF-Ray header and ends with the airport code nearest the data center.
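
One way to gather the numbers for such a ticket while keeping ‘Full’ mode, as an added example that is not part of the original thread: it splits TTFB into TCP connect, TLS handshake and server wait for the proxied path and for the direct-to-origin path, and reads the data center code from the CF-Ray header. The function names, `example.com`, `203.0.113.10` and the sample timings are constructed placeholders.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): break TTFB into phases so the proxied
# and direct-to-origin paths can be compared without weakening origin TLS.

# probe URL [HOST:PORT:IP] -> "connect appconnect starttransfer cf-ray" (seconds).
# --resolve pins the hostname to the origin IP, bypassing the proxy.
# %header{cf-ray} needs a recent curl; the field is empty if the header is absent.
probe() {
  curl -s -o /dev/null ${2:+--resolve "$2"} \
    -w '%{time_connect} %{time_appconnect} %{time_starttransfer} %header{cf-ray}\n' "$1"
}

# colo_of CF-RAY -> data center code (the text after the last '-').
colo_of() { printf '%s\n' "${1##*-}"; }

# summarize: reads probe lines on stdin and prints per-phase averages in ms.
#   tcp  = TCP connect (includes DNS lookup)
#   tls  = TLS handshake (appconnect - connect)
#   wait = time between end of handshake and first response byte
summarize() {
  awk '{ tcp += $1; tls += $2 - $1; srv += $3 - $2; ttfb += $3
         if ($4 != "") { n = split($4, p, "-"); colo = p[n] } }
       END { if (NR == 0) exit 1
             printf "tcp=%.0f tls=%.0f wait=%.0f ttfb=%.0f colo=%s\n",
                    tcp/NR*1000, tls/NR*1000, srv/NR*1000, ttfb/NR*1000,
                    (colo == "" ? "none" : colo) }'
}

# Constructed sample of two proxied probes (not real measurements).
sample_proxied() {
  cat <<'EOF'
0.020000 0.060000 0.210000 0123456789abcdef-MAD
0.022000 0.064000 0.214000 0123456789abcdef-MAD
EOF
}

# Real use (placeholders: example.com and the origin IP 203.0.113.10):
#   for i in 1 2 3 4 5; do probe https://example.com/; done | summarize
#   for i in 1 2 3 4 5; do
#     probe https://example.com/ example.com:443:203.0.113.10
#   done | summarize
```

If `tls` dominates on the direct path, the origin's TLS setup is the place to look; if `wait` grows only on the proxied path, the extra time is spent between Cloudflare and the origin.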
