Flexible SSL Issue

In my hosting I don’t have an SSL certificate, but they installed one so that if you access via HTTPS it redirects to a page offering to buy it.

Apparently CloudFlare’s flexible mode attempts a connection via SSL to the host and if the response is successful, it maintains the connection via SSL even if it is a trap and leads to an incorrect page.

Isn’t there a way that CloudFlare’s flexible mode doesn’t attempt an HTTPS connection to the original host? Only an unencrypted connection.

Thanks.

Interesting. I’ve never observed that behaviour, but I’m not sure that I have explicitly configured it. Just to make sure, clear the cache to make sure it isn’t just a cached page?

Yes, cleaned cache and flushed DNS.

The problem is that my site has configured that if accessed by HTTPS it will be redirected to the web to buy it. It’s not something I can configure since it’s a free hosting.

But this way, I can’t use CloudFlare’s flexible mode since this mode tries an HTTPS connection and is successful but fake.

It looks like an Anti Cloudflare SSL…

Flexible is designed to get TLS encryption where an installation of a certificate is not possible. Therefore each request is redirected to HTTP.
What’s the domain and who’s your webhost?

I’m not able to reproduce a problem here. I changed one of my domains to flexible and put together a quick script to test.

When I connect via HTTP I see HTTP_X_FORWARDED_PROTO: http, and the web server correctly reports only http. When I connect via HTTPS, I see HTTP_X_FORWARDED_PROTO: https, and the web server still reports only http.

To confirm my test was good I then returned to Full (strict), now the web server’s http/https status matches the HTTP_X_FORWARDED_PROTO header.

In other words, in flexible mode Cloudflare is taking a https request and querying the server with http, despite the server being willing to answer https with a valid certificate.

Perhaps the host is looking at the Cloudflare-added header and returning a different result to stop users from doing this exact thing?

1 Like
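The header check described in the post above, written out as an added example (not code from the thread or from Cloudflare): a minimal WSGI app that compares the scheme Cloudflare reports in X-Forwarded-Proto with the scheme the origin actually received. Under Flexible the two disagree (visitor https, origin http); under Full (strict) they match. The port and the WSGI setup are assumptions.

```python
# Added example: classify the edge-to-origin hop from the request environment.
# HTTP_X_FORWARDED_PROTO is the header Cloudflare adds; wsgi.url_scheme is what
# the origin server itself negotiated with the client that reached it.
import json
from wsgiref.simple_server import make_server


def classify(environ):
    """Return a dict describing how this request reached the origin."""
    forwarded = environ.get("HTTP_X_FORWARDED_PROTO", "").lower()
    origin = environ.get("wsgi.url_scheme", "http").lower()
    if forwarded == "":
        verdict = "no proxy header: request did not come through Cloudflare"
    elif forwarded == origin:
        verdict = "schemes match: consistent with Full or Full (strict)"
    elif forwarded == "https" and origin == "http":
        verdict = "visitor used HTTPS but origin hop is plaintext: Flexible"
    else:
        verdict = "unexpected combination"
    return {
        "visitor_scheme": forwarded or None,
        "origin_scheme": origin,
        "verdict": verdict,
    }


def app(environ, start_response):
    # Echo the classification so a browser or curl can read it directly.
    body = json.dumps(classify(environ), indent=2).encode()
    start_response("200 OK", [("Content-Type", "application/json")])
    return [body]


if __name__ == "__main__":
    # Assumed port; put this behind the origin's web server or run it directly.
    with make_server("", 8080, app) as srv:
        srv.serve_forever()
```

Requesting the page over HTTPS through Cloudflare and seeing the Flexible verdict confirms that the origin hop is unencrypted even though the visitor sees a padlock.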

I am now using https://www.freehosting.com/

Now I enabled Flexible SSL and when I access via HTTPS, this appears:


Cloudflare tries an HTTPS connection in Flexible mode, almost now.

It can’t be that the hosting detects CloudFlare to redirect to the page because if it only made a connection via HTTP, it wouldn’t go out.

If I disable the SSL mode and set it to OFF, the page is correctly accessible through CloudFlare, plus it’s precisely the web that redirects when trying to access it via HTTPS from the outside without CloudFlare.

Perhaps if Flexible mode is enabled, CloudFlare connects to the host in a different way and the host uses HTTPS by default, which is the problem.

@aeri, the situation is pretty straightforward. Get a certificate on your server, that’s a matter of minutes. If your host charges for that, either simply pay for the service or change to a host who does not charge for it.

The entire Flexible discussion is somewhat tiring and there shouldn’t be a need for it in the first place. Flexible is insecure and deceiving your very own visitors.

I’m not arguing about whether it’s safe or not, all I’m saying is that the flex mode tries to make the connection over HTTPS.

I’m not paying $23 for an SSL certificate, so I can use CloudFlare as an additional layer of security, and I don’t see the need to change hosts either.

Obviously there is need if you want SSL but don’t want to pay for the service. There are plenty of hosts who will provide LE certificates for free, for example. Even Cloudflare’s origin certificates are an option.

The “safe” part definitely is an important factor too, as your site simply is not safe in this case, even though you would like your visitors to believe it.

It really is simple.

I understand the security implications, however with a CloudFlare certificate, a man in the middle can be avoided on the user side, obviously CloudFlare will connect insecurely, but it can be considered a more reliable route.

It’s also not to argue that I want SSL and don’t want to pay for it, if I want to pay for the CloudFlare Enterprise plan where an SSL certificate is available I won’t be able to use it either.

This is leading to whether or not you need to pay, the main problem is to discuss how CloudFlare is performing with the flexible mode.

I would not call that more reliable. Your average Joe in an Internet cafe won’t be able to intercept your connections, but everyone after Cloudflare (e.g. in the DC) still will be able to.

There is little grey area in security. Either it is secure or it is not. If you go via HTTP, it is not secure by definition.

Not sure where the Enterprise plan came in from, as that really is not required for any SSL service whatsoever.

If you want SSL and your host only offers a paid option, for which you do not want to pay however, the only conclusion could be to change host.

As for whether Flexible works or not, that’s something for support to clarify, however we really shouldn’t need that discussion in the first place :slight_smile:

I don’t know why you divert attention from the topic to whether I have to pay for the service or not, if you read the beginning of the topic, I have only consulted the operation and if there were any rules or adjustments to avoid this behavior.

I prefer to discuss with users what experience they’re having with the help of users such as @thedaveCA and @MarkMeyer

not just telling me to change the hosting, that doesn’t help me at all…

I am not diverting attention. I told you to contact support in this case.

What I did point out is that your setup is insecure in any case.

This is a public forum :wink:

Actually it does. You want a secure site, right? That requires a certificate on your origin. Your host provides that but you do not want to pay for it, right? In that case changing to a host who offers that service for free would be a reasonable course of action, wouldn’t it be?

1 Like

I don’t necessarily need de facto security as it doesn’t support any critical websites, I just want to make use of the Universal SSL functionality that Cloudflare provides for free and allows an additional layer of security to be applied all the way up to CDNs, which I think is quite important.

Thanks anyway :slight_smile:

Then simply turn it off altogether. As evident from this case any encryption definitely adds one more layer of complexity, which needs maintenance and is harder to debug.

SSL really is not a big deal these days and most reasonable providers offer it out of the box.

It seems you just want to avoid my problem, it doesn’t have to be a direct security reason, if I want to make use of the encrypted SNI functionality so that the routers or ISPs can’t trace the access to my domain…

Things are not solved by disabling or avoiding them, only sharing the experiences and ideas of other users can make a good community.

We are really mixing a lot here now. ESNI is not solely dependent on SSL. In order to properly utilise that you need the full stack, which includes the right browser and encrypted DNS. If that is not given, ESNI won’t even be used.

But back to SSL, I am not “avoiding your problem” I am pointing out the flaws in your approach and suggested reasonable alternatives.

No offence, but to me it seems you want your site to run in the cheapest possible way (no paid hosting, no paid certificate, no paid anything), accepting the fact that your site is not securely transferred because of that but at the same time make your visitors believe they are on a secure site.

Is that an accurate summary? If so, I do rest my case and there is nothing more to say from my side. As I already said, if you have an issue with your configuration you will need to contact support in this case.

To get this back to topic. Since you didn’t tell us the domain, some guesswork:

It seems to me that you cannot use “custom” nameservers. When I try to create a free account:


I don’t know what’s possible within the admin panel but it looks like you’re forced to use their nameservers in the first place.

Thanks for your involvement, that appears in the first place but when you specify the domain, the account is created and then it already allows you to point the nameservers to the host, this way you can link directly and use it as a unique host and dns server.

It takes a few seconds until the final panel of the hosting appears where you can configure the basic functionality of the hosting.