General question about TLS configuration

I have 2 zones in Cloudflare. has a CNAME to and both proxies buttons on their records are on.

The TLS configuration on is set to FULL however the TLS configuration on is set to Felixble.

I’d like to know which one will be applied eventually when customer make request to

Thank you

1 Like

Actually my question is not about the TLS options. I know how Full and other options work. My question is about their behaviour when there are 2 zones involved. First domain has a CNAME to second domain and both domains have their own TLS setup. which one will be applied eventually? the settings in first zone or the settings in second zone?

Is the CNAME :orange: or :grey:?

Orange one (proxy is on in both zones on both domains)

Then no CNAME is published. A and AAAA records of the Cloudflare proxy are published instead. Visitors will arrive at the Cloudflare proxy and their HTTPS request will presumably be sent as an HTTP request to the canonical hostname. Since the canonical hostname is also proxied, this is very likely to result in an infinite loop due to the host header containing the alias hostname defined in the CNAME.

Have you already tried this? If so, what were the results you observed?

It may be more effective for you to describe your desired outcome instead of focusing on the minutiae of what you think may be the way to reach that outcome.

It sounds like you may be trying to configure something that is only going to work with Cloudflare for SaaS.

Thank you for your response. Allow me to provide further clarification on our objectives.

Currently, our SaaS platform operates akin to a website builder. Our customers possess their own domain names. To serve them effectively, we instruct them to establish a CNAME record with their DNS provider, directing to Additionally, we advise them to disable the proxy feature on Cloudflare if they are utilizing it. Meanwhile, operates with proxy turned off (DNS only), with all TLS functions managed by our servers.

Now, we’ve made the decision to activate Cloudflare’s proxy feature to leverage functionalities such as rate limiting. Consequently, we aim to implement TLS for our customers on Cloudflare’s end as well. Some clients have expressed interest in enabling Cloudflare’s proxy on their domains to benefit from features like WAF.

Given our use of custom hostnames with the fallback Origin having the proxy enabled, Cloudflare can manage SSL certifications for these custom hostnames. We also have TLS Full strict option on.

Now the question is, what happens if our customers who have Cloudflare as their DNS provider, put their proxy on and have TLS option Off or Flexible?

Thank you for the more complete explanation. It definitely makes it easier to help answer quesrions.

I would recommended that you aggressively advocate against the use of any Cloudflare encryption mode settings other than Full (strict) as other options will inevitably prove problematic.

The hostname priority section (directly linked) of this guide should help explain what takes priority.

Let us know if you think anything is missing from it, or have more questions.


In addition to that, the setup you describe is called “Orange to Orange” on Cloudflare.

Normally, only the provider’s settings will apply, that means yours.

If you customers want to manage their Cloudflare settings in addition to yours, that requires an Enterprise agreement, at least from what I understand.


Thank you Laudian. This answered my question completely.
So my settings are applied unless our customer go with Enterprise plan and setup O2O.

Thanks a lot

Thank you, The link you shared with the examples there answered my question completely.

Just have a question about this sentence in the link you shared:

If Customer1 wants to regain control of their zone, Customer1 contacts Customer2 and requests them to delete the custom hostname record. Another possibility is to stop proxying (gray-cloud) the record.

If they stop the proxy (gray-cloud) they just use DNS on cloudflare, so we still will receive the traffic on our zone and our config will be applied again. correct?

Good. I am glad to hear that it was useful.

The problem referenced in that passage was addressing SaaS hosts that were slow to remove churned hostnames from their account. After users updated their still :orange: records expecting to see their new site, they would instead see an error page from their previous SaaS provider who had removed the site from their hosting platform, but not their Cloudflare account.

Once the record is set to :grey: DNS Only, the traffic no longer passes through the Cloudflare proxy, so no Cloudflare proxy settings from the customer’s Cloudflare account could apply.

To your specific question: as long as that customer’s hostname was pointed at your canonical name and you still had their custom hostname active in your Cloudflare account, it would continue to serve their content from your platform.

This topic was automatically closed 2 days after the last reply. New replies are no longer allowed.