Hi. I’m new to Cloudflare.
What I noticed is that CF presents an SSL certificate themselves. To encrypt my server I use Let's Encrypt. No wonder actually. After all they add some headers indicating the original request IP address.
I just ran a test.
I set an invalid SSL certificate in my web server but it seemed CF did not distrust it.
This was my procedure.
I have a valid certificate for my domain.com
I created a new subdomain, let's call it sub.domain.com.
In sub.domain.com I presented the certificate for domain.com.
If I skip the proxying and navigate to sub.domain.com on Safari, Safari distrusts the certificate.
If CF is proxying, the site is delivered normally. No message, no block. Nothing at all.
I’m worried about the idea of some MITM between CF and my actual server (in DO).
You brought up a very good point and you are right, there are millions of such insecure sites on Cloudflare.
To make sure your site is secure and validates the certificate you need to use Full Strict. Everything else will allow such man-in-the-middle attacks. This article has all details on that subject.
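An added example, not part of either post above: a Python check an origin owner can run to see whether the origin's certificate would survive strict validation for a given hostname, together with the name-matching rule that explains why a certificate for domain.com fails on sub.domain.com. The function names, the placeholder IP and the SAN lists are assumptions constructed for illustration; the default trust store only approximates what Full (strict) accepts, since that mode also accepts Cloudflare Origin CA certificates.

```python
import socket
import ssl


def san_matches(hostname, san_dns_names):
    """Return True if hostname is covered by one of the certificate's DNS SANs.

    Exact match, or a wildcard in the left-most label covering exactly one label.
    """
    host = hostname.lower().rstrip(".")
    for pattern in san_dns_names:
        pattern = pattern.lower().rstrip(".")
        if pattern == host:
            return True
        if pattern.startswith("*."):
            suffix = pattern[1:]                       # "*.domain.com" -> ".domain.com"
            if host.endswith(suffix):
                label = host[: -len(suffix)]
                if label and "." not in label:         # wildcard spans one label only
                    return True
    return False


def origin_passes_strict(origin_ip, hostname, port=443, timeout=5):
    """Connect straight to the origin (bypassing the proxy) and validate the
    certificate chain and hostname, as a strict-validating client would."""
    ctx = ssl.create_default_context()                 # chain + hostname checks enabled
    try:
        with socket.create_connection((origin_ip, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname):
                return True, "certificate valid for " + hostname
    except ssl.SSLCertVerificationError as exc:
        return False, exc.verify_message               # e.g. hostname mismatch, expired
    except OSError as exc:
        return False, "connection failed: %s" % exc


if __name__ == "__main__":
    # Constructed SAN list mirroring the test in the question: a certificate
    # issued for domain.com served on sub.domain.com.
    print(san_matches("sub.domain.com", ["domain.com", "www.domain.com"]))
    # 203.0.113.10 is a documentation placeholder; substitute the real origin IP.
    print(origin_passes_strict("203.0.113.10", "sub.domain.com"))
```

If `origin_passes_strict` returns `False` for a hostname that still loads normally through the proxy, the zone is not validating the origin certificate.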