Sometimes proxied record is not proxied

We have an issue on some records:
They are configured as proxied, so clients usually see the “edge” certificate managed by Cloudflare,
but sometimes the DNS points to the origin server, where the certificate is not valid (expired), and so the clients get an SSL error when they go to the site.
Is it possible to guarantee that a proxied record is 100%, always, proxied if configured so?

We had the problem on 2 different domains since the 18th of March; the origin server was a “Cloudflare partner” specialized in ad management.

That’s the first thing you should fix. Without a valid certificate on your server you can’t have a secure connection.

Really? I thought the whole idea of the Cloudflare proxy mode was to manage exactly this kind of situation.
We are in “strict mode”, so a valid certificate is not required according to the documentation.

Strict mode: “Encrypts end-to-end, using a self signed certificate on the server”

No, how should that work?

If you don’t have a valid certificate that connection can’t be validated and won’t be secure.

You should first fix the server certificate and make sure you always renew it.

So you mean the “Flexible” and “Full” modes do not work?
Only “Full (strict)” is acceptable for proxy mode?

Yes, only Full strict is properly secure. Everything else is either unencrypted or broken encryption. The search will have more on that.

My question is:
is it normal that a record configured as “proxied” sometimes is not proxied?

I understood that but the first issue to be fixed really is the certificate.

OK, the certificate is valid on the origin now.
But if I understand well, this means I cannot block traffic from sources other than Cloudflare when using proxy mode? There is always a possibility that Cloudflare will temporarily “leak” traffic.
This is an issue because it means the WAF will not work during these periods. What can I do to prevent this leakage? Is it related to the Free/Pro/Business/Enterprise status?

Good, fixing the certificate was important, also make sure it is “Full strict” now as everything else won’t validate the certificate.

As for the proxying part, if a record is proxied it will always be proxied, Cloudflare won’t suddenly unproxy it, unless you pause Cloudflare, or it is not proxied to begin with.

Which hostname is it and is it reproducible? Could it be some DNS issue on your end?

No, the DNS is Cloudflare, the record was in “proxy mode”, and sometimes we had the origin SSL certificate exposed to browsers. So I do not know if it was a DNS issue or if Cloudflare made some kind of tunnelling instead of proxying, but it was completely unexpected to have the origin certificate exposed.

That is very unlikely to be a Cloudflare issue and I would assume that will be something DNS related on your end.

I would recommend to double check everything and if you can really rule out any issues you should contact support. Alternatively you can also check out the audit log if anything might temporarily unproxy your records, though I wouldn’t assume this to be the case.
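One way to do that double-checking from the outside, as an added example that is not part of this thread or of any Cloudflare tooling: resolve the hostname, classify every answer against a list of edge ranges (the block uses a constructed placeholder list; substitute the one Cloudflare publishes at https://www.cloudflare.com/ips/), and record whether the certificate a client sees actually validates for the name. Run periodically from a few vantage points, it turns an intermittent “origin certificate exposed” event into a log entry instead of a user complaint.

```python
"""Check that a 'proxied' hostname really resolves to edge IPs and serves a
valid certificate. Editor-added example, not code from the thread."""
import ipaddress
import socket
import ssl
import time

# Constructed placeholder ranges (documentation prefixes) so the block runs
# offline; replace with the list published at https://www.cloudflare.com/ips/
EDGE_RANGES = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "2001:db8:cf::/48")]

# Constructed sample shaped like ssl.SSLSocket.getpeercert(); expired in 2021.
SAMPLE_CERT = {
    "subjectAltName": (("DNS", "*.example.com"), ("DNS", "example.com")),
    "notAfter": "Mar 18 00:00:00 2021 GMT",
    "issuer": ((("organizationName", "Example Origin CA"),),),
}

def is_edge_ip(ip, ranges=EDGE_RANGES):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ranges)

def classify_resolution(ips, ranges=EDGE_RANGES):
    """'proxied' if every answer is an edge IP, 'origin' if none is,
    'mixed' if some answers expose the origin address."""
    flags = [is_edge_ip(ip, ranges) for ip in ips]
    return "proxied" if all(flags) else ("origin" if not any(flags) else "mixed")

def cert_covers_host(cert, hostname):
    """Match hostname against DNS SANs, allowing a single leftmost-label wildcard."""
    host = hostname.lower().rstrip(".")
    for kind, name in cert.get("subjectAltName", ()):
        name = name.lower()
        if kind != "DNS":
            continue
        if name == host or (name.startswith("*.") and "." in host
                            and host.split(".", 1)[1] == name[2:]):
            return True
    return False

def cert_expired(cert, now=None):
    """now: seconds since the epoch; defaults to the current time."""
    now = time.time() if now is None else now
    return now > ssl.cert_time_to_seconds(cert["notAfter"])

def live_check(hostname, port=443, ranges=EDGE_RANGES):
    """Resolve, classify, then connect with full verification: an expired or
    wrong origin certificate surfaces as SSLCertVerificationError."""
    ips = sorted({ai[4][0] for ai in socket.getaddrinfo(hostname, port, type=socket.SOCK_STREAM)})
    result = {"ips": ips, "resolution": classify_resolution(ips, ranges)}
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((hostname, port), timeout=5) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                cert = tls.getpeercert()
        result["cert_ok"] = cert_covers_host(cert, hostname) and not cert_expired(cert)
        result["issuer"] = {k: v for rdn in cert["issuer"] for (k, v) in rdn}.get("organizationName")
    except ssl.SSLCertVerificationError as exc:
        result["cert_ok"], result["error"] = False, exc.verify_message
    return result
```

A result of `"resolution": "mixed"` or `"cert_ok": False` at the same moment from several resolvers is the evidence to attach to a support ticket; a single client seeing it while others do not points at that client's resolver instead.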

How could it be a “DNS issue on our end”? The nameservers are Cloudflare’s.

Your resolver. Something else in your DNS configuration. Impossible to say without details, but that’s not likely to be Cloudflare related.

The issue began on the 18th, and there is no action in the audit log between the 17th and the 21st.
The origin with the problem is Cloudflare’s certified partner Ezoic.
We had the problem yesterday again with another domain, and once again, Ezoic’s certificate was exposed.
As for the “resolver” issue, it was not an issue on a single client. The issue was general; people at home, with different ISPs, were impacted by the problem.

Are you on a partner setup?

If nothing is in the audit log, nothing should have unproxied it. If you are on a partner setup the issue might be with your host.

Again, this is unlikely to be Cloudflare related but you can certainly open a support ticket to clarify it.

Yes, on the 18th and 19th we were on a partner setup, and yesterday it was with our own account (different domain). Since you confirm this is not normal behavior, I will eventually open a case. Thank you for your support.

Something being unproxied definitely is not supposed to happen, but I don’t know of a single case where that actually happened, that’s why I’d rather rule out Cloudflare.

So yes, opening a support ticket will be the best course of action here.
