SSL - not secure traffic

Is there a way to track any non-HTTPS traffic in Cloudflare ?

I always see some requests under TLS stats - 24 hours saying - not secure. I dont understand why and how it would allow someone to access it over HTTP when auto redirect on HTTPS is ON under cloudflare. I like to start simulating all HTTP traffic. Is it possible to do under firewall ?

A request originally made under http and redirected is counted as an insecure request. The subsequent request by the browser for the secure version of the URL would be counted as a secure request.

Thank you for clarification. Got that now. So first call always gets considered as http during redirect and then all subsequent calls are made secured.

Let`s say I have got a web-server (origin) which allows http both https calls within data center. Cloudflare is set as proxy for one of the website deployed on that origin. Auto redirect HTTPs is also enabled. When cloudflare is set as proxy, it ensures origin IP is not revealed publicly. But if person gets the IP of origin, will it allow to make HTTP call to origin server ?

Since Cloudflare wouldn’t be in the mix if a user went to the site direct to the origin IP it has no ability to impact/effect the behavior of a request. Our recommendation generally is that customers restrict access to Cloudflare IPs https://support.cloudflare.com/hc/en-us/articles/201897700-Whitelisting-Cloudflare-IP-addresses. There are other more advanced methods that one can use to reject requests which don’t come through Cloudflare (such as generation of an application token on Cloudflare to pass to the origin to validate requests) as well.

1 Like

Thanks restricting origin IPs to cloudflare only makes sense.

This topic was automatically closed after 30 days. New replies are no longer allowed.