SSL/TLS Encryption and non-proxied records

Our company hosts sites for a few clients, and we are easing our way into Cloudflare. We have so far only ported DNS records over to Cloudflare and changed our name servers at register.com. We have intentionally set all records to DNS only while we figure out our next steps to test out some features.

I noticed the SSL/TLS section recommends setting encryption to full (it is) but does this setting affect records that are not proxied? Our origin server/site already has a valid Digicert certificate. What settings affect records that are not proxied?

Full is not to be recommended; it opens you up to man-in-the-middle attacks. The only secure setting is Full (strict).


Pretty much none?

Closest you’ll get is the DNS load balancer, but even then it’s just logic to return different IPs and that’s all.

When your record is unproxied, Cloudflare returns the origin IP address in the DNS result. Anything that happens after that is a direct connection between the client and the origin server. Cloudflare is not involved at all in that process and cannot make any changes or apply any settings.


Thank you, you confirmed my suspicions. We are having some issues with one of our sites: the client has been getting a lot of err_connection_reset errors accessing it since last weekend, and fingers are being pointed at Cloudflare, even though all records are set to DNS only and we moved our records to Cloudflare over 2 weeks ago. Glad to see the issue is not CF.

