"SSL/TLS encryption mode" will affect whether the return-to-origin request contains SNI

Theoretically, setting “SSL/TLS encryption mode” to “Flexible” or “Full” will not affect port 2096 using TLS to access the original site. But I found that when switching settings, the ssl_sni of the return-to-origin request was different.

As shown below. Here we set it to “Full” mode and capture port 2096 packets on the original site:

Then switch to “Flexible” mode:

One more reason not to ever use Flexible. Both Flexible and Full are insecure legacy modes and should never be used.