Why doesn't Flexible SSL mode check origin for certificate first?

pitawat · March 11, 2021, 2:40pm

I have seen that there is a tutorial here saying that Flexible SSL Mode shouldn’t be used because the connection from CF to origin server isn’t secured.

I then thought: why doesn’t the Flexible mode check the origin first if the secure connection could be made through port 443, then fallback to port 80 if the origin doesn’t respond? Because there are times that we have multiple subdomains and not all of them can be connected with https enabled for whatever reason, thus we need to set SSL mode to Flexible.

I know we can use Page Rules to force Full SSL mode for particular URLs but wouldn’t it be safer overall and easier that Cloudflare just check the origin first?

Also, the term “Flexible” is a bit misleading in my opinion. At first I think it means that connection from Cloudflare to origin can be made via both port 80 and 443 whichever is available but it turns out that there will be no secure connection to origin at all. Please correct me if I’m wrong.

Thanks.

sandro · March 11, 2021, 2:46pm

Flexible is intentionally designed to break encryption and leave the illusion of a secure site, when it actually is not.

As the article explains, Flexible is a bad choice and makes you lie to your visitors. There have been numerous discussions with Cloudflare on that topic but so far there was little indication that they would go to fix and secure that.

You are right. If you choose that mode the origin connection will always be insecure. “Full strict” will be doing what you asked and will keep the connection on the original protocol used by the client.

jnperamo · March 11, 2021, 2:57pm

Main reason is that Flexible mode is a very poor choice and secondly, your solution might double the amount of I/O operation just to establish a connection.

cscharff · March 15, 2021, 9:13am

Because there are many scenarios (all of them generally bad) where a webserver may serve different content on the same IP for HTTP vs. HTTPs. This is especially true in shared hosting environments. Being non-deterministic generally leads to more problems.

SSL mode can be controlled using page rules.

Agreed, I suggested “Horrible” as the mode option but was voted down. In general I advocate against using flexible in general outside of perhaps Argo Tunnels, certainly in any instance where there’s something more than a brochureware style site.

sandro · March 11, 2021, 7:16pm

system · March 15, 2021, 9:14am

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.