Every website behind Cloudflare is automatically given a free Cloudflare certificate to help secure your visitors' traffic between the browser and Cloudflare. The connection between Cloudflare and the server is set to use Automatic SSL/TLS by default, which will attempt to identify and apply the most secure encryption mode for your website.
Changing your Cloudflare SSL mode
You can set a custom SSL/TLS mode, which is recommended, once you determine how you want to secure your traffic between Cloudflare and the server. We will walk through the steps to change this setting within your Cloudflare account and then go over the available options below.
1. Log in to your Cloudflare account.
2. If you have more than one domain in your Cloudflare account, select the domain whose settings you wish to change.
3. In the navigation, expand the option for "SSL/TLS" and then click "Overview."
4. It should display your current SSL mode. Click the "Configure" button to change this setting.
5. Select the desired option, then click "Save."
More information on each of the options listed is provided below:
Off (no encryption)
When Cloudflare's SSL/TLS setting is set to Off (no encryption), your website will only be accessible via HTTP. This means that all data transmitted between your visitors, Cloudflare, and your server will be sent in plaintext, without encryption. Using this setting is not advisable for websites that handle sensitive information, such as user data or e-commerce transactions. Instead, you should choose one of the available SSL/TLS modes that ensure the encryption of traffic between your visitors and your server.
In the example image below, you see the connection between the visitor and Cloudflare is not secure.
Flexible mode
When Cloudflare is set to "Flexible" mode, the connection between the visitor and Cloudflare is secure (HTTPS), but the connection between Cloudflare and the origin server is insecure (HTTP). While the visitor's browser shows a secure connection with SSL, this still opens up the website to Man-in-the-Middle (MITM) attacks. Instead, it is recommended that you use the Strict mode which will secure your connection through the entire process.
In the example image below, you see the connection between the visitor and Cloudflare is secure while the connection between Cloudflare and the origin server is not secure.
Important: If you set your website to use Flexible SSL and have a redirect in place for HTTP to HTTPS, you will need to disable the redirect, otherwise you will experience a redirect loop since Cloudflare will only attempt to connect to the server via HTTP.
Full mode
When Cloudflare is set to "Full" mode, end-to-end encryption is enabled, which means both the connection between the browser and Cloudflare and the connection between Cloudflare and the origin server are secured with SSL/TLS encryption. Use this option if the certificate on the origin server is not issued by a trusted certificate authority (CA); otherwise use the Full (Strict) mode.
In the example image below, you see the connection between the visitor and Cloudflare is secure, as well as the connection between Cloudflare and the origin server.
Full mode (Strict)
When Cloudflare is set to "Full (Strict)" mode, end-to-end encryption is enabled, just like with Full mode, except it enforces validation of the origin certificate. In order to use this mode, the certificate installed on the origin server must be issued by a trusted Certificate Authority (CA).
In the example image below, you see the connection between the visitor and Cloudflare is secure, as well as the connection between Cloudflare and the origin server.
Full mode (SSL-Only Origin Pull)
When Cloudflare is set to "Full (SSL-Only Origin Pull)", end-to-end encryption is enabled and has the strictest validation for the origin certificate. In order to use this mode, the certificate installed on the origin server must be issued by a trusted Certificate Authority (CA).
In the example image below, you see the connection between the visitor and Cloudflare is secure, as well as the connection between Cloudflare and the origin server.
Common issues due to Cloudflare SSL settings
ERR_TOO_MANY_REDIRECTS
If you have your Cloudflare SSL settings set to Flexible mode and have a force redirect to HTTPS for your website, this will result in an infinite redirect loop, since Cloudflare will attempt to connect to the origin server via HTTP. You will either need to remove the redirect to HTTPS on your website or change the Cloudflare setting to one of the Full mode options so that the connection between Cloudflare and the origin server is encrypted via SSL.
Before changing the SSL setting to one of the Full modes, you first need to make sure you have the site listening for HTTPS traffic with a valid certificate on your web server. There are several options for enabling SSL on your website to secure the traffic between Cloudflare and your origin server:
- (Recommended) A paid SSL certificate offers more security, validation and insurance. You can order one via our Vivio SSL Certificates page.
- Download Cloudflare's origin certificate from Cloudflare and install it on the server. This option requires you to manually install the certificate provided by Cloudflare on the origin server, and to repeat that manual installation frequently.
- Using Let's Encrypt is a valid option, although the default HTTP validation will fail when the website is behind the Cloudflare WAF, so you may need to change this to DNS validation instead.
525 Error: SSL handshake failed
You may get this error if the origin web server does not have SSL bindings or is using an expired or untrusted certificate. To resolve this error, make sure your web server is set up to serve the HTTPS version of your website with a valid certificate issued by a trusted certificate authority.
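The two failures above (the Flexible-mode redirect loop and the 525 handshake error) can be checked for before you change the mode. The following added example, which is not part of this article or of any Cloudflare tooling, probes an origin the way Cloudflare would: a plain HTTP request as in Flexible mode, and a validated TLS handshake as in Full (Strict). The hostname, origin IP and the mode labels "flexible", "full" and "strict" are assumptions made for illustration.

```python
"""Preflight check before switching a Cloudflare zone to a Full mode (added example)."""
import http.client
import socket
import ssl

# Constructed values for illustration only; replace with your own hostname and origin IP.
EXAMPLE_HOST = "www.example.com"      # hostname Cloudflare sends in SNI and the Host header
EXAMPLE_ORIGIN_IP = "203.0.113.10"    # origin server IP (documentation address range)


def check_origin_tls(host, origin_ip, port=443, timeout=5):
    """Connect to the origin as Full (Strict) does: TLS with SNI and chain validation
    against the system trust store. Returns 'trusted', 'expired', 'untrusted' or 'no_tls'."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((origin_ip, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return "trusted"
    except ssl.SSLCertVerificationError as exc:
        # Self-signed, wrong hostname or expired: Full accepts this, Full (Strict) does not.
        return "expired" if "expired" in str(exc.verify_message).lower() else "untrusted"
    except (ssl.SSLError, OSError):
        # Nothing speaking TLS on that port: a 525 handshake failure under any Full mode.
        return "no_tls"


def origin_redirects_to_https(host, origin_ip, port=80, timeout=5):
    """Send the plain-HTTP request Flexible mode sends and report whether the origin
    answers with a redirect to https:// (the ERR_TOO_MANY_REDIRECTS trigger)."""
    conn = http.client.HTTPConnection(origin_ip, port, timeout=timeout)
    conn.request("GET", "/", headers={"Host": host})
    resp = conn.getresponse()
    location = resp.getheader("Location", "") or ""
    conn.close()
    return resp.status in (301, 302, 307, 308) and location.lower().startswith("https://")


def diagnose(mode, tls_result, redirects_to_https):
    """Map the planned mode plus the two probe results to the outcome described above."""
    if mode == "flexible" and redirects_to_https:
        return "ERR_TOO_MANY_REDIRECTS: remove the HTTP-to-HTTPS redirect or use a Full mode"
    if mode in ("full", "strict") and tls_result == "no_tls":
        return "525 SSL handshake failed: the origin has no HTTPS binding on port 443"
    if mode == "strict" and tls_result in ("untrusted", "expired"):
        return "Full (Strict) will fail: install a CA-issued certificate or use Full"
    return "OK"


if __name__ == "__main__":
    tls = check_origin_tls(EXAMPLE_HOST, EXAMPLE_ORIGIN_IP)
    redirect = origin_redirects_to_https(EXAMPLE_HOST, EXAMPLE_ORIGIN_IP)
    for planned in ("flexible", "full", "strict"):
        print(planned, "->", diagnose(planned, tls, redirect))
```

Run it against the origin's real IP, not the Cloudflare-proxied hostname, so that the probes bypass Cloudflare exactly as Cloudflare's own connection to your server does.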
Man in the middle (MITM) attacks
It's a common misconception that placing the website behind Cloudflare and using their free Cloudflare-issued certificate will protect your website. In reality, in every web request there are two connections occurring:
1. The request from the visitor's browser to Cloudflare.
2. The request from Cloudflare to the origin server (where your website is hosted).
If you are using the Flexible setting within Cloudflare, or Automatic SSL/TLS, and you do not have SSL configured on the web server, then only the request to Cloudflare is going to be secure. An attacker listening on the network path could potentially expose sensitive data being transmitted between Cloudflare and the origin server. So while the visitor has the impression that the website is secure because they see a valid certificate in their browser, the traffic could still be exposed to attackers using MITM attacks.
To protect yourself from these types of attacks, we recommend setting the SSL mode to either Full, Full (Strict) or Full (SSL-Only Origin Pull). This will ensure that all connections in the web request are secured via encrypted transmission.
If you need any help changing your SSL mode settings within Cloudflare, please get in touch with our Support team.