In this article, we discuss the SSL options offered by the CloudFlare proxy platform. Once you have signed up for the CloudFlare service and configured your domain's DNS records to route through their system, you will have access to the SSL options for the account, which let you choose how secure traffic is presented to a visitor.
The available options are listed below:
- “Flexible SSL”
- “Full SSL”
- “Full SSL (Strict)”
The default setting, with none of the options above selected, offers no secure connection between the site visitor and CloudFlare. It also means there is no secure connection between CloudFlare and the server hosting the content.
From the visitor's perspective, this means the site content can only be reached over the non-secure HTTP protocol. Visitors who request the content over HTTPS are not denied; instead they are redirected to the HTTP version of the site.
Flexible SSL
The Flexible SSL option gives visitors who access your site over HTTPS a secure connection to the CloudFlare service. This is accomplished with a CloudFlare-issued SSL certificate that secures the connection between the visitor and CloudFlare, while the connection between CloudFlare and the hosting server can remain insecure.
Flexible SSL has a limitation: it only supports secure connections on port 443. While 443 is the standard port for secure web traffic, there are times when you need HTTPS access on another port. For example, if you try to allow a secure connection to your cPanel/WHM login URL (WHM uses port 2087 and cPanel uses port 2083) through a CloudFlare-protected domain with Flexible SSL, the request will be redirected to plain HTTP instead.
Full SSL
The Full SSL option allows the traffic between the hosting server and CloudFlare to be secured even if you are unable to configure an "authorized" certificate, meaning the certificate installed on the server is not issued by a Certificate Authority but is instead self-signed.
This also works around the Flexible SSL limitation, as the self-signed certificate is accepted for HTTPS requests to non-standard but secured ports, like the cPanel ports mentioned earlier.
Full SSL (Strict)
The strict version of the Full SSL option requires that the certificate installed on the hosting server be validated by a Certificate Authority; a self-signed certificate will not be accepted in this mode.
This option also rewrites visitors' HTTP requests to the site to HTTPS natively, so your web server does not need to do that for you.
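Before choosing a mode, it helps to probe the origin server directly and see which of the three modes it can actually support. The following Python script does that; it is an added example, not CloudFlare's own tooling or code from this article, and the IP address and hostname in it are placeholders.

```python
"""Probe an origin server directly, bypassing the CloudFlare proxy, to see which
CloudFlare SSL mode it can support. Added example, not CloudFlare's own tooling."""
import socket
import ssl


def try_tls(origin_ip, hostname, port=443, verify=True, timeout=5.0):
    """Attempt a TLS handshake to origin_ip:port, sending hostname as SNI.

    verify=True requires a chain that validates against the system CA store and
    a certificate matching hostname, which is what Full SSL (Strict) demands.
    verify=False accepts any certificate, self-signed included, as Full SSL does.
    """
    ctx = ssl.create_default_context()
    if not verify:
        ctx.check_hostname = False  # must be cleared before verify_mode
        ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((origin_ip, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=hostname):
                return True
    except (ssl.SSLError, OSError):
        return False


def assess_origin(origin_ip, hostname, port=443, probe=try_tls):
    """Return the strongest CloudFlare SSL mode the origin supports, with caveats.

    probe is injectable so the decision logic can be exercised without a network.
    """
    strict_ok = probe(origin_ip, hostname, port, verify=True)
    any_tls_ok = strict_ok or probe(origin_ip, hostname, port, verify=False)
    if strict_ok:
        return {"mode": "Full SSL (Strict)", "caveats": []}
    if any_tls_ok:
        return {"mode": "Full SSL", "caveats": [
            "origin certificate is not CA-validated, so CloudFlare cannot confirm "
            "it is talking to your server rather than something in between"]}
    caveats = ["traffic between CloudFlare and the origin is plaintext HTTP"]
    if port != 443:
        caveats.append("Flexible SSL only secures port 443; HTTPS requests to "
                       "port %d will be redirected to HTTP" % port)
    return {"mode": "Flexible SSL", "caveats": caveats}


if __name__ == "__main__":
    # 192.0.2.10 / example.com are placeholders; substitute your origin's values.
    print(assess_origin("192.0.2.10", "example.com"))
```

Run it against the origin's real IP (not the CloudFlare-proxied address) so the result reflects the certificate the hosting server itself presents.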
Because the additional network layer that a proxy service like CloudFlare introduces adds complexity, they have published a common troubleshooting guide to help determine whether an issue lies with the CloudFlare configuration or with the hosting server.