~~PAGEIMAGE:network:server:cloudflare:media:img:20230507-104146.png~~

====== Cloudflare encryption mode ======

{{template>:meta:template:pageinfo#tpl
|desc=Introduce the encryption modes supported by **Cloudflare**, and point out some things that need attention.}}

===== Overview =====

The image below shows the Cloudflare dashboard interface for changing the encryption mode.

{{network:server:cloudflare:media:img:20230507-104146.png?direct&600}}

===== Encryption modes =====

<callout type="info">

<wrap info>The below is copied from [[https://developers.cloudflare.com/ssl/origin-configuration/ssl-modes/]].</wrap>
\\ \\
  * <wrap menu>Off (no encryption)</wrap> \\ Setting your encryption mode to Off (not recommended) redirects any HTTPS request to plaintext HTTP.

  * <wrap menu>Flexible</wrap> \\ Setting your encryption mode to Flexible makes your site partially secure. Cloudflare allows HTTPS connections between your visitor and Cloudflare, but all connections between Cloudflare and your origin are made through HTTP. As a result, an SSL certificate is not required on your origin.

  * <wrap menu>Full</wrap> \\ When you set your encryption mode to Full, Cloudflare allows HTTPS connections between your visitor and Cloudflare and makes connections to the origin using the scheme requested by the visitor. If your visitor uses http, then Cloudflare connects to the origin using plaintext HTTP and vice versa.

  * <wrap menu>Full (strict)</wrap> \\ When you set your encryption mode to Full (strict), Cloudflare does everything in Full mode but also enforces more stringent requirements for origin certificates.

  * <wrap menu>Strict (SSL-Only Origin Pull)</wrap> \\ When you set your encryption mode to Strict (SSL-Only Origin Pull), connections to the origin will always be made using SSL/TLS, regardless of the scheme requested by the visitor.
</callout>

===== Things to note =====

  * If only the **HTTPS port (443)** is enabled in the server, you cannot select the <wrap menu>Off (no encryption)</wrap> and <wrap menu>Flexible</wrap> modes. This is because in these modes Cloudflare intends to connect to the server via the **HTTP port (80)**, which is blocked by the server.

===== Reference =====

  * //[[https://developers.cloudflare.com/ssl/origin-configuration/ssl-modes/]]//
  * //[[https://developers.cloudflare.com/ssl/edge-certificates/additional-options/http-strict-transport-security/]]//