Table of Contents
Cloudflare encryption mode
Introduce the encryption modes supported by Cloudflare, and point out some things that need attention.
Overview
The image below shows the Cloudflare dashboard interface for changing the encryption mode.
Encryption modes
The below is copied from https://developers.cloudflare.com/ssl/origin-configuration/ssl-modes/.
Setting your encryption mode to Off (not recommended) redirects any HTTPS request to plaintext HTTP.
Setting your encryption mode to Flexible makes your site partially secure. Cloudflare allows HTTPS connections between your visitor and Cloudflare, but all connections between Cloudflare and your origin are made through HTTP. As a result, an SSL certificate is not required on your origin.
When you set your encryption mode to Full, Cloudflare allows HTTPS connections between your visitor and Cloudflare and makes connections to the origin using the scheme requested by the visitor. If your visitor uses http, then Cloudflare connects to the origin using plaintext HTTP and vice versa.
When you set your encryption mode to Full (strict), Cloudflare does everything in Full mode but also enforces more stringent requirements for origin certificates.
When you set your encryption mode to Strict (SSL-Only Origin Pull), connections to the origin will always be made using SSL/TLS, regardless of the scheme requested by the visitor.
Things to note
- If only the HTTPS port (443) is enabled in the server, you cannot select the and modes. This is because in these modes Cloudflare intends to connect to the server via the HTTP port (80), which is blocked by the server.