English (US) Deutsch Español (España) Français (France) 日本語 한국어 Português do Brasil 简体中文

Cloudflare Help Center

Detailed system status >

Articles in this section

Connect with the Cloudflare Community

Get answers

More on this topic: Discussions and Tips

End-to-end HTTPS with Cloudflare - Part 3: SSL options

  • Updated

Understand which Cloudflare SSL options encrypt HTTPS traffic between Cloudflare and the origin web server.

Overview

The SSL section of the Cloudflare SSL/TLS app contains several options that determine whether Cloudflare securely connects to your origin web server.

After reviewing the description of each SSL option, refer to our list of recommended SSL options depending on your origin web server SSL configuration:

Off disables HTTPS for your site visitors whereas Full(Strict) provides the most traffic security end-to-end.

If your origin web server either redirects HTTP traffic to HTTPS or HTTPS traffic to HTTP, redirect loop errors can occur for website visitors.

Off

SSL mode off

Off disables secure HTTPS connections between both visitors and Cloudflare and between Cloudflare and your origin web server. Visitors can only view your website over HTTP. Any connections attempted via HTTPS result in a HTTP 301 redirect to unencrypted HTTP.

Setting SSL to Off hides the Onion Routing and Always Use HTTPS settings in the Edge Certificates tab of the Cloudflare SSL/TLS app.

Flexible

SSL Options flexible

The Flexible SSL option allows a secure HTTPS connection between your visitor and Cloudflare, but forces Cloudflare to connect to your origin web server over unencrypted HTTP. An SSL certificate is not required on your origin web server and your visitors will still see the site as being HTTPS enabled.

Flexible is not recommended if your website contains sensitive information. Use Flexible only as a last resort if you are unable to setup SSL at your origin web server.

Full

SSL options full

Full ensures a secure connection between both the visitor and your Cloudflare domain and between Cloudflare and your web server.

The Full SSL option does not validate SSL certificate authenticity at the origin. A self-signed certificate is allowed at the origin web server.

To avoid 525 errors, before enabling Full SSL option, configure your origin web server to allow HTTPS connections on port 443 and present either a self-signed SSL certificate, a Cloudflare Origin CA certificate, or a valid certificate purchased from a Certificate Authority.

Full (strict)

SSL options full (strict)

Full (strict) ensures a secure connection between both the visitor and your Cloudflare domain and between Cloudflare and your origin web server. Full (strict) support SSL hostname validation against CNAME targets.

Configure your origin web server to allow HTTPS connections on port 443 and present either a Cloudflare Origin CA certificate or a valid certificate purchased from a Certificate Authority. This certificate must be signed by a Certificate Authority that is trusted by Cloudflare, have a future expiration date, and cover the requested domain name (hostname).

The Full(strict) SSL option checks for SSL certificate validity at the origin web server. A self-signed certificate cannot be used. A Cloudflare Origin CA certificate or valid certificate purchased from a Certificate Authority is required to avoid 526 errors.

Strict (SSL-Only Origin Pull)

Strict (SSL-Only Origin Pull) is only available for Enterprise zones.

Strict (SSL-Only Origin Pull) occurs between Cloudflare's network and the origin server. It's not related to "Authenticated Origin Pull" at all. Connections to the origin will always be made using SSL/TLS encryption (HTTPS), regardless of the scheme requested by the visitor. The SSL certificate presented by the origin web server must be signed by a Certificate Authority that is trusted by Cloudflare, have a future expiration date, and cover the requested domain name (hostname).

SSL/TLS Recommender

To check if your domain is compatible with a more secure SSL/TLS mode, enable the SSL/TLS Recommender. The SSL/TLS Recommender checks for content differences in your site when served over HTTP and HTTPS. It also checks if your site is configured with a valid TLS certificate. Based on this and recursive crawls over encrypted and unencrypted connections, it recommends the mode that maximizes security while preserving content.

When enabled, the SSL/TLS Recommender sends the zone owner an email with an SSL/TLS mode recommendation if one is available. A "Recommended by Cloudflare" tag displays next to the recommended mode on the SSL/TLS page. If you do not receive an email, the recommendation is to keep the current mode. You are not required to use the recommendation. The Recommender runs periodically and sends notifications if new recommendations become available. The recommendation is never lower than your current SSL/TLS mode.

The SSL/TLS Recommender is not intended to resolve issues with website or domain functionality. The Recommender will not be able to complete its scan and show the "Recommended by Cloudflare" tag if

  • the domain is not functional,
  • you enable Cloudflare Workers® for your website,
  • you block all bots, or
  • there are any active SSL-specific Page Rules.

 

 

Related resources

Learn

Troubleshoot

 

Not finding what you need?

Searching can help answer 95% of support questions. This is the quickest way to get answers.

Ask the Community Submit a request

Related articles

Not finding what you need?

Searching can help answer 95% of support questions. This is the quickest way to get answers.

Ask the Community Submit a request