A short version of the answer to this question is: Only choose “Flexible” if your origin webserver cannot accept secure (HTTPS) connections. Choose “Full” if you have a self-signed SSL certificate, and choose “Full (strict)” if you have a valid SSL certificate.
Now for the detailed explanation. The SSL options let you control:
- If visitors can browse your website over a secure connection
- And when they do, how Cloudflare is going to connect to your origin webserver.
These options are listed in the order from the least secure (Off) to the most secure (Full SSL (Strict)). All of them are available, independently of your plan level.
Off: no secure connection between your visitor and Cloudflare, and no secure connection between Cloudflare and your web server either. This means that visitors can only view your website over HTTP, and any visitor attempting to connect via HTTPS will be returned a HTTP 301 Redirect to the plain HTTP version of your website.
Flexible SSL: secure connection between your visitor and Cloudflare, but no secure connection between Cloudflare and your web server. You don't need to have an SSL certificate on your web server, but your visitors still see the site as being HTTPS enabled. This option is not recommended if you have any sensitive information on your website. This setting will only work for port 443->80, not for the other ports we support like 2053. It should only be used as a last resort if you are not able to setup SSL on your own web server. Do be aware it can cause issues when you decide to switch away from it: How do I fix the infinite redirect loop...
Full SSL: secure connection between your visitor and Cloudflare, and secure connection (but not authenticated) between Cloudflare and your web server. You will need to have your server configured to answer HTTPS connections, with a self-signed certificate at least. The authenticity of the certificate is not verified: from Cloudflare’s point of view (when we connect to your origin webserver), it’s the equivalent of bypassing this error message. But as long as the address of your origin webserver is correct in your DNS settings, you know that we’re connecting to your webserver, and not someone else’s.
Full SSL (Strict): secure connection between the visitor and Cloudflare, and secure and authenticated connection between Cloudflare and your web server. You will need to have your server configured to answer HTTPS connections, with a valid SSL certificate. This certificate must be signed by a certificate authority that is trusted by Cloudflare, have an expiration date in the future, and respond for the request domain name (hostname). If you've added a CNAME record for the hostname on Cloudflare, the certificate's Common Name or SAN may also match the CNAME target.
Strict (SSL-Only Origin Pull): Enterprise only This mode has the same certificate requirements as Full (Strict) and will also upgrade all connections between Cloudflare and the origin from HTTP to HTTPS, even if the original content requested is over HTTP.
Origin CA certificates, generated by Cloudflare, can be used with either the Full or Full(strict) options as they are trusted by Cloudflare. You can find more information about Origin CA certificates below:
We hope this clarifies your understanding of these options. If your SSL is not working, please review these common reasons and how to resolve them here: