| ▲ | maxbond 6 days ago | |||||||
I get that it's a compatibility workaround (I did look at the docs before posting) but it's a.) super dangerous and b.) apparently was surprising to the authors of this post. I'm gunnuh keep describing "communicate with your backend in plain text and get caught in infinite redirect loops mode" whack but reasonable people may disagree. I would like to know how this setting got enabled, however. And I don't think the document should describe it as a "default" if it isn't one. | ||||||||
| ▲ | motorest 6 days ago | parent [-] | |||||||
> I get that it's a compatibility workaround (...) but it's a.) super dangerous (...) It's a custom mode where you explicitly configure your own requests to your own origin server to be HTTP instead of HTTPS. Even Cloudflare discourages the use of this mode, and you need to go way out of your way to explicitly enable it. > (...) apparently was surprising to the authors of this post. The post is quite old, and perhaps Cloudflare's documentation was stale back then. However, it is practically impossible to set flexible mode being aware of what it means and what it does. > I would like to know how this setting got enabled, however. Cloudflare's docs state this is a custom encryption mode that is not set by default and you need to purposely go to the custom encryption mode config panel to pick this option among half a dozen other options. Perhaps this was not how things were done back then, but as it stands this is hardly surprising or a gotcha. You need to go way out of your way to configure Cloudflare to do what amounts to TLS termination at the edge, and to do so you need to skip a bunch of options that enforce https. | ||||||||
| ||||||||