| ▲ | motorest 6 days ago | |
> I get that it's a compatibility workaround (...) but it's a.) super dangerous (...) It's a custom mode where you explicitly configure your own requests to your own origin server to be HTTP instead of HTTPS. Even Cloudflare discourages the use of this mode, and you need to go way out of your way to explicitly enable it. > (...) apparently was surprising to the authors of this post. The post is quite old, and perhaps Cloudflare's documentation was stale back then. However, it is practically impossible to set flexible mode being aware of what it means and what it does. > I would like to know how this setting got enabled, however. Cloudflare's docs state this is a custom encryption mode that is not set by default and you need to purposely go to the custom encryption mode config panel to pick this option among half a dozen other options. Perhaps this was not how things were done back then, but as it stands this is hardly surprising or a gotcha. You need to go way out of your way to configure Cloudflare to do what amounts to TLS termination at the edge, and to do so you need to skip a bunch of options that enforce https. | ||
| ▲ | maxbond 6 days ago | parent [-] | |
It seems like you think I'm operating under a misunderstanding as a result of not having looked at the docs. I looked at them before commenting, and described them accurately if tersely in my original comment. We just disagree. I didn't mean "I would like to know" in some sort of conspiratorial way, I just thought there was a story to be told there. | ||