shishcat 6 hours ago

This behavior only works when the reverse proxy or CDN is configured like this:

Proxy/CDN: HTTPS (443) → Origin server: plain HTTP (80)

(example: Cloudflare in Flexible mode)

If the origin server uses any proper TLS configuration, even a self-signed certificate, this method stops working. It only succeeds when the upstream connection to the origin is unsecured.

If you want to test this on a random site without Cloudflare or reverse proxy in general on HTTP: curl http://www.digiboy.ir/boobs.jpg -v
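
An added example (not from the thread) of how an operator can check which of these situations applies to their own origin: it connects to the origin's own IP, bypassing the CDN, attempts a verified TLS handshake, and classifies the result. Only the "no-tls" outcome is the Flexible-mode situation described above; a self-signed certificate still gives an encrypted hop. The origin IP, hostname and ports are placeholders the caller supplies.

```python
import socket
import ssl


def classify_error(exc: BaseException) -> str:
    """Map a failed direct-to-origin handshake to an origin posture.

    Pure function so it can be checked offline; probe_origin() feeds it
    whatever exception the real connection raised.
    """
    # Subclass of SSLError, so it must be tested first: the origin does speak
    # TLS, it just presents a cert the system trust store rejects (e.g. a
    # self-signed cert). The proxy-to-origin hop can still be encrypted.
    if isinstance(exc, ssl.SSLCertVerificationError):
        return "tls-untrusted-cert"
    # Any other SSLError means no TLS handshake completed at all (typically
    # "wrong version number" when a plain-HTTP listener answers). This is the
    # only posture that forces the proxy to reach the origin in cleartext.
    if isinstance(exc, ssl.SSLError):
        return "no-tls"
    # Refused, reset or timed out: the port is not answering us at all.
    if isinstance(exc, (ConnectionRefusedError, socket.timeout, OSError)):
        return "unreachable"
    return "unknown"


def probe_origin(origin_ip: str, hostname: str, port: int = 443,
                 timeout: float = 5.0) -> str:
    """Connect straight to the origin (not the CDN edge) and try a verified
    TLS handshake for `hostname`. Returns one of:
    "tls-verified", "tls-untrusted-cert", "no-tls", "unreachable", "unknown".
    """
    ctx = ssl.create_default_context()  # verifies chain and hostname
    try:
        with socket.create_connection((origin_ip, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
                tls.version()  # handshake already done; touch it for clarity
                return "tls-verified"
    except Exception as exc:  # noqa: BLE001 - we classify, not hide, the failure
        return classify_error(exc)


if __name__ == "__main__":
    # Placeholder values: replace with your real origin IP and site hostname.
    # Probing port 80 as well shows whether a cleartext listener is exposed.
    for p in (443, 80):
        print(p, probe_origin("192.0.2.10", "example.com", port=p, timeout=3.0))
```

Run it against the origin address, not the CDN's anycast address, or you are only measuring the edge.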

mort96 5 hours ago

Ah, Cloudflare. The world's most widely deployed encryption remover.

spoiler 3 hours ago

To be fair, Cloudflare is also the reason why most sites even have TLS at all, because it offered free certs (through Let's Encrypt, I think?) in a fairly easy to set up way.

Certs used to be expensive, and had way more operational overhead and quirks (even setting up ACME/LE).

estimator7292 2 hours ago

Absolutely not, no. That is all thanks to Let's Encrypt.

DoctorOW an hour ago

This was true before Let's Encrypt existed; they'd buy massive 500-domain wildcard SSL certs that free users would split.

Tostino 2 hours ago

I'm not going to give them credit for the work that Let's Encrypt did.

bawolff 2 hours ago

Is it really that different than AWS? You either trust your service provider or you don't.

lmm an hour ago

AWS doesn't route requests from their load balancer to your server across the public internet. Cloudflare does.

bobmcnamara 4 hours ago

It'll also work DigiNotar-style, when using the only root CA blessed by the National Information Network for general use: I.R. Iran.

huflungdung 2 hours ago

Digiboy is a treasure trove of enterprise software. Where else would I get a pirated HPE iLO license from?