
Full - SSL/TLS encryption modes

When you set your encryption mode to Full, Cloudflare allows HTTPS connections between your visitor and Cloudflare and makes connections to the origin using the scheme requested by the visitor. If your visitor uses HTTP, Cloudflare connects to the origin using plaintext HTTP; if your visitor uses HTTPS, Cloudflare connects to the origin using HTTPS.

flowchart LR
        accTitle: Full SSL/TLS Encryption
        accDescr: With an encryption mode of Full, your application encrypts traffic going to and coming from Cloudflare but does not validate your origin certificate.
        A[Browser] <--Encrypted--> B((Cloudflare))<--Encrypted--> C[(Origin server)]

Use when

Choose Full mode when your origin can support an SSL certificate but, for various reasons, cannot support a valid, publicly trusted certificate.


In addition to Full encryption, you can also set up Authenticated Origin Pulls to ensure all requests to your origin are evaluated before receiving a response.


Required setup

Prerequisites

Before enabling Full mode, make sure your origin allows HTTPS connections on port 443 and presents a certificate (self-signed, Cloudflare Origin CA, or purchased from a Certificate Authority). Otherwise, your visitors may experience a 525 error.


Process


Limitations

The certificate presented by the origin will not be validated in any way. It can be expired, self-signed, or not even have a matching CN/SAN entry for the hostname requested.

Without using Full (strict), a malicious party could technically hijack the connection and present their own certificate.
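
To see which of these limitations applies to your own origin, the following added example (not Cloudflare's code) handshakes with the origin twice: once accepting any certificate, as Full does, and once applying the chain, expiry and hostname checks that Full skips. The function names, the separate `origin_addr` argument and the optional `cafile` (a PEM root for origins using a private CA such as Cloudflare Origin CA) are assumptions of this example.

```python
import socket
import ssl

def handshake(origin_addr, hostname, port=443, verify=True, cafile=None, timeout=5.0):
    """TLS-handshake with the origin directly; return None on success, else a reason.

    verify=False mirrors what Full accepts: any certificate at all.
    verify=True applies the checks Full skips (trust chain, expiry, hostname).
    """
    ctx = ssl.create_default_context()
    if cafile:  # assumption: extra PEM root, e.g. for a Cloudflare Origin CA certificate
        ctx.load_verify_locations(cafile=cafile)
    if not verify:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    try:
        # Connect to the origin address (the proxied hostname resolves to Cloudflare),
        # but send the real hostname as SNI so the origin picks the right certificate.
        with socket.create_connection((origin_addr, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname):
                return None
    except ssl.SSLCertVerificationError as exc:
        return f"certificate rejected: {exc.verify_message}"
    except (ssl.SSLError, OSError) as exc:
        return f"handshake failed: {exc}"

def assess(unverified_err, verified_err):
    """Classify the origin from the two handshake results."""
    if unverified_err is not None:
        return "not ready for Full (visitors may see 525): " + unverified_err
    if verified_err is not None:
        return "Full only, certificate would not validate: " + verified_err
    return "certificate validates, origin can move to Full (strict)"

def audit_origin(origin_addr, hostname, port=443, cafile=None):
    """Run both handshakes; skip the verified one if TLS does not work at all."""
    loose = handshake(origin_addr, hostname, port, verify=False)
    strict = None if loose else handshake(origin_addr, hostname, port, cafile=cafile)
    return assess(loose, strict)

if __name__ == "__main__":
    import sys
    # Usage: python audit_origin.py <origin address> <hostname served by the origin>
    print(audit_origin(sys.argv[1], sys.argv[2]))
```

A "Full only" result names the reason the certificate failed validation (for example expired, self-signed, or hostname mismatch), which is the gap an on-path party could use while the zone stays on Full.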