How to Choose Cloudflare SSL Mode (Flexible, Full, Strict)
This tutorial explains what each Cloudflare SSL/TLS mode actually encrypts, which attacks the weaker modes leave open, how to move a site to Full (Strict), and how to verify that the change took effect.
The Problem
Cloudflare offers three encryption modes for proxied traffic (plus Off, which disables HTTPS entirely): Flexible, Full, and Full (Strict). Visitors always get TLS to Cloudflare's edge in all three; the mode decides what happens on the leg between Cloudflare and your origin server. Choosing the wrong mode can leave that leg unencrypted or unauthenticated while the visitor still sees a padlock, or cause redirect loops and error pages.
Quick Fix
Step 1: Check your current SSL mode
In the Cloudflare Dashboard:
- Select your domain.
- Go to SSL/TLS > Overview.
- See the currently selected mode.
Step 2: Understand the three modes
Flexible: TLS between the visitor and Cloudflare only. Cloudflare connects to your origin over plain HTTP on port 80, so anyone on the path between Cloudflare and your server (hosting network, upstream ISP) can read and modify the traffic, and the padlock promises the visitor a protection the page does not deliver. Use it only as a stop-gap for an origin that cannot serve HTTPS at all; an origin with a self-signed certificate belongs on Full, not Flexible.
Full: TLS on both legs, but Cloudflare accepts whatever certificate the origin presents (self-signed, expired, or issued for another name) because it does not validate it. This stops passive eavesdropping but not an active attacker who can impersonate your origin. Acceptable briefly while you obtain a proper certificate.
Full (Strict): TLS on both legs, and Cloudflare rejects the connection unless the origin certificate is unexpired, matches the hostname, and chains to a publicly trusted CA or to Cloudflare's own Origin CA. It is the only mode that gives end-to-end protection and the recommended mode for production.
Step 3: Set to Full (Strict)
- In SSL/TLS > Overview, select Full (Strict).
- Ensure your origin server presents a certificate Cloudflare will trust: one from a public CA (Let's Encrypt, ZeroSSL, or a paid CA), served with its intermediate chain, or a Cloudflare Origin CA certificate (Step 4). It must cover the hostname visitors use.
This is the safest option. Cloudflare validates the origin certificate on every connection to the origin, refuses to proceed (visitors get a Cloudflare 526 error page) if validation fails, and never falls back to unencrypted HTTP.
Step 4: Configure the origin certificate for Strict
If the origin is reached only through Cloudflare's proxy, the simplest way to satisfy Full (Strict) is a free Cloudflare Origin CA certificate (validity selectable up to 15 years). Browsers do not trust the Origin CA, so anyone who connects to the origin directly, or a hostname switched to DNS-only, will see a certificate warning; that is expected, and one more reason to keep the origin reachable only from Cloudflare.
- Go to SSL/TLS > Origin Server.
- Click Create Certificate.
- Select the hostnames and validity period.
- Copy the certificate and the private key to your origin server. The key is shown only once, at creation time, and must be stored readable by root only: anyone who can read it can impersonate your origin to Cloudflare.
sudo tee /etc/ssl/cloudflare-origin.pem > /dev/null << 'EOF'
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
EOF
sudo tee /etc/ssl/cloudflare-origin.key > /dev/null << 'EOF'
-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----
EOF
sudo chmod 600 /etc/ssl/cloudflare-origin.key
Step 5: Configure your web server for Strict
For Nginx:
server {
    listen 443 ssl;
    server_name example.com;                               # must match a name in the certificate's SAN list
    ssl_certificate     /etc/ssl/cloudflare-origin.pem;    # certificate from Step 4
    ssl_certificate_key /etc/ssl/cloudflare-origin.key;    # private key from Step 4, mode 0600
    ssl_protocols TLSv1.2 TLSv1.3;                         # Cloudflare connects with TLS 1.2+; refuse older versions
}
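Steps 4 and 5 as one script, added here as an example; it is not part of the original page and not Cloudflare's tooling. It assumes the certificate and key from the dashboard were saved to two local files (paths below are placeholders) and uses openssl to confirm, before anything is installed, that the private key really belongs to the certificate, that the certificate covers the hostname nginx will serve, and that it is not about to expire. The function names and the destination directory are choices made for this example.

```shell
#!/usr/bin/env bash
# Validate and install a Cloudflare Origin CA certificate and key for nginx.
# Added example, not from the original page. Paths and hostnames are assumptions.
set -euo pipefail

# SHA-256 over the DER-encoded public key inside a certificate.
cert_pubkey_fp() {
  openssl x509 -in "$1" -noout -pubkey \
    | openssl pkey -pubin -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}

# Same fingerprint derived from a private key; equal fingerprints mean a matching pair.
key_pubkey_fp() {
  openssl pkey -in "$1" -pubout -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}

# Returns 0 when the private key in $2 is the one certificate $1 was issued for.
# nginx would refuse to start on a mismatch; checking first avoids an outage window.
cert_matches_key() {
  [ "$(cert_pubkey_fp "$1")" = "$(key_pubkey_fp "$2")" ]
}

# Returns 0 when the certificate's Subject Alternative Names cover host $2,
# either exactly or through a one-level wildcard (*.example.com covers www.example.com).
# Cloudflare in Full (strict) rejects a certificate whose SAN list does not match.
cert_covers_host() {
  local cert="$1" host="$2" parent
  parent="*.${host#*.}"
  openssl x509 -in "$cert" -noout -text \
    | grep -A1 'Subject Alternative Name' | tail -n1 \
    | tr ',' '\n' | sed -n 's/.*DNS://p' | tr -d ' ' \
    | grep -xF -e "$host" -e "$parent" >/dev/null
}

# Returns 0 when the certificate stays valid for at least $2 more days (default 30).
cert_valid_for_days() {
  openssl x509 -in "$1" -noout -checkend $(( ${2:-30} * 86400 )) >/dev/null
}

# Run all three checks, then install where the nginx config from Step 5 expects the files.
# The key is written mode 0600: anyone who can read it can impersonate the origin to Cloudflare.
install_origin_cert() {
  local cert="$1" key="$2" host="$3" dest_dir="${4:-/etc/ssl}"
  cert_matches_key "$cert" "$key"  || { echo "private key does not match certificate" >&2; return 1; }
  cert_covers_host "$cert" "$host" || { echo "certificate does not cover $host" >&2; return 1; }
  cert_valid_for_days "$cert" 30   || { echo "certificate expires within 30 days" >&2; return 1; }
  install -m 0644 "$cert" "$dest_dir/cloudflare-origin.pem"
  install -m 0600 "$key"  "$dest_dir/cloudflare-origin.key"
  echo "installed certificate and key for $host into $dest_dir"
}

# Usage (paths are placeholders): install_origin_cert ./origin.pem ./origin.key example.com
# then: sudo nginx -t && sudo systemctl reload nginx
```

After running it, reload nginx and only then switch the dashboard to Full (Strict); doing it in the other order serves visitors a 526 page until nginx picks up the new files.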
Step 6: Test the SSL mode
curl -I https://example.com | grep -i "cf-ray"
A cf-ray header only confirms that the request was proxied through Cloudflare; it says nothing about the Cloudflare-to-origin leg, which is the part the mode controls. To check that leg, connect to the origin's IP address directly with the public hostname as SNI (curl's --resolve option, or openssl s_client with -servername) and confirm that the certificate it presents validates; that is the same check Cloudflare performs in Full (Strict).
Step 7: Verify no mixed-content warnings
curl -s https://example.com | grep -Eo '(src|href)="http://[^"]*'
Mixed content is a property of the page, not of the SSL mode: if the HTML loads scripts, stylesheets or images from http:// URLs, browsers block or warn about them even on Full (Strict). Flexible mode makes this more likely because the origin sees plain HTTP and many applications then generate http:// absolute URLs; fix the URLs at the origin rather than relying on the edge to rewrite them.
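A verification script for Steps 6 and 7, added here as an example rather than the page's own procedure. It assumes you know the origin's IP address, so the probe can bypass the Cloudflare proxy with --resolve and SNI, and that CA_BUNDLE points at a file holding the public roots plus Cloudflare's Origin CA root (the trust set Full (Strict) uses). The function names, the sample transcript and the sample HTML are constructed for this example.

```shell
#!/usr/bin/env bash
# Probe the origin the way Cloudflare does in Full (strict), and scan a page for mixed content.
# Added example, not from the original page. CA_BUNDLE path and function names are assumptions.
set -euo pipefail

# Public CA roots plus Cloudflare's Origin CA root appended; the default path is a guess.
CA_BUNDLE="${CA_BUNDLE:-/etc/ssl/certs/ca-certificates.crt}"

# Extract the numeric verdict from an `openssl s_client` transcript ("Verify return code: N (...)").
# Prints nothing when no handshake reached the verification stage.
verify_code_of() {
  printf '%s\n' "$1" \
    | sed -n 's/^[[:space:]]*Verify return code: \([0-9]*\).*/\1/p' | tail -n1
}

# Connect straight to the origin IP with the public hostname as SNI and hostname check,
# which is what Cloudflare does before serving a 525/526 page in Full (strict).
probe_origin() {
  local host="$1" ip="$2" out code
  out=$(openssl s_client -connect "$ip:443" -servername "$host" -verify_hostname "$host" \
          -CAfile "$CA_BUNDLE" </dev/null 2>&1 || true)
  code=$(verify_code_of "$out")
  if [ "$code" = "0" ]; then
    echo "origin $ip presents a certificate Full (strict) will accept for $host"
  else
    echo "origin $ip FAILS strict validation for $host (verify code ${code:-none}); expect 525/526" >&2
    return 1
  fi
}

# Fetch the page from the origin directly. A 200 here is also a reminder that the origin
# answers anyone who knows its address, not just Cloudflare; firewall it to Cloudflare's ranges.
direct_fetch() {
  local host="$1" ip="$2"
  curl -sS -o /dev/null -w '%{http_code}\n' --cacert "$CA_BUNDLE" \
       --resolve "$host:443:$ip" "https://$host/"
}

# List http:// subresource URLs (script, img, iframe, link, media) in an HTML string.
# Plain <a href="http://..."> links are not mixed content and are deliberately ignored.
find_mixed_content() {
  local q="[\"']"
  printf '%s\n' "$1" \
    | { grep -Eio "<(script|img|iframe|link|source|video|audio)[^>]*(src|href)=${q}http://[^\"'>]*" || true; } \
    | sed -E "s/.*(src|href)=${q}//"
}

# Usage: ./check-origin.sh example.com 203.0.113.10
if [ "$#" -eq 2 ]; then
  probe_origin "$1" "$2" && direct_fetch "$1" "$2"
  find_mixed_content "$(curl -sS --cacert "$CA_BUNDLE" "https://$1/")"
fi
```

If probe_origin fails while the dashboard is still on Full, you have found the 526 before your visitors do: fix the certificate first, then switch to Full (Strict). Anything find_mixed_content prints must be changed to https:// (or a scheme-relative URL) in the application itself.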
Alternative Solutions
If your origin truly cannot serve HTTPS, Flexible is the only mode that keeps the visitor-facing padlock, but the Cloudflare-to-origin leg crosses networks you do not control in clear text, and an origin that redirects HTTP to HTTPS will loop forever under Flexible because Cloudflare only ever speaks HTTP to it. Treat it as temporary: install a certificate on the origin, use Full just long enough to confirm the origin serves TLS, then move to Full (Strict).
Common Errors
Browser shows "ERR_SSL_VERSION_OR_CIPHER_MISMATCH": this error occurs on the visitor-to-Cloudflare leg, so the origin is not involved. Typical causes are an edge certificate that has not finished issuing, a hostname the Universal SSL certificate does not cover (it covers example.com and *.example.com only, not deeper names such as a.b.example.com), or a Minimum TLS Version setting higher than the client supports. Check SSL/TLS > Edge Certificates. Origin-side TLS problems show up as Cloudflare 525/526 error pages instead.
Cloudflare returns 525 (SSL handshake failed) or 526 (Invalid SSL certificate) in Full (Strict): the origin certificate is expired, self-signed, issued for a different hostname, or served without its intermediate chain. A 521 (connection refused) or 522 (connection timed out) is a firewall or web-server problem, not a certificate one. Verify from outside with openssl s_client -connect ORIGIN_IP:443 -servername example.com </dev/null, read the "Verify return code" line, and pipe the output through openssl x509 -noout -dates -subject to check names and expiry.
Mixed content and redirect loops in Flexible mode: the origin receives plain HTTP, so applications that build absolute URLs from the request scheme emit http:// links, and any that force HTTPS by redirecting produce an endless redirect loop. Make the origin serve HTTPS and switch to Full (Strict); Cloudflare's Automatic HTTPS Rewrites can patch remaining http:// asset URLs at the edge, but fixing the application is the real remedy.
Origin certificate not trusted: in Full (Strict) Cloudflare validates the origin certificate against its own store of publicly trusted CAs plus the Cloudflare Origin CA, not against anything on your server. Use a certificate from a public CA (with its intermediate chain) or a Cloudflare Origin Certificate; a private or self-signed CA will never pass.
Prevention
- Always use Full (Strict) for production sites.
- Never use Flexible for sensitive data (logins, payments, APIs); it exposes the Cloudflare-to-origin leg in clear text.
- Full (Strict) authenticates the origin to Cloudflare, not Cloudflare to the origin. Restrict port 443 on the origin to Cloudflare's published IP ranges, or enable Authenticated Origin Pulls (SSL/TLS > Origin Server), so attackers cannot bypass the proxy and its protections.
- Set up automatic certificate renewal on your origin server, and monitor expiry; an expired origin certificate under Full (Strict) takes the site down with a 526.
- Test with a staging domain before changing modes on production.
Built by the developers of DodaTech