by p0cc 1628 days ago
These are the five SSL options for a Cloudflare website [0]:

1. No SSL: User <--HTTP--> Cloudflare <--HTTP--> Origin Server

2. Flexible SSL: User <--HTTPS--> Cloudflare <--HTTP--> Origin Server

3. Full SSL: User <--HTTPS--> Cloudflare <--HTTPS--> Origin Server; Self-signed cert ok, expired cert ok

4. Full SSL (strict): User <--HTTPS--> Cloudflare <--HTTPS--> Origin Server; Origin server must use an SSL certificate that Cloudflare provides [1]

5. Strict (SSL-Only Origin Pull): User <--HTTPS--> Cloudflare <--HTTPS--> Origin Server; same as Full SSL (strict), but you need to pay Cloudflare more money

---

3 and above will fix this issue as they encrypt from Cloudflare to the Origin Server.

This is the traffic flow from the link:

User -> Cloudflare -> Airtel -> GitHub Pages

Where the connection with flexible SSL is Cloudflare <--HTTP--> GitHub Pages.

Upgrading to Full SSL (or higher) and using HTTPS on GitHub [2] should fix it.

---

Alternatively, deploy your static website with Cloudflare Pages [3], which has feature parity with GitHub Pages.

The flow would then be: User <--HTTPS--> Cloudflare Pages

[0]: https://developers.cloudflare.com/ssl/origin-configuration/s...

[1]: https://developers.cloudflare.com/ssl/origin-configuration/o...

[2]: https://docs.github.com/en/pages/getting-started-with-github...

[3]: https://pages.cloudflare.com/

EDIT: The replies by kentonv, x1110dc, and r1ch all have valid points.


For #4 (strict full) the origin server doesn’t have to use a Cloudflare-supplied cert. Any cert issued by a publicly trusted CA will do. See https://developers.cloudflare.com/ssl/origin-configuration/s...
Exactly, I've been doing this with letsencrypt.
How do you get certbot to work? Or do you renew manually or something?
Getting it to work the first time was a pain. Basically, you want to disable Cloudflare (just untick the box so that it goes directly to your server; you can keep using Cloudflare's DNS server), then obtain the normal way, and reactivate Cloudflare. But I would highly recommend using certbot's Cloudflare DNS plugin[1] instead so that you can (re)create the certificate w/o disabling Cloudflare.

1: https://certbot-dns-cloudflare.readthedocs.io/en/latest/
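The DNS plugin route above keeps Cloudflare in front of the origin, but it means a Cloudflare API credential sits on the web server. The script below is an added example (not from the thread and not certbot's own code) that writes the plugin's credentials INI with owner-only permissions, flags the two things certbot users most often get wrong (a group/world-readable file, and the legacy account-wide Global API Key instead of a token scoped to DNS edits on one zone), and builds the DNS-01 issuance command. It assumes the plugin's documented INI keys (`dns_cloudflare_api_token`, or the legacy `dns_cloudflare_email` + `dns_cloudflare_api_key` pair); every path, domain and token value in it is a constructed placeholder.

```python
"""Credentials-file hygiene for the certbot-dns-cloudflare plugin.

Added example, not from the thread or from certbot. Assumes the plugin's
documented INI keys (dns_cloudflare_api_token, or the legacy
dns_cloudflare_email + dns_cloudflare_api_key pair); the paths, domain and
token values used here are constructed placeholders.
"""
import os
import shutil
import stat
import tempfile
from typing import Dict, List

TOKEN_KEY = "dns_cloudflare_api_token"
LEGACY_KEYS = ("dns_cloudflare_email", "dns_cloudflare_api_key")


def write_credentials(path: str, token: str) -> None:
    """Create the INI file with mode 0600 from the start, not chmod-ed after
    a world-readable write (the token grants DNS edit rights on the zone)."""
    os.makedirs(os.path.dirname(path) or ".", mode=0o700, exist_ok=True)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(f"{TOKEN_KEY} = {token}\n")
    os.chmod(path, 0o600)  # the file may have pre-existed with a looser mode


def check_credentials(path: str) -> List[str]:
    """Return the problems found; an empty list means the file is acceptable."""
    problems: List[str] = []
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return ["file missing"]
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("readable by group or others; should be 0600")
    keys: Dict[str, str] = {}
    with open(path) as fh:
        for line in fh:
            line = line.strip()
            if not line or line.startswith(("#", ";")) or "=" not in line:
                continue
            k, v = (s.strip() for s in line.split("=", 1))
            keys[k] = v
    if TOKEN_KEY in keys:
        if not keys[TOKEN_KEY]:
            problems.append(f"{TOKEN_KEY} is empty")
    elif all(k in keys for k in LEGACY_KEYS):
        # Accepted by the plugin, but the Global API Key covers the whole
        # account; a token scoped to DNS edit on this zone is least privilege.
        problems.append("uses the global API key instead of a scoped API token")
    else:
        problems.append("no usable credentials key found")
    return problems


def certbot_argv(creds: str, domain: str, propagation_seconds: int = 30) -> List[str]:
    """DNS-01 issuance command; unlike HTTP-01 it can also cover the wildcard."""
    return ["certbot", "certonly", "--dns-cloudflare",
            "--dns-cloudflare-credentials", creds,
            "--dns-cloudflare-propagation-seconds", str(propagation_seconds),
            "-d", domain, "-d", f"*.{domain}"]


def self_check() -> Dict[str, List[str]]:
    """Exercise the checks on constructed files in a temporary directory."""
    tmp = tempfile.mkdtemp()
    results: Dict[str, List[str]] = {}
    good = os.path.join(tmp, "cloudflare.ini")
    write_credentials(good, "PLACEHOLDER_SCOPED_TOKEN")
    results["good"] = check_credentials(good)
    os.chmod(good, 0o644)  # simulate a file created with a default umask
    results["loose_mode"] = check_credentials(good)
    legacy = os.path.join(tmp, "legacy.ini")
    with open(legacy, "w") as fh:
        fh.write("dns_cloudflare_email = admin@example.com\n"
                 "dns_cloudflare_api_key = PLACEHOLDER_GLOBAL_KEY\n")
    os.chmod(legacy, 0o600)
    results["legacy"] = check_credentials(legacy)
    results["missing"] = check_credentials(os.path.join(tmp, "none.ini"))
    shutil.rmtree(tmp)
    return results


if __name__ == "__main__":
    for name, problems in self_check().items():
        print(f"{name:10} {problems or 'ok'}")
    # Placeholder path; on a real host point this at the 0600 file written above.
    print("would run:", " ".join(certbot_argv("/root/.secrets/cloudflare.ini", "example.com")))
```

Run it as a pre-flight before the first `certbot certonly --dns-cloudflare` call: an empty list from `check_credentials` means the file is owner-only and carries a scoped token, so a compromised web root at most leaks a credential that can edit one zone's DNS rather than the whole Cloudflare account.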

I just went through this. You need to whitelist the acme-challenge (using page rules) like this:

  *example.com/.well-known/acme-challenge/*
  Disable Security, SSL: Off, Cache Level: Bypass, Automatic HTTPS Rewrites: Off
and one big gotcha:

  Under SSL/TLS -> Edge Certificates -> disable Always Use HTTPS
(assuming you are using the HTTP-01 challenge).
> 5. Strict (SSL-Only Origin Pull): User <--HTTPS--> Cloudflare <--HTTPS--> Origin Server; same as Full SSL (strict), but you need to pay Cloudflare more money

The difference in this mode is that even if the client connects to Cloudflare using HTTP, Cloudflare will connect to the origin using HTTPS. In all other modes, if the client connects by HTTP, then Cloudflare will connect to origin by HTTP.

Of course, most people these days enable "HTTPS only", in which case Cloudflare will redirect HTTP clients to HTTPS and therefore not make any connection to the origin at all for HTTP clients.
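The five modes from the top comment, the two corrections in the reply just above (SSL-Only Origin Pull upgrades an HTTP client to HTTPS toward the origin; "Always Use HTTPS" redirects at the edge before any origin connection is made) and the HTTP-01 page-rule gotcha from the earlier comment all reduce to one question: for a given client request, what does Cloudflare do toward the origin, and how strictly does it check the origin certificate? The script below is an added example (not Cloudflare's code, nor any commenter's) that models that decision and, separately, builds a Python `ssl.SSLContext` with the same verification rules each mode applies, so you can probe your own origin the way Full (strict) would before flipping the zone setting. Assumptions: the mode names follow the thread, page-rule patterns are treated as plain `*` globs, and the `example.com` rule and URLs are constructed placeholders.

```python
"""Model of the Cloudflare-to-origin leg for the five SSL modes above.

Added example for this thread, not Cloudflare's code. Assumptions: the mode
names follow the thread; 'always_use_https' is the zone setting under
SSL/TLS -> Edge Certificates; page-rule patterns are plain '*' globs; the
constructed rule and URLs use example.com as a placeholder.
"""
import re
import socket
import ssl
from dataclasses import dataclass
from typing import Optional

MODES = ("off", "flexible", "full", "strict", "origin_pull")
ACME_RULE = "*example.com/.well-known/acme-challenge/*"  # constructed page rule


@dataclass(frozen=True)
class Leg:
    scheme: str  # "http", "https", or "none" (no origin connection at all)
    verify: str  # "none" (no TLS), "no_verify" (Full), "ca" (Strict / Origin Pull)


def origin_leg(mode: str, client_scheme: str, always_use_https: bool = False) -> Leg:
    """How Cloudflare connects to the origin for one client request."""
    if mode not in MODES:
        raise ValueError(f"unknown mode {mode!r}")
    if client_scheme not in ("http", "https"):
        raise ValueError(f"unknown scheme {client_scheme!r}")
    if client_scheme == "http" and always_use_https:
        # The edge answers with a redirect to HTTPS; the origin is never contacted.
        return Leg("none", "none")
    if mode in ("off", "flexible"):
        return Leg("http", "none")  # plaintext past the edge, whatever the client used
    if client_scheme == "http" and mode != "origin_pull":
        # Full and Strict mirror the client's scheme; only SSL-Only Origin Pull
        # upgrades an HTTP client to HTTPS toward the origin.
        return Leg("http", "none")
    if mode == "full":
        return Leg("https", "no_verify")  # self-signed, expired or misnamed certs accepted
    return Leg("https", "ca")  # strict / origin_pull: chain to a publicly trusted CA


def page_rule_matches(pattern: str, url: str) -> bool:
    """Page-rule style glob: each '*' matches any run of characters."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, url) is not None


def http01_reaches_origin(url: str, mode: str, always_use_https: bool) -> bool:
    """Does a plain-HTTP ACME validation request reach the origin over HTTP?

    The page rule sets SSL: Off for the challenge path, which matters in
    origin_pull mode (otherwise the edge would turn the validator's HTTP
    request into HTTPS); the zone-wide Always Use HTTPS redirect applies first.
    """
    if not url.startswith("http://"):
        return False
    effective_mode = "off" if page_rule_matches(ACME_RULE, url) else mode
    return origin_leg(effective_mode, "http", always_use_https).scheme == "http"


def context_for_mode(mode: str) -> Optional[ssl.SSLContext]:
    """An SSLContext that checks the origin the way the mode does."""
    if mode in ("off", "flexible"):
        return None
    ctx = ssl.create_default_context()  # strict: trusted chain + hostname match
    if mode == "full":
        ctx.check_hostname = False  # must be cleared before verify_mode
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def probe_origin(host: str, mode: str, port: int = 443, timeout: float = 5.0) -> str:
    """Connect to the origin with the mode's rules (needs network access)."""
    ctx = context_for_mode(mode)
    if ctx is None:
        return "mode does not use TLS to the origin"
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return "ok: " + str(tls.version())
    except (ssl.SSLError, OSError) as exc:
        return "fail: " + str(exc)


if __name__ == "__main__":
    for mode in MODES:
        for scheme in ("http", "https"):
            print(f"{mode:12} client={scheme:5} -> {origin_leg(mode, scheme)}")
    url = "http://example.com/.well-known/acme-challenge/token"
    print("HTTP-01, origin_pull, Always Use HTTPS off:", http01_reaches_origin(url, "origin_pull", False))
    print("HTTP-01, origin_pull, Always Use HTTPS on: ", http01_reaches_origin(url, "origin_pull", True))
```

`probe_origin("origin.example.com", "strict")` against your own origin tells you whether its certificate would pass Full (strict); the same host probed with `"full"` succeeds even on a self-signed or expired certificate, which is exactly why Full alone does not rule out a transit party presenting its own certificate to Cloudflare.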

Note that while option 3 will fix this particular issue (because they only seem to care about port 80), it doesn't stop them from MITMing the connection with their own self-signed cert in the future. Only options 4 and 5 ensure a fully secure SSL connection.