
Cloudflare's encryption mode — set under SSL/TLS → Overview in the dashboard — controls two separate connections, and the whole topic makes sense the moment you see them as two legs. Leg one runs from the visitor's browser to Cloudflare's edge. Leg two runs from Cloudflare's edge to your origin server. The padlock in the browser only ever proves that leg one is encrypted; the mode you pick decides what happens on leg two.
Off disables HTTPS entirely — both legs are plaintext, and nobody should use it. Flexible encrypts leg one only: Cloudflare talks to your origin over plain HTTP on port 80, so every request crosses the open internet unencrypted while the visitor sees a padlock. Full encrypts both legs, but Cloudflare accepts any certificate on the origin — self-signed, expired, or issued for a completely different hostname — which means it never verifies who it is actually talking to. Full (strict) encrypts both legs and requires the origin certificate to be valid: unexpired, matching the hostname, and signed by a trusted authority or by Cloudflare's own Origin CA. Only one of those four modes gives you real end-to-end TLS.
Full (strict) is the mode to use in production, and the other three fail for concrete reasons rather than matters of taste. Flexible transmits login forms, session cookies, and API payloads in cleartext between Cloudflare and your server — anyone positioned on that path can read or modify them, and your visitors have no way to know. Full encrypts the traffic but skips authentication, so an attacker who can intercept the route to your origin can present their own self-signed certificate and Cloudflare will happily complete the handshake with the impostor. Encryption without identity verification is a lock on a door you never checked.
Flexible mode is also the number one cause of ERR_TOO_MANY_REDIRECTS. If your origin redirects HTTP to HTTPS (as almost every Nginx vhost and WordPress install does), Cloudflare fetches over HTTP, your server answers with a 301 to HTTPS, the visitor comes back through Cloudflare, and Cloudflare fetches over HTTP again — an infinite loop. And even when it does not loop, the Cloudflare-to-origin leg is still plaintext. Treat Flexible as a bug, not a setting.
The only requirement Full (strict) imposes is that your origin holds a certificate Cloudflare trusts. There are exactly two good ways to get one, and both are free.
A Let's Encrypt certificate on the origin works exactly as it would without Cloudflare — and yes, it still validates while the orange-cloud proxy is on. The HTTP-01 challenge asks Let's Encrypt to fetch a token from /.well-known/acme-challenge/ over plain HTTP, and Cloudflare passes that request straight through to your origin, so certbot completes the challenge without you touching a single DNS setting:
Because the certificate comes from a publicly trusted CA, it satisfies Full (strict) immediately, and it keeps working even if you later gray-cloud the record or leave Cloudflare entirely — that portability is its main advantage over the Origin CA option. The cost is the 90-day lifetime, which makes renewal automation mandatory. If your server runs on CloudStick, this is one click instead of a certbot session: CloudStick issues the Let's Encrypt certificate from the dashboard and auto-renews it before expiry, so Full (strict) never breaks at 2 a.m. because a renewal cron silently failed.
The Origin CA certificate is Cloudflare's purpose-built answer: free, valid for up to 15 years, and issued in about thirty seconds from SSL/TLS → Origin Server → Create Certificate. The trade-off is spelled out in the name — it is signed by Cloudflare's private CA, which browsers do not trust. It only works while traffic flows through the Cloudflare proxy; hit the origin IP directly and you get a certificate error. That makes it perfect for a server that will live behind Cloudflare permanently, and wrong for anything else. You can let the dashboard generate the private key, or keep the key on your server and submit only a CSR:
Paste the CSR into the Origin Server page, download the issued PEM, and install both files in Nginx:
Switch the zone to Full (strict) and you are done for the next decade and a half — no renewals to automate. CloudStick supports this path too: its custom SSL installation accepts the Origin CA certificate and private key for any website on the server, so you can install the pair from the dashboard without editing vhost files by hand, and pair it cleanly with Full (strict).
Full (strict) lets your server prove its identity to Cloudflare; Authenticated Origin Pulls makes the proof mutual. Cloudflare presents a client certificate on every request to your origin, and Nginx rejects any connection that does not carry it — so even someone who discovers your origin IP cannot bypass the proxy and talk to your server directly. Download Cloudflare's origin pull CA and add two lines to the TLS server block:
Then flip the switch on Cloudflare's side under SSL/TLS → Origin Server → Authenticated Origin Pulls. Order matters: configure and reload the Nginx side first, then enable it at Cloudflare, because once ssl_verify_client is on, every non-Cloudflare HTTPS client — including your own curl against the origin IP — gets a 400 error. That is exactly the point.
If a site behind Cloudflare loops with ERR_TOO_MANY_REDIRECTS, the diagnosis is almost always the one from the warning above: the zone is on Flexible while the origin forces HTTPS. The fix is not to remove the origin redirect — that redirect is correct — it is to install a proper certificate using either option above and switch the mode to Full (strict). The loop disappears because Cloudflare now fetches over HTTPS and the origin has nothing left to redirect. Verify each leg from your terminal:
Your checklist from here is short. Confirm the zone mode under SSL/TLS → Overview is Full (strict). Confirm the origin holds either an auto-renewing Let's Encrypt certificate or a 15-year Origin CA certificate. Run the three curl checks. If the server is managed by CloudStick, the certificate half of that list is dashboard work — issue Let's Encrypt with auto-renewal or install the Origin CA pair as a custom certificate — and Authenticated Origin Pulls remains the optional last mile for locking the origin to Cloudflare alone. Two legs, both encrypted, both verified: that is what the padlock was supposed to mean all along.

