
On the security impact of insecureSkipVerify vs Cloudflare Full(strict) SSL/TLS Encryption

Open 9SMTM6 opened this issue 3 years ago • 0 comments

I'm all but a security expert, so maybe I'm just wrong. But thinking about it I would think that enabling traefik's serversTransports.insecureSkipVerify is in most situations a much safer option than going down from Full (strict) to Full SSL/TLS Encryption in the Cloudflare settings.

As far as I understand it these settings do pretty much the same. They disable verification of the Certificates of the proxied service behind them.

The difference is that the communication between Traefik and the thing it proxies to is usually at most in a local network (and often may actually be just on the localhost), while the communication between Traefik and Cloudflare is through the Internet.

And if one follows your example here https://www.smarthomebeginner.com/traefik-2-docker-tutorial/#Why_did_I_include_NextCloud_as_an_Example then one has to reduce security in one of the two things, because otherwise either Traefik or Cloudflare will reject self-signed certificates.

The best thing would be IMAO if one could, on either of these, disable verification for just one specific i.e. subdomain, but both are apparently only global (not sure why?).

On second thoughts, I'm not sure how much attack surface our setup with our one WAN IP is opening. Maybe it's safe after all? I guess spoofing the dynamic DNS shortly after a change is not easy, which is the only thing I can actually think of. But still it's probably not impossible either. Anyways I think this still would be an interesting discussion so I'll issue this anyways.

Also I just thought of a way to disable verification for one specific subdomain. With PageRules. Unfortunately we Free Cloudflare Account peasants are limited to only 3 of these.

9SMTM6 avatar Feb 07 '21 23:02 9SMTM6
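As an added example (not part of the issue above and not the docker-traefik project's own configuration), the following Traefik v2 dynamic configuration shows the third option the discussion is looking for: instead of a global `serversTransport.insecureSkipVerify: true` in the static config, a dedicated `serversTransports` entry that trusts only the backend's self-signed certificate and is attached to only that one service. Traefik verifies the backend certificate against the listed `rootCAs` and checks it against `serverName`, so Cloudflare can stay on Full (strict) and no other backend loses verification. The service name `nextcloud`, the container hostname `nextcloud`, the server name `nextcloud.internal`, and the certificate path `/certs/nextcloud-selfsigned.crt` are assumed values for illustration; replace them with the CN/SAN actually present in the self-signed certificate and the path where it is mounted. This requires Traefik 2.4 or later, where `serversTransport` became configurable per service.

```yaml
# Weak setting (static config, traefik.yml): disables certificate verification
# for EVERY proxied backend. Shown only for contrast; do not combine with the
# per-service transport below.
#
# serversTransport:
#   insecureSkipVerify: true

# Hardened alternative (dynamic config, e.g. rules/nextcloud.yml loaded by the
# file provider): trust exactly one self-signed certificate for exactly one
# service. Names and paths below are assumed, not taken from the issue.
http:
  serversTransports:
    nextcloud-transport:
      # Hostname Traefik expects in the backend certificate (assumed value).
      serverName: "nextcloud.internal"
      # The backend's self-signed certificate, mounted read-only into the
      # Traefik container (assumed path). Only this CA/cert is trusted here.
      rootCAs:
        - /certs/nextcloud-selfsigned.crt
      # insecureSkipVerify is deliberately left at its default (false).

  services:
    nextcloud:
      loadBalancer:
        # Bind the dedicated transport to this service only; every other
        # service keeps Traefik's default, fully verified transport.
        serversTransport: nextcloud-transport@file
        servers:
          - url: "https://nextcloud:443"   # assumed container name and port

  routers:
    nextcloud:
      rule: "Host(`nextcloud.example.com`)"   # placeholder public hostname
      entryPoints:
        - https
      service: nextcloud
      tls:
        certResolver: dns-cloudflare           # assumed resolver name
```

If the service is declared through Docker labels instead of the file provider, the same binding is expressed as `traefik.http.services.nextcloud.loadbalancer.serverstransport=nextcloud-transport@file`, with the `serversTransports` block still living in the file-provider config. A quick check that verification is actually in force: temporarily point `rootCAs` at an unrelated certificate and confirm the router returns a 500 with a certificate error in Traefik's logs, then restore the real one.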