Introduction
From time to time you may add a new site to your server and find that it is stuck in a redirect loop, or that it redirects to another domain hosted on the same server.
Cloudflare “SSL/TLS encryption mode” setting
When you add a new domain to Cloudflare, it issues an edge certificate for the domain and picks a default for how it will connect to your origin. That setting is the “SSL/TLS encryption mode”, and on a new zone it is usually set to Flexible.
Here’s the definition of each.
Available encryption modes
https://developers.cloudflare.com/ssl/origin-configuration/ssl-modes/
- Off (no encryption): Setting your encryption mode to Off (not recommended) redirects any HTTPS request to plaintext HTTP.
- Flexible: Setting your encryption mode to Flexible makes your site partially secure. Cloudflare allows HTTPS connections between your visitor and Cloudflare, but all connections between Cloudflare and your origin are made through HTTP. As a result, an SSL certificate is not required on your origin.
- Full: When you set your encryption mode to Full, Cloudflare allows HTTPS connections between your visitor and Cloudflare and makes connections to the origin using the scheme requested by the visitor. If your visitor uses http, then Cloudflare connects to the origin using plaintext HTTP and vice versa.
- Full (strict): When you set your encryption mode to Full (strict), Cloudflare does everything in Full mode but also enforces more stringent requirements for origin certificates.
- Strict (SSL-Only Origin Pull): This method is only available for Enterprise zones.
As you can see from the descriptions above, Flexible mode always uses plaintext HTTP to connect to your origin server (your server) rather than HTTPS. Even with Full, if your visitor arrives over HTTP, Cloudflare will still connect to your origin over HTTP.
So what’s the issue?
So what’s the issue? Why am I getting a redirection loop? Let’s take a look at the process.
User https:// -> Cloudflare http:// -> Server aka Origin tells the user to redirect to https://
The user starts with https://, Cloudflare forwards the request to the origin over http://, and the origin, which has a rule forcing HTTPS, answers with a redirect to https://. The user follows it, Cloudflare again connects over http://, and round it goes: voilà, a redirect loop. The origin has no way of knowing that the visitor actually used HTTPS unless it looks at the X-Forwarded-Proto (or CF-Visitor) header that Cloudflare adds to proxied requests. A common way to end up here is an origin that only has a self-signed certificate, so the zone was left on Flexible, or Cloudflare otherwise being stuck connecting over http://. Either way, there is an easy way to get Cloudflare behaving correctly.
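To make the loop concrete, here is a small model of the visitor -> Cloudflare -> origin exchange for each encryption mode. This is an added illustration, not code from the original article or from Cloudflare: the request and response objects, the five-hop limit, and the two origin behaviours (a plain “force HTTPS” rule, and the same rule honouring X-Forwarded-Proto) are assumptions made for the example, not a description of Cloudflare internals. It goes slightly beyond the text by also showing the origin-side fix and the Off mode.

```python
"""Model of how the Cloudflare SSL/TLS encryption mode interacts with a
'force HTTPS' rule on the origin.  Added example, not the article's own
code; the objects and behaviours below are simplifying assumptions."""

from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple

MAX_HOPS = 5  # assumption: browsers give up after a handful of redirects


@dataclass
class Response:
    status: int
    location: Optional[str] = None


@dataclass
class Request:
    scheme: str            # scheme used on *this* hop ("http" or "https")
    host: str
    path: str = "/"
    headers: dict = field(default_factory=dict)


def origin_force_https(req: Request) -> Response:
    """Origin rule that only looks at the scheme of the connection it received
    (the classic 'redirect everything to https' rewrite)."""
    if req.scheme != "https":
        return Response(301, f"https://{req.host}{req.path}")
    return Response(200)


def origin_honours_forwarded_proto(req: Request) -> Response:
    """Same rule, but it trusts X-Forwarded-Proto from the proxy, so it sees
    what the visitor used rather than what Cloudflare used."""
    visitor_scheme = req.headers.get("X-Forwarded-Proto", req.scheme)
    if visitor_scheme != "https":
        return Response(301, f"https://{req.host}{req.path}")
    return Response(200)


def cloudflare(mode: str, visitor_req: Request,
               origin: Callable[[Request], Response]) -> Response:
    """Forward the visitor's request to the origin using the scheme the
    encryption mode dictates.  Certificate validation in Full (strict) is
    not modelled; only the scheme choice matters for the loop."""
    if mode == "off":
        if visitor_req.scheme == "https":   # Off redirects HTTPS to HTTP
            return Response(301, f"http://{visitor_req.host}{visitor_req.path}")
        upstream_scheme = "http"
    elif mode == "flexible":
        upstream_scheme = "http"            # always plaintext to the origin
    elif mode in ("full", "strict"):
        upstream_scheme = visitor_req.scheme  # mirrors what the visitor used
    else:
        raise ValueError(f"unknown mode {mode!r}")
    upstream = Request(upstream_scheme, visitor_req.host, visitor_req.path,
                       {"X-Forwarded-Proto": visitor_req.scheme})
    return origin(upstream)


def _split(url: str) -> Tuple[str, str, str]:
    scheme, rest = url.split("://", 1)
    host, _, path = rest.partition("/")
    return scheme, host, "/" + path


def fetch(mode: str, origin: Callable[[Request], Response],
          url: str = "https://example.com/") -> Tuple[str, List[str]]:
    """Follow redirects like a browser and report ('ok' | 'redirect loop',
    trace of hops)."""
    scheme, host, path = _split(url)
    trace: List[str] = []
    for _ in range(MAX_HOPS):
        resp = cloudflare(mode, Request(scheme, host, path), origin)
        trace.append(f"{scheme}://{host}{path} -> {resp.status}")
        if resp.status == 200:
            return "ok", trace
        scheme, host, path = _split(resp.location)
    return "redirect loop", trace


if __name__ == "__main__":
    for mode in ("off", "flexible", "full", "strict"):
        for name, origin in (("force-https", origin_force_https),
                             ("honours-X-Forwarded-Proto",
                              origin_honours_forwarded_proto)):
            outcome, trace = fetch(mode, origin)
            print(f"{mode:9} {name:27} {outcome:14} {' | '.join(trace)}")
```

Running it shows Flexible (and Off) looping against a force-HTTPS origin while Full and Full (strict) return 200, and that an origin which honours X-Forwarded-Proto breaks the loop even under Flexible. In practice the mode change is the simpler fix, and Full (strict) is the one that actually protects the Cloudflare-to-origin leg.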
Solution – Cloudflare “Full Strict” or “Configuration Rule”
So what’s the solution? Switch to Full (strict); that usually fixes the issue. Note that Full (strict) requires a certificate on the origin that Cloudflare can validate (a publicly trusted one or a Cloudflare Origin CA certificate); a self-signed certificate will fail with a 526 error instead of a loop. Sometimes switching the zone setting still doesn’t help, and then you need to force Cloudflare to use https:// with a Configuration Rule. Before relying on that, it is worth checking whether an existing Page Rule or Configuration Rule sets a different SSL mode for the affected URLs, since those override the zone-wide setting. This is just something I’ve noticed works, and I’m still not certain why; hopefully I can update this article when I do figure it out 🙂
So let’s go over creating a Configuration Rule to enforce Full (strict).
1 – Setup a new Cloudflare Configuration Rule
Log in to your Cloudflare account, select the affected domain, then click “Rules -> Configuration Rules -> Create Rule”. Name the rule and select “All incoming requests”.
2 – Set the SSL option to “Full” or “Strict”
Scroll to the bottom of the page, click “+ Add” next to SSL, select “Full” or “Strict”, and click Deploy. The zone-wide setting can also be changed from the API (PATCH /zones/{zone_id}/settings/ssl with {"value":"strict"}), which is handy when you manage many zones.
Conclusion
Be aware of how Cloudflare handles traffic to your origin. It can be the culprit, and you would not be able to tell unless you knew how Cloudflare’s “SSL/TLS encryption mode” setting works.