Cloudflare flexible SSL and redirects


Solution 1

Try the following rewrite rule:

<IfModule mod_rewrite.c>
 RewriteCond %{HTTPS} off
 RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
 RewriteCond %{HTTP_HOST} !^www\.
 RewriteRule ^(.*)$ https://www.%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
</IfModule>

Also please check that you have an SSL version of your virtual directory enabled in your httpd.conf/apache.conf file.

How are you managing the domain name? Through a control panel or through the command line? Which class of Cloudflare are you using? Do you have your own SSL certificate installed on the server?

Solution 2

From CloudFlare's knowledge base.

RewriteCond %{HTTP:CF-Visitor} '"scheme":"http"'
RewriteRule ^(.*)$ https://www.domain.com$1 [L]

See https://support.cloudflare.com/hc/en-us/articles/200170536-How-do-I-redirect-HTTPS-traffic-with-Flexible-SSL-and-Apache-

Just did this myself, works like a charm.
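An added example, not part of the answer above or of Cloudflare's knowledge base: an `.htaccess` fragment that puts the looping `%{HTTPS}` check beside a `CF-Visitor` check and also folds the `www` canonicalisation the question asks for into the same single 301. `www.example.com` is a placeholder for the canonical host.

```apache
<IfModule mod_rewrite.c>
    RewriteEngine On

    # With Flexible SSL, Cloudflare always connects to the origin over plain
    # HTTP, so %{HTTPS} is "off" on every request, including the ones the
    # visitor made over https. A rule keyed on it redirects forever:
    #
    #   RewriteCond %{HTTPS} off
    #   RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

    # Key on the visitor's scheme instead, which Cloudflare reports in the
    # CF-Visitor request header as {"scheme":"http"} or {"scheme":"https"}.
    # The closing quote in the pattern keeps it from matching "https".
    #
    # Conditions read as: (visitor used http OR host is not canonical).
    # A request that is already https://www.example.com/... matches neither
    # condition, so the redirect ends after one hop.
    RewriteCond %{HTTP:CF-Visitor} '"scheme":"http"' [OR]
    RewriteCond %{HTTP_HOST} !^www\.example\.com(?::\d+)?$ [NC]

    # The target host is hard-coded (placeholder) rather than built from
    # %{HTTP_HOST}, so a forged Host header cannot steer the redirect.
    # The query string is carried over automatically.
    RewriteRule ^ https://www.example.com%{REQUEST_URI} [R=301,L]
</IfModule>
```

`CF-Visitor` is an ordinary request header, so it reflects the visitor's real scheme only when the origin accepts traffic solely from Cloudflare. Flexible SSL also leaves the hop from Cloudflare to the origin unencrypted, which is the gap raised in the comments further down.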

Solution 3

As stated here on the Cloudflare official support site

CloudFlare Force Https

So I'll walk you through what I did, (as of 16-JUN-2016)

Since a picture speaks a thousand words, see below.

Easy Way to Force SSL Flexible on Cloudflare

And you are done. It should start redirecting to https outright.

Solution 4

Here's what worked for me: @Victor Häggqvist's htaccess rules combined with @Mohd Abdul Mujib's page rules (with * also at the beginning of the rule, though).

RewriteCond %{HTTP:CF-Visitor} '"scheme":"http"'
RewriteRule ^(.*)$ https://www.domain.com$1 [L]
------
http://*yourdomain.com/*

As per Cloudflare's manual, the protocol must be http in the above for it to work.

I added a pure HTML page to Cloudflare and got too many redirects, but the above helped. Now I will go and install WordPress on the site.

These are the links I gathered for my journey, in case they are helpful to someone else, too.

https://support.cloudflare.com/hc/en-us/articles/200170536-How-do-I-redirect-HTTPS-traffic-with-Flexible-SSL-and-Apache-

https://blog.cloudflare.com/flexible-ssl-wordpress-fixing-mixed-content-errors/

https://support.cloudflare.com/hc/en-us/articles/201717894-Using-CloudFlare-and-WordPress-Five-Easy-First-Steps

https://support.cloudflare.com/hc/en-us/articles/203487280--How-do-I-fix-the-infinite-redirect-loop-error-after-enabling-Flexible-SSL-with-WordPress-

Solution 5

The .htaccess didn't work for me either (neither did creating a rule with the force https option). What worked is I created a rewrite rule on Cloudflare to rewrite from http://yourdomain.com/* to https://yourdomain.com/$1 and that fixed the issues (it took about half an hour to kick in though).

Author by

Mikkel Madsen

Updated on June 08, 2022

Comments

  • Mikkel Madsen
    Mikkel Madsen almost 2 years

    I'm having some really annoying problems with my domain.

    I have Cloudflare flexible SSL on my site, and it makes an https call, IF I type it myself >< When I try to force https to be used on my site via a .htaccess file I get an internal server error.

    I would like all visitors to my site to always be redirected to https://www.example.com even if they type example.com or example.com/index.php etc. + using https on the whole site.

    I just can't find the solution to this, so I'm trying stack.

    My DNS settings on Cloudflare are an A record that points domain.com to an IP and a CNAME record that says www.domain.com is an alias of domain.com

    I have no page rules added on Cloudflare atm.

    <IfModule mod_setenvif.c>
        <IfModule mod_headers.c>
            <FilesMatch "\.(cur|gif|ico|jpe?g|png|svgz?|webp)$">
                SetEnvIf Origin ":" IS_CORS
                Header set Access-Control-Allow-Origin "*" env=IS_CORS
            </FilesMatch>
        </IfModule>
    </IfModule>
    
    <IfModule mod_headers.c>
        <FilesMatch "\.(eot|otf|tt[cf]|woff)$">
            Header set Access-Control-Allow-Origin "*"
        </FilesMatch>
    </IfModule>
    
    
    Options -MultiViews
    
    
    <IfModule mod_headers.c>
        Header set X-UA-Compatible "IE=edge"
        # `mod_headers` cannot match based on the content-type, however, this
        # header should be sent only for HTML pages and not for the other resources
        <FilesMatch "\.(appcache|atom|crx|css|cur|eot|f4[abpv]|flv|gif|htc|ico|jpe?g|js|json(ld)?|m4[av]|manifest|map|mp4|oex|og[agv]|opus|otf|pdf|png|rdf|rss|safariextz|svgz?|swf|tt[cf]|vcf|vtt|webapp|web[mp]|woff|xml|xpi)$">
            Header unset X-UA-Compatible
        </FilesMatch>
    </IfModule>
    
    <IfModule mod_mime.c>
    
      # Audio
        AddType audio/mp4                                   m4a f4a f4b
        AddType audio/ogg                                   oga ogg opus
    
      # Data interchange
        AddType application/json                            json map
        AddType application/ld+json                         jsonld
    
        AddType application/javascript                      js
    
      # Video
        AddType video/mp4                                   f4v f4p m4v mp4
        AddType video/ogg                                   ogv
        AddType video/webm                                  webm
        AddType video/x-flv                                 flv
    
      # Web fonts
        AddType application/font-woff                       woff
        AddType application/vnd.ms-fontobject               eot
    
    
        AddType application/x-font-ttf                      ttc ttf
        AddType font/opentype                               otf
    
    
        AddType     image/svg+xml                           svgz
        AddEncoding gzip                                    svgz
    
      # Other
        AddType application/octet-stream                    safariextz
        AddType application/x-chrome-extension              crx
        AddType application/x-opera-extension               oex
        AddType application/x-web-app-manifest+json         webapp
        AddType application/x-xpinstall                     xpi
        AddType application/xml                             atom rdf rss xml
        AddType image/webp                                  webp
        AddType image/x-icon                                cur
        AddType text/cache-manifest                         appcache manifest
        AddType text/vtt                                    vtt
        AddType text/x-component                            htc
        AddType text/x-vcard                                vcf
    
    </IfModule>
    
    AddDefaultCharset utf-8
    
    
    <IfModule mod_mime.c>
        AddCharset utf-8 .atom .css .js .json .jsonld .rss .vtt .webapp .xml
    </IfModule>
    
    
    #<IfModule mod_rewrite.c>
    #     Options +FollowSymlinks
       # Options +SymLinksIfOwnerMatch
    #    RewriteEngine On
       # REDIRECT /folder/index.php to /folder/
    #    RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /([^/]+/)*index\.php\ HTTP/
    #    RewriteRule ^(([^/]+/)*)index\.php$ http://www.domain.dk/$1 [R=301,L]
    #</IfModule>
    
    
    #<IfModule mod_rewrite.c>
    #    RewriteCond %{HTTPS} !=on
    #    RewriteCond %{HTTP_HOST} ^www\.(.+)$ [NC]
    #    RewriteRule ^ http://%1%{REQUEST_URI} [R=301,L]
    #</IfModule>
    
    #<IfModule mod_rewrite.c>
    #    RewriteCond %{HTTPS} !=on
    #    RewriteCond %{HTTP_HOST} !^www\. [NC]
    #    RewriteCond %{SERVER_ADDR} !=127.0.0.1
    #    RewriteCond %{SERVER_ADDR} !=::1
    #    RewriteRule ^ http://www.%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
    #</IfModule>
    
    
    <IfModule mod_autoindex.c>
        Options -Indexes
    </IfModule>
    
    <IfModule mod_rewrite.c>
        RewriteCond %{SCRIPT_FILENAME} -d [OR]
        RewriteCond %{SCRIPT_FILENAME} -f
        RewriteRule "(^|/)\." - [F]
    </IfModule>
    
    <FilesMatch "(^#.*#|\.(bak|config|dist|fla|in[ci]|log|psd|sh|sql|sw[op])|~)$">
    
        # Apache < 2.3
        <IfModule !mod_authz_core.c>
            Order allow,deny
            Deny from all
            Satisfy All
        </IfModule>
    
        # Apache ≥ 2.3
        <IfModule mod_authz_core.c>
            Require all denied
        </IfModule>
    
    </FilesMatch>
    
    <IfModule mod_headers.c>
         Header set X-Content-Type-Options "nosniff"
    </IfModule>
    
    #<IfModule mod_rewrite.c>
    #    RewriteCond %{SERVER_PORT} !^443
    #    RewriteRule ^ https://www.domain.dk%{REQUEST_URI} [R=301,L]
    #</IfModule>
    
    
    
    <IfModule mod_deflate.c>
    
        # Force compression for mangled headers.
        <IfModule mod_setenvif.c>
            <IfModule mod_headers.c>
                SetEnvIfNoCase ^(Accept-EncodXng|X-cept-Encoding|X{15}|~{15}|-{15})$ ^((gzip|deflate)\s*,?\s*)+|[X~-]{4,13}$ HAVE_Accept-Encoding
                RequestHeader append Accept-Encoding "gzip,deflate" env=HAVE_Accept-Encoding
            </IfModule>
        </IfModule>
    
        # Compress all output labeled with one of the following MIME-types
        # (for Apache versions below 2.3.7, you don't need to enable `mod_filter`
        #  and can remove the `<IfModule mod_filter.c>` and `</IfModule>` lines
        #  as `AddOutputFilterByType` is still in the core directives).
        <IfModule mod_filter.c>
            AddOutputFilterByType DEFLATE application/atom+xml \
                                          application/javascript \
                                          application/json \
                                          application/ld+json \
                                          application/rss+xml \
                                          application/vnd.ms-fontobject \
                                          application/x-font-ttf \
                                          application/x-web-app-manifest+json \
                                          application/xhtml+xml \
                                          application/xml \
                                          font/opentype \
                                          image/svg+xml \
                                          image/x-icon \
                                          text/css \
                                          text/html \
                                          text/plain \
                                          text/x-component \
                                          text/xml
        </IfModule>
    
    </IfModule>
    
    
    <IfModule mod_headers.c>
       Header set Cache-Control "no-transform"
    </IfModule>
    
    <IfModule mod_headers.c>
        Header unset ETag
    </IfModule>
    
    FileETag None
    
    #<IfModule mod_expires.c>
    
    #ExpiresActive On
    #ExpiresByType image/jpg "access 1 year"
    #ExpiresByType image/jpeg "access 1 year"
    #ExpiresByType image/gif "access 1 year"
    #ExpiresByType image/png "access 1 year"
    #ExpiresByType text/css "access 1 month"
    #ExpiresByType text/html "access 1 month"
    #ExpiresByType application/pdf "access 1 month"
    #ExpiresByType text/x-javascript "access 1 month"
    #ExpiresByType application/x-shockwave-flash "access 1 month"
    #ExpiresByType image/x-icon "access 1 year"
    #ExpiresDefault "access 1 month"
    
    #</IfModule>
    
  • Mikkel Madsen
    Mikkel Madsen over 9 years
    It does not work. I could not find any information about virtual directory in my apache2 folder. I don't use the command line as of now (still a beginner). I don't use any class of Cloudflare? I just made my DNS point to theirs and activated SSL flex for my pro account. I don't have my own SSL.
  • Liam Sorsby
    Liam Sorsby over 9 years
    Sorry, I meant by class, do you use free Cloudflare, business etc. Also, the error may be the fact that when you force https it's not being handled by Cloudflare
  • Mikkel Madsen
    Mikkel Madsen over 9 years
    I use pro :) They say I need to make a self-signed SSL and upload it to unoeuro (my host), then I can use full SSL instead of flex SSL. The flex SSL may cause many redirect problems with my server and Cloudflare, so it seems.
  • Liam Sorsby
    Liam Sorsby over 9 years
    What type of app is it going to be? A commercial website? If so, it won't work. It's just as secure but signed by an untrusted site so everyone will get an SSL warning (which no one will ever go onto)
  • Liam Sorsby
    Liam Sorsby over 9 years
    I wouldn't think https is a major ranking factor. However if you want to use ssl I'd recommend buying an ssl certificate
  • Zano
    Zano over 9 years
    @LiamSorsby: The visitors are never going to see his self-signed cert, only CloudFlare's. CF doesn't care if the cert is self-signed, so for "full SSL", this is a completely valid alternative.
  • Liam Sorsby
    Liam Sorsby about 9 years
    @Zano Cloudflare only provides SSL protection from the client to CF. If you have any server-side script that must be called by CF this is not protected against attack so you will need your own SSL cert. So in a way if you just use CF's certificate you will end up with a potential hole in your security.
  • Zano
    Zano about 9 years
    @LiamSorsby, I agree, and I haven't stated otherwise. My only point was that your claim that "everyone will get an SSL warning" is just not true.
  • Liam Sorsby
    Liam Sorsby about 9 years
    @Zano a valid point taken. You are correct in what you are saying.
  • Ashish
    Ashish over 8 years
    Using this, only WordPress works. If I try to open any other files except WordPress files they still show a redirect. Like / is the WordPress base URL, /myfolder/ is a folder I created myself and placed some png file in, and opening the file always shows a redirect. If I turn on Development Mode it works, but when Development Mode is off it won't work. I have tried clearing the cache for everything. Finally leaving Cloudflare SSL. It's full of bugs!