• Flexible configuration
  • Always use HTTPS

We do not have access to change any configuration on the ORIGIN server. If we did, I’d install an SSL certificate immediately and use Cloudflare’s full SSL configuration.

Currently facing the issue that Cloudflare is redirecting all traffic to HTTPS, while the origin has a 302 redirect of HTTPS traffic to HTTP. This article seems to indicate that the “flexible” configuration is not compatible with an origin server that redirects traffic from HTTP to HTTPS. In this case, however, it is the opposite: the origin server is redirecting HTTPS traffic to HTTP.

This seems odd to me as my understanding is that Cloudflare communicates with the origin server over HTTP in the “flexible” SSL configuration, so the server should observe the traffic as HTTP traffic and not be sending a redirect from HTTPS to HTTP.

How about an option Automatic HTTPS redirection?
Do you have it enabled too?
Any Page Rules?

If you want to keep HTTP only, then kindly choose the “Off” option under the SSL tab/settings in the Cloudflare dashboard to keep your website marked as “unsecured” and only on HTTP.

  • this should be true when the DNS records are proxied via Cloudflare (orange cloud)

Therefore, remove the HTTPS to HTTP redirection at your origin - serve traffic only on HTTP port 80.

From my point of view, doing HTTPS to HTTP is kind of an issue nowadays.
Either go HTTPS, or just keep the HTTP as is.

Hope it helps.

The goal is to overcome the challenge that the server does not have an SSL certificate (and we do not have access to add one) and display an SSL certificate to users by proxying the site through Cloudflare.

Is this possible when the origin redirects HTTPS traffic to HTTP? I’m confused why this is even occurring though when the Cloudflare is supposedly interacting with the site over HTTP when in flexible mode.

Well, this one is not great for an end-user. Moreover, web browsers are increasingly going to support HTTPS and refuse to make a connection to an HTTP website. I truly believe you have a concern and care for your visitors too?

May I ask what you have tried to get one?
Either, you could generate a Cloudflare Origin CA certificate and install it for your domain and sub-domain(s) at your host/origin server and enable the Full SSL option in the Cloudflare dashboard - I truly recommend you to try this.
If interested, have a look at this article:

May I ask if you are using Apache (htaccess) or Nginx (vhost)?

HTTPS redirects from HTTP are extremely dangerous (and in fact will be blocked by all browsers soon due to abuse). For your captive portal, never ever perform any HTTPS to HTTP 302 redirect except if this is exactly to the same domain (not even a subdomain). And as there’s a high risk of information disclosure, beware of session tokens and cookies passed transparently with the redirect. You should know that HTTP targets can be tweaked and information taken by malware transparent proxies and even by malicious DNS.

Moreover, if you really want to achieve this, you could, as stated, use the “Off” option for SSL at Cloudflare.
Disable the Automatic HTTPS redirection option and disable the Always use HTTPS option.
Also, in your htaccess file add this:

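# Redirect HTTPS requests to the same host and path over HTTP
RewriteEngine On
RewriteCond %{HTTPS} on
# [R=302] makes this an external redirect; [L] stops further rule processing
RewriteRule (.*) http://%{HTTP_HOST}%{REQUEST_URI} [R=302,L]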

Flexible SSL option does the thing (from your origin to Cloudflare end and from Cloudflare to the end-user) as described in this article:

Great article here also:

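An added example, not part of the thread and not Cloudflare's code: a Python check that follows a redirect chain and reports the loop that results when “Always Use HTTPS” meets an origin that 302s HTTPS back to HTTP, along with each HTTPS to HTTP downgrade hop. The two fetch functions are constructed models of the behaviour described in the thread rather than live requests; `example.com`, the 301 status for the edge redirect, and all function names are assumptions.

```python
from urllib.parse import urlsplit, urljoin

# Constructed model of the behaviour reported in the thread, not live traffic:
# plain-HTTP requests are redirected to HTTPS ("Always Use HTTPS", assumed 301),
# and HTTPS requests come back with the origin's 302 to HTTP.
def reported_behaviour(url):
    parts = urlsplit(url)
    if parts.scheme == "http":
        return 301, "https://" + parts.netloc + (parts.path or "/")
    return 302, "http://" + parts.netloc + (parts.path or "/")

def healthy_behaviour(url):
    # Same edge rule, but the origin no longer redirects HTTPS back to HTTP.
    if urlsplit(url).scheme == "http":
        return reported_behaviour(url)
    return 200, None

def trace_redirects(start_url, fetch, max_hops=10):
    """Follow redirects via fetch(url) -> (status, location) and report
    scheme downgrades and loops instead of following them forever."""
    seen, hops, downgrades = {start_url}, [], []
    url = start_url
    for _ in range(max_hops):
        status, location = fetch(url)
        if status not in (301, 302, 303, 307, 308) or not location:
            return {"final": url, "status": status, "hops": hops,
                    "downgrades": downgrades, "loop": False}
        target = urljoin(url, location)
        hops.append((status, url, target))
        if urlsplit(url).scheme == "https" and urlsplit(target).scheme == "http":
            downgrades.append((url, target))
        if target in seen:  # a URL we already visited: redirect loop
            return {"final": target, "status": status, "hops": hops,
                    "downgrades": downgrades, "loop": True}
        seen.add(target)
        url = target
    # Hop budget exhausted without a final response: treat as a loop.
    return {"final": url, "status": None, "hops": hops,
            "downgrades": downgrades, "loop": True}

if __name__ == "__main__":
    for name, fetch in (("reported", reported_behaviour), ("healthy", healthy_behaviour)):
        result = trace_redirects("http://example.com/login", fetch)
        print(name, "loop:", result["loop"], "downgrades:", len(result["downgrades"]))
        for status, src, dst in result["hops"]:
            print("  ", status, src, "->", dst)
```

To run the same check against a real site, replace the fetch function with one that issues a single request without following redirects and returns the status code and `Location` header.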