Always use HTTPS only for grey-cloud


#1

I realize the definition of Always use HTTPS says

This applies to all http requests to the zone.

But I was still shocked to find out that it was redirecting GREY zone DNS entries. Those should be direct, without Cloudflare in the middle, so how is it you are even capturing the request enough to redirect it?

Always use HTTPS should NOT affect grey-cloud DNS entries.


#2

It doesn’t / can’t, as the traffic never routes through Cloudflare. Cloudflare rules & settings for WAF / DDoS & CDN can only apply to records which are :orange:. Do you have a :grey: record which is CNAMEd to an :orange: record, perhaps?


#3

No, it's the same CNAME that my other records use, but third party.

My test was:

Set up a new CNAME that I’ve not visited locally and make it :grey:
Turn off Always use HTTPS
Verify the previously used CNAME was no longer redirecting to HTTPS.
Visited the new :grey: CNAME, was working fine over HTTP
Turned on Always use HTTPS
Refreshed the browser window and the :grey: address redirected to HTTPS


#4

NOTE:

I was testing

order CNAME to third party :orange:
www.order CNAME to third party :grey:

Just looking to make sure that when silly people type www in front of the real CNAME it still gets to the website, instead of the SSL error, due to obvious reasons.


#5

Interesting too, because the SSL error is on the origin certificate, so I know it's getting there, just not sure how it's getting redirected to SSL first.

I just tested again by disabling Always use HTTPS and opening the www.order address up in a different browser - did NOT get redirected to HTTPS - so I would conclude there’s nothing on origin causing the redirect.


#6

The site itself is sending back instructions that the site should only be over SSL I believe. The origin is sending this header: Strict-Transport-Security: max-age=63072000; includeSubDomains; preload

None of the DNS entries point to Cloudflare so I can’t see any way it would be going through our system or that a Cloudflare setting would have an impact on what the origin server responds with or the traffic to it.


#7

Hmm, HSTS only exists on one domain on that server. It is not enabled for any other, and if it were, toggling the CF setting wouldn’t have any impact.

I agree, if we are :grey: then CF should have no say in it, but I’m still scratching my head on that one.


#8

OK, I figured it out. It was HSTS on my server; it was served due to setting “FULL” on SSL when :orange: was on, then got stuck there, as it should.

Reconfigured the origin server to serve HSTS only under the right conditions, and the problem will go away for any domain not already "tainted" by HSTS.

All good, problem solved, thanks!
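Added illustration (not from the thread or Cloudflare) of the mechanism posts #6 and #8 describe: a toy model of a browser's HSTS cache, using the exact header quoted in #6 and constructed hostnames `order.example.com` / `www.order.example.com`. It shows why the :grey: www host gets upgraded client-side even though no request ever passes through Cloudflare, and why flipping Always use HTTPS afterwards changes nothing.

```python
import re
import time

class HstsCache:
    """Toy RFC 6797-style policy store: host -> (expiry, include_subdomains)."""

    def __init__(self, now=time.time):
        self.now = now
        self.policies = {}

    def observe_response(self, host, headers, over_https):
        """Record the policy from a response. Browsers only honour the header over
        HTTPS, so an :orange: + "Full" SSL visit could plant it; plain HTTP cannot."""
        if not over_https:
            return
        value = next((v for k, v in headers.items()
                      if k.lower() == "strict-transport-security"), None)
        if value is None:
            return
        m = re.search(r'max-age\s*=\s*"?(\d+)"?', value, re.IGNORECASE)
        if not m:
            return
        host, max_age = host.lower(), int(m.group(1))
        if max_age == 0:  # max-age=0 is how a server un-taints a cached host
            self.policies.pop(host, None)
            return
        self.policies[host] = (self.now() + max_age,
                               "includesubdomains" in value.lower())

    def must_upgrade(self, host):
        """True when the browser rewrites http://host to https:// before sending,
        so neither the origin nor Cloudflare ever sees the HTTP request."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            policy = self.policies.get(".".join(labels[i:]))
            if policy is None or policy[0] <= self.now():
                continue  # no policy, or expired
            if i == 0 or policy[1]:  # exact host, or superdomain with includeSubDomains
                return True
        return False

def replay_thread(now=time.time):
    """Replay the thread with constructed hostnames; 'www.order' is :grey: yet upgraded."""
    cache = HstsCache(now)
    hdr = {"Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload"}
    cache.observe_response("order.example.com", hdr, over_https=True)
    return {"order": cache.must_upgrade("order.example.com"),
            "www.order": cache.must_upgrade("www.order.example.com"),
            "shop": cache.must_upgrade("shop.example.com")}
```

To confirm the origin is the source on a real deployment, fetch the :orange: host over HTTPS and look for the Strict-Transport-Security header in the response; the only server-side way to undo a cached policy is to serve `max-age=0` over HTTPS to each affected browser, otherwise it persists until expiry.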