For performance reasons (poor 2G/3G connections on an ancient PDA), or because I have an HTTP cleartext-only AJAX API that isn’t under my control, my static site doesn’t work with HTTPS. It has no state or auth functions. I added a custom domain to a Cloudflare Pages site; my SSL setting is set to Flexible on the WAF/zone/proxy/domain side. Since CF Pages internally lives on a .dev domain, I know there is no chance for cleartext HTTP to work with the randomly generated .dev domain. If I add my custom domain to my CF Pages site, I get 301 redirects from HTTP to HTTPS. If I set SSL on the zone to OFF from Flexible, I get a “too many redirects” fatal error from Chrome (301 loop). Is there a way to get CF Pages to serve over HTTP cleartext? If I need to write a custom CF Worker to proxy HTTPS static content to HTTP, I’d probably move on from the CF Pages product to a different host.
You can’t call insecure sites from a secure one (So no HTTP calls from HTTPS). You also should not ever disable SSL anyway. The best solution to this is fixing that API to use SSL.
You should also set your SSL mode to Full (Strict).
I’m not sure why you’re trying to make the whole site not secure rather than just fixing the security issue at your API here. That is the much better solution.
It’s not my API; any attempts to change it will result in the free (legacy) API being removed or a talk with a sales representative for a five-digit provider agreement with a custom API key. It’s old enough that JSONP works. No session/customer/cookie info is transmitted over the wire. Either I write a CFW to wrap cleartext to HTTPS, or have a static site in cleartext that does the XHR/JSONP call. HTTPS to the API server results in 404 not found. HTTP GET / and HTTPS GET / result in two different websites. It’s not up for debate why the API is set up the way it is, since it’s not my API and they want a provider agreement for their newer platform. The legacy platform is iPlanet webserver and ColdFusion UI. It’s not for debate on upgrades to their API at this point. If the legacy server is turned off, well, my site can’t be free anymore because of the referrer check and CORS limits on the new feed. My static site is a far better UI with fewer taps and less visual noise than the ColdFusion legacy UI.
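The Worker approach mentioned in the thread (an HTTPS front for the cleartext-only API, so the page itself can stay on HTTPS without mixed-content blocking), as an added example that is not part of any post here. The upstream host, path prefix and parameter names are placeholders, and the Worker-to-API hop is still cleartext.

```javascript
// Added example. All constants are assumed placeholders, not values from the thread.
const UPSTREAM_ORIGIN = "http://legacy-api.example"; // cleartext-only API host
const ALLOWED_PREFIXES = ["/feed/"];                 // API paths the static site needs
const ALLOWED_PARAMS = new Set(["callback", "id"]);  // query parameters passed through
const JSONP_CALLBACK = /^[A-Za-z_$][A-Za-z0-9_$]{0,63}$/;

// Map an incoming HTTPS request to the one fixed upstream, or return null to refuse.
// The upstream host never comes from the request, so this cannot act as an open proxy.
function buildUpstreamUrl(requestUrl, method) {
  if (method !== "GET") return null; // read-only API, nothing else is forwarded
  const inUrl = new URL(requestUrl);
  // URL parsing has already resolved dot segments, so "/feed/../admin"
  // arrives here as "/admin" and fails the prefix check.
  if (!ALLOWED_PREFIXES.some((p) => inUrl.pathname.startsWith(p))) return null;
  const out = new URL(UPSTREAM_ORIGIN);
  out.pathname = inUrl.pathname;
  for (const [name, value] of inUrl.searchParams) {
    if (!ALLOWED_PARAMS.has(name)) continue; // drop unknown parameters
    // A JSONP callback is reflected into script; accept a bare identifier only.
    if (name === "callback" && !JSONP_CALLBACK.test(value)) return null;
    out.searchParams.append(name, value);
  }
  return out.toString();
}

// Worker fetch handler. fetchImpl is injectable so the logic can be exercised offline.
async function handleRequest(request, fetchImpl = fetch) {
  const target = buildUpstreamUrl(request.url, request.method);
  if (target === null) return new Response("Not found", { status: 404 });
  // Do not follow redirects: a redirect could point the Worker at another host.
  const upstream = await fetchImpl(target, { redirect: "manual" });
  if (upstream.status >= 300 && upstream.status < 400) {
    return new Response("Bad gateway", { status: 502 });
  }
  const headers = new Headers();
  headers.set("Content-Type",
    upstream.headers.get("Content-Type") || "application/octet-stream");
  headers.set("X-Content-Type-Options", "nosniff");
  // Upstream Set-Cookie and other headers are deliberately not copied.
  return new Response(upstream.body, { status: upstream.status, headers });
}

// In a Worker (module syntax) this is wired up as:
//   export default { fetch: (request) => handleRequest(request) };
```

Because the response crosses the internet unencrypted between the Worker and the API, anything returned should be treated as untrusted input by the page that consumes it.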