We had a security scan run on our site and got mostly passing grades except for this one issue: when a visitor visits https://www.example.com, they are redirected to https://example.com. However, in the redirection, there is a step where it first redirects to http://example.com, which then redirects to https. Is this standard practice? Is there a way to force it to redirect to https instead?
A CNAME is not a redirect. You can think of it like a nickname, not unlike someone named Robert who also answers to Bob. In order for the CNAME to work, Robert needs to know that he is expected to answer to Bob. Your Robert knows that he is also Bob, so you are good there.
This means that the current redirect from https://www.example.com to http://example.com is being performed by a redirect at your origin server. You can skip over that by deploying a redirect at Cloudflare that goes directly to the HTTPS version.
I initially thought the same, that the redirect was happening on the server somewhere. However, neither I nor the developer can see anything there that would be causing it. Additionally, if that were the case, how can the curl logs be explained (in the image)? It clearly shows the location as http and even the ray ID, cache status, endpoints, etc. Am I misunderstanding what is happening there?
I am inclined to say yes. The Cloudflare proxy simply forwards what the origin server sends. You asked the Cloudflare proxy for https://www.example.com, which the Cloudflare proxy in turn requested from your origin server. Your origin server responded with the 301 to http://example.com and the Cloudflare proxy forwarded that response to your curl client.
If you haven’t restricted direct access to your origin server, you can test this yourself with: curl -Iiv https://www.example.com/ --connect-to www.example.com:443:192.0.2.1:443
(In addition to the obvious need to replace example.com with your actual domain, be sure to substitute your origin server IP for 192.0.2.1.)
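As an added example (not part of the thread, and not Cloudflare's or WP Engine's code), here is a small POSIX shell script that walks a redirect chain one hop at a time with curl and flags any hop where an https:// request is answered with an http:// Location, which is exactly the scanner finding in the first post. Passing the origin IP as a second argument bypasses the Cloudflare proxy with --connect-to, the same trick as the command above, while keeping the Host header and SNI. www.example.com, example.com and 192.0.2.1 are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): walk a redirect chain hop by hop and
# flag any hop that drops from https:// to http://. Each hop is fetched
# without following redirects, so every response's Location header is
# visible, together with cf-ray and cf-apo-via when Cloudflare is in the
# path. Hostnames and the origin IP 192.0.2.1 are placeholders.

# status_of HEADERS -> HTTP status code taken from the status line
status_of() {
  printf '%s\n' "$1" | awk 'NR == 1 { sub(/\r$/, ""); print $2; exit }'
}

# header_value HEADERS NAME -> value of the first header called NAME
# (case-insensitive, trailing CR stripped), empty string if absent
header_value() {
  printf '%s\n' "$1" | awk -v n="$2:" '
    tolower($1) == tolower(n) { sub(/\r$/, ""); $1 = ""; sub(/^ +/, ""); print; exit }'
}

# hop_kind REQUEST_URL LOCATION -> final | redirect | downgrade
# "downgrade" is the scanner's complaint: an https:// request answered
# with a Location that points at http://.
hop_kind() {
  case "$2" in
    '') echo final ;;
    http://*) case "$1" in https://*) echo downgrade ;; *) echo redirect ;; esac ;;
    *) echo redirect ;;
  esac
}

# walk_chain URL [ORIGIN_IP] -> one line per hop, at most 10 hops
# With ORIGIN_IP set, curl connects to that address for the request host
# (on 443 and 80) while keeping Host/SNI, which bypasses the Cloudflare proxy.
walk_chain() {
  url="$1"; origin_ip="$2"; hops=0
  while [ -n "$url" ] && [ "$hops" -lt 10 ]; do
    host="${url#*://}"; host="${host%%/*}"
    # GET with headers dumped to stdout (-D -) instead of -I/HEAD, so the
    # origin sees the same kind of request a browser sends
    if [ -n "$origin_ip" ]; then
      hdrs=$(curl -sS -o /dev/null -D - "$url" \
        --connect-to "$host:443:$origin_ip:443" --connect-to "$host:80:$origin_ip:80")
    else
      hdrs=$(curl -sS -o /dev/null -D - "$url")
    fi
    loc=$(header_value "$hdrs" location)
    # resolve a relative Location against the request URL's scheme and host
    case "$loc" in /*) loc="${url%%://*}://$host$loc" ;; esac
    printf '%s %s -> %s [%s] cf-ray=%s cf-apo-via=%s\n' \
      "$(status_of "$hdrs")" "$url" "${loc:-(none)}" "$(hop_kind "$url" "$loc")" \
      "$(header_value "$hdrs" cf-ray)" "$(header_value "$hdrs" cf-apo-via)"
    url="$loc"; hops=$((hops + 1))
  done
}

# Usage (needs network access, so not run here):
#   walk_chain https://www.example.com/            # through Cloudflare
#   walk_chain https://www.example.com/ 192.0.2.1  # straight to the origin
```

Run it once through Cloudflare and once against the origin IP; if both runs print the same "[downgrade]" hop for https://www.example.com, the redirect is being produced at the origin and merely forwarded by the proxy. A cf-apo-via value on the 301 line is another sign that the response came from the origin rather than from a Cloudflare redirect.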
Thanks again for the reply and thanks for your patience.
Can you elaborate on what I should expect to see with the curl command you provided if I have disabled CF on those two CNAMEs?
I suppose what has me confused is curl is showing me the exact same response for http → https as it is for www → non-www, except the latter redirects to http before https despite there being no redirect rules in WP-Admin.
I expect that you will see the exact same 301 redirect that you see when connecting through Cloudflare.
While I do use WordPress, that would probably be among the last of the places I would look for a redirect, not because it couldn’t be there, but it just isn’t where I would put it. That is a function that I would expect your webserver to be handling directly. The reality is that there is more than one place such redirection could be employed. I am more interested in helping you find a solution than I am in accompanying you along a journey enumerating all of the possible redirect locations on your origin, no offense intended. If learning where it is happening is something that interests you, I applaud your desire to deepen your understanding and encourage you to pursue those answers, either on your own, or with the assistance of a more general webserver administration discussion forum.
To get a more efficient redirect from your www alias to your apex, you will want to configure the redirect target to be https://example.com rather than the current target of http://example.com where it then must follow another redirect to HTTPS. While it ought to be possible to configure such a redirect at your origin, that is outside the scope of discussion here. That is why I offered a link to the Redirect Rules (beta) Cheat Sheet since it would show you how to easily move the redirect to the Cloudflare edge which will not only result in a more efficient redirect, but also remove the burden of the redirect from your origin server.
Sorry, I should have been more clear. We are hosting on WordPress (WP Engine I think is the official name), so I don’t have actual access to the server, which would have made all of this easier (I wish I did). What I meant by I didn’t see any redirects there was that in WP Admin or WP Engine admin, there aren’t any redirect rules that would account for the https://www.example.com → http://example.com → https://example.com chain that is happening, which is why I’m looking at Cloudflare as it is the only other service in the mix.
When I run that curl command you provided, I do indeed see the same redirect https://www.example.com → http://example.com:
At any rate, I added a redirect rule for if ssl is false, redirect to https://example.com, but I am still getting the same response as above. If the redirect on CF were working correctly, should I see the curl response reflect that? i.e. if it were working, in the request in the image above, I should be seeing https://example.com instead of http://example.com in that first < reply section?
Sorry to keep double posting and harping, but this is twisting my mind. When I make the request in a browser, it shows the redirect response coming from an IP address that resolves to Cloudflare:
Of course your browser shows the response comes from Cloudflare. When you proxy your site through Cloudflare , your browser always connects to Cloudflare and Cloudflare then connects to your origin at WP Engine. That’s how it works.
You should really pause Cloudflare. That should confirm to you that the HTTPS → HTTP → HTTPS redirect is occurring at WP Engine.
Once you have done that, you can re-enable Cloudflare and share the redirect that you have configured at Cloudflare, so we can make sure that you are specifying the HTTPS scheme in your target URL.
I probably should have mentioned that CF is handling my DNS as well, if that might affect things. My domain nameservers point to pablo.ns.cloudflare.com and zita.ns.cloudflare.com.
I did as you suggested and paused CF on the site. Strangely, the next curl request works exactly as expected:
No. It could just as easily be (and likely is) your origin returning that response. But you can confirm this by pausing Cloudflare and testing as @epic.network suggested.
Thanks, but as I mentioned in my last post, I did exactly that and when paused, get the correct response.
I did, as mentioned earlier:
Does that look correct? Is there a better way to set it?
Again, I’ve looked everywhere I can in WP-Admin and WP Engine admin, and there are no redirections configured there. Is it possible that perhaps my DNS configuration is what is messing things up? As I said, CF is handling my DNS. For some reason (I think per WP directions), there is no A record, just a CNAME for example.com → wp.wpenginepowered.com and a CNAME for www → example.com. It looks like they recommend this method, CNAME flattening, so that WP Engine host updates can happen transparently.
No and yes. I am suggesting that you create a redirect rule for www.example.com to https://example.com with no concern for the scheme (that is http:// or https://). Lose the bit about if ssl is false. See number 2 in the Redirect Rules (beta) Cheat Sheet.
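To illustrate that advice with working configuration, here is an added example, not from the thread and not Cloudflare's own code: a shell script that builds the Single Redirect described above (match on hostname only, no ssl condition, 301 to the HTTPS apex with path and query string kept) and pushes it through the Rulesets API, followed by a curl check that https://www now answers with a single hop. Assumptions: www.example.com and example.com are placeholders, the zone has no other Single Redirects (the PUT replaces the whole redirect ruleset for the zone), and CF_ZONE_ID and CF_API_TOKEN are set in the environment. The JSON uses the API field names for the redirect action; the same rule can be entered in the dashboard's Redirect Rules form instead.

```shell
#!/bin/sh
# Added example (not from the thread): a Cloudflare Single Redirect that
# sends every request for the www host straight to the HTTPS apex, path and
# query string preserved, so the origin's own www -> http redirect is never
# reached. Hostnames are placeholders; CF_ZONE_ID and CF_API_TOKEN are
# assumed to be set in the environment when deploying.

# redirect_rule_json WWW_HOST APEX -> JSON body for the redirect ruleset
# The expression matches on hostname only (no condition on ssl), so both
# http://WWW_HOST and https://WWW_HOST take one hop to https://APEX/<path>.
redirect_rule_json() {
  www_host="$1"; apex="$2"
  cat <<EOF
{
  "rules": [
    {
      "description": "$www_host -> https://$apex in one hop",
      "expression": "(http.host eq \"$www_host\")",
      "action": "redirect",
      "action_parameters": {
        "from_value": {
          "status_code": 301,
          "preserve_query_string": true,
          "target_url": {
            "expression": "concat(\"https://$apex\", http.request.uri.path)"
          }
        }
      }
    }
  ]
}
EOF
}

# deploy_redirect_rule WWW_HOST APEX -> 0 on success, 1 if credentials missing
# PUT on the phase entrypoint replaces the zone's entire redirect ruleset,
# so any existing Single Redirects must be merged into the body first
# (assumption here: the zone has none).
deploy_redirect_rule() {
  [ -n "$CF_ZONE_ID" ] && [ -n "$CF_API_TOKEN" ] || {
    echo "set CF_ZONE_ID and CF_API_TOKEN" >&2; return 1; }
  redirect_rule_json "$1" "$2" | curl -sS -X PUT \
    "https://api.cloudflare.com/client/v4/zones/$CF_ZONE_ID/rulesets/phases/http_request_dynamic_redirect/entrypoint" \
    -H "Authorization: Bearer $CF_API_TOKEN" \
    -H "Content-Type: application/json" \
    --data-binary @-
}

# verify_single_hop WWW_HOST APEX -> 0 if https://WWW_HOST/ answers with a
# Location of exactly https://APEX/, i.e. the http:// leg is gone
verify_single_hop() {
  loc=$(curl -sS -o /dev/null -D - "https://$1/" \
        | awk 'tolower($1) == "location:" { sub(/\r$/, ""); print $2; exit }')
  [ "$loc" = "https://$2/" ]
}

# Usage (needs network access and API credentials, so not run here):
#   deploy_redirect_rule www.example.com example.com
#   verify_single_hop www.example.com example.com && echo "single hop OK"
```

Because the rule matches before the request is proxied to the origin, the origin's https://www → http:// redirect is never triggered while Cloudflare is active; it still exists at WP Engine and will reappear whenever the proxy is paused.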
The original issue was that when requesting https://www.example.com you were being redirected twice, first to http://example.com, then to https://example.com
In the redirect tested with Cloudflare paused, you requested http://example.com and got to https://example.com, which was already happening in the second leg of the original request.
Please notice that in the screenshot of your initial request for https://www.example.com, APO responds with cf-apo-via: origin, resnok, which means it requested that URL to the origin and it returned a response that is not 200. If a redirect is being performed by Cloudflare, you’ll not see any cf-apo-via header on the 301/302 response, only when it lands on a 200.
You can add any Redirect Rule you want, but as long as it lands on https://www and your origin is redirecting requests for https://www. back to http:// you’ll have that extra leg. You should follow @epic.network’s and @cscharff’s advice and create a redirect straight from https://www to https:// so that your origin is not touched in the process.
As for the origin redirect itself, it will only be an issue when Cloudflare is paused. It’s unfortunate that you do not have access to your origin server to find things out, but since it’s been established that this is an origin redirect, this issue falls outside the scope of this community. I’d suggest you contact WP Engine and ask for further help.