DDOS protection for an only HTTP site

Hello everyone! I have a problem, my site is constantly getting a DDOS attack, every day, at a fixed time. The DDOS attack will continue from 22.00 to 00.00.

I installed Cloudflare protection, but the problem is that my site doesn’t work on https. If you visit my site via https, it will automatically redirect to http. I can’t move my site to https in the future either.

When I installed your protections, I saw the problem “ERR_TOO_MANY_REDIRECTS” in the browser. And the site did not open. This problem was caused by the sequence https->http->https->http->https. How can this problem be solved with just HTTP itself? HTTPS should not interfere at all.

tldr; You need to turn off Universal SSL to have an operating http-only website under Cloudflare.

When Universal SSL is enabled, Cloudflare will publish a DNS record of type 65, known as HTTP Resource Record. Cloudflare started generating these records for any zone with Universal SSL enabled almost 3 years ago, and most browsers — among them Chrome, Safari, Edge, and Firefox — have recently started to redirect to HTTPS any site for which they see the HTTPS-RR. It works similarly to HSTS, except it’s DNS-based, instead of header-based. Currently, the only way to have Cloudflare stop publishing the HTTPS-RR for your domain is by setting SSL/TLS to Off and turning off Universal SSL.

So what happens with your zone is that browsers are internally redirecting to https, only to have your origin redirect back to http. When you turn off Universal SSL, Cloudflare immediately stops generating the HTTPS RR, and requests with http:// will be sent to the origin unaltered. (At the same time, without Universal SSL, you won’t be able to redirect from https to http.)

You can see the HTTPS-RR for your zone with the command:

dig example.com -t type65 @
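
An added example, not part of the original reply: dig builds that do not know the HTTPS type print a type 65 answer in RFC 3597 generic form (`\# <length> <hex>`), which hides what the record advertises. The sketch below decodes that form into the RFC 9460 fields (SvcPriority, TargetName, SvcParams); the function names and the sample record are constructed for illustration.

```python
import ipaddress
import struct

# SvcParamKey numbers defined in RFC 9460
PARAM_NAMES = {0: "mandatory", 1: "alpn", 2: "no-default-alpn", 3: "port",
               4: "ipv4hint", 5: "ech", 6: "ipv6hint"}

def rdata_from_dig(text):
    """Convert dig's generic RDATA ('\\# <len> <hex>') into bytes."""
    fields = text.split()
    if len(fields) < 2 or fields[0] != "\\#":
        raise ValueError("not RFC 3597 generic RDATA")
    data = bytes.fromhex("".join(fields[2:]))
    if len(data) != int(fields[1]):
        raise ValueError("length field does not match payload")
    return data

def decode_value(key, value):
    if key == 1:  # alpn: sequence of length-prefixed protocol ids
        out, pos = [], 0
        while pos < len(value):
            out.append(value[pos + 1:pos + 1 + value[pos]].decode("ascii"))
            pos += 1 + value[pos]
        return out
    if key == 3 and len(value) == 2:  # port: one 16-bit integer
        return struct.unpack("!H", value)[0]
    if key in (4, 6):  # address hints: packed 4- or 16-byte addresses
        size = 4 if key == 4 else 16
        return [str(ipaddress.ip_address(value[i:i + size]))
                for i in range(0, len(value), size)]
    return value.hex()  # anything else is shown as raw hex

def decode_https_rr(data):
    """Decode SvcPriority, TargetName and SvcParams of a type 65 record."""
    priority, pos, labels = struct.unpack_from("!H", data)[0], 2, []
    while data[pos]:  # TargetName is an uncompressed wire-format name
        labels.append(data[pos + 1:pos + 1 + data[pos]].decode("ascii"))
        pos += 1 + data[pos]
    pos += 1  # step over the terminating root label
    params = {}
    while pos < len(data):
        key, length = struct.unpack_from("!HH", data, pos)
        value = data[pos + 4:pos + 4 + length]
        if len(value) != length:
            raise ValueError("truncated SvcParam")
        params[PARAM_NAMES.get(key, f"key{key}")] = decode_value(key, value)
        pos += 4 + length
    return {"priority": priority, "target": ".".join(labels) + ".", "params": params}

SAMPLE = r"\# 25 00010000010006026833026832 00040008c0000201c0000202"  # constructed
```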


Thank you! I tried. It worked!

