Does the website redirect unencrypted traffic from HTTP to HTTPS?

I’ve been working for a while now to set up a secure Apache installation that includes utilizing many of the Cloudflare services. I have been testing with the Cloudflare diagnostics and am still getting a few errors that don’t make sense. One of them is “no_redirect_to_https”, which is the message the diagnostics gives for the topic of this post. I have Apache set up to redirect HTTP traffic for my domain “thecarrock.com” to the HTTPS version. All other online tests I can find say it is working correctly. My own internal test shows this:

curl -I http://thecarrock.com
HTTP/1.1 301 Moved Permanently
Date: Wed, 17 Nov 2021 05:33:17 GMT
Connection: keep-alive
Cache-Control: max-age=3600
Expires: Wed, 17 Nov 2021 06:33:17 GMT
Location: https://thecarrock.com/
Report-To: {"endpoints":[{"url":"https://a.nel.cloudflare.com/report/v3?s=Pr0cqH6oyravDooUu93S0Vx45wl268B0aIvW8OWnEODzBGYjPeNK4cIrXvtgQ%2BXvqi3E0ewP5u1A5hsMOII6%2FpjE3xn9gNvIFhuWvNNF5D6SI8bWA1ZvXwbEOGRp7FAlsw%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
X-Content-Type-Options: nosniff
Server: cloudflare
CF-RAY: 6af6955a3bb10fe4-ATL
alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400

So despite having my own redirect setup on the webserver and “Always use HTTPS” enabled in the SSL/TLS section of the control panel, I still get the answer to the above topic question in the Cloudflare diagnostics as “no_redirect_to_https”.

This is one of two or three errors I’m getting with the Cloudflare diagnostics that are in direct contradiction to other tests. I’ve pored over the Apache logs in detail, re-examined every configuration, and still cannot explain it. I suspect the Cloudflare diagnostics are not giving reliable results. Can anyone else confirm this from their own experiences?

Hello, I have asked myself the same question and carried out several tests. Apparently, when a redirection is made from HTTP to HTTPS, it counts as not secure, differentiating it from connections by TLS. Look at this:

[screenshot]

[screenshot]

My configuration is:

[screenshot]

Finally, I forced it on the server, and I still have connections that are, according to Cloudflare, not secure.

They recommend not forcing it from the server, as it slows things down; the ideal, according to Cloudflare, is to do it from the client to Cloudflare.

"While protecting your site with Cloudflare, it is not recommended to redirect to your origin web server:

Page Rule redirects are processed at the Cloudflare endpoint, leading to a faster response and reduced requests to your server.
Redirects from the source web server can cause redirect loop errors."

Look at this:

https://developers.cloudflare.com/ssl/edge-certificates/additional-options/always-use-https

https://support.cloudflare.com/hc/en-us/articles/200170476

I’ll keep exploring, thanks.

This is probably related to the previous error message in the Diagnostic Center. You are blocking some of the tests in a WAF rule, so Cloudflare cannot get a successful HTTPS request.

Redirecting from http to https is probably no good if you do not eventually end up getting a 200 status. In your case, Cloudflare are getting a 403 on the HTTPS request.

You will always have some level of ‘not-secure’ connections. If you are using “Always Use HTTPS” they will result in a 30X redirect, so it is not an issue, but the HTTP request will still be made and recorded. I have domains that have been HSTS preloaded for years, are only used as asset domains (so no user types in the URL in their browser) and I still get ~0.4% HTTP requests.

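Added example (written for this page; it is not the Cloudflare diagnostic's code and not from any poster in this thread): a small offline redirect-chain checker that applies the rule the reply above describes. It only passes when an http:// request answers with a 3xx whose Location is https:// and the https:// fetch then ends in a 2xx; a 403 from a WAF block, a redirect that stays on http://, and a loop of the kind the linked Cloudflare article warns about (the origin redirecting traffic that the edge already fetched over plain HTTP) each get their own verdict. All responses come from a constructed lookup table (the 301 is trimmed from the curl -I output earlier in the thread; the HTTPS outcomes are invented for illustration), so nothing touches the network. The verdict strings are my own labels; only "no_redirect_to_https" mirrors the diagnostic's wording, and how the real diagnostic decides is not stated on this page.

```python
"""Offline redirect-chain checker (added example, not Cloudflare's diagnostic
code). Rule: an http:// URL must answer with a 3xx pointing at https://, and
the https:// side must end in a 2xx for the redirect to count as working."""
from dataclasses import dataclass, field
from urllib.parse import urljoin, urlsplit


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)  # lower-cased header names


def parse_curl_headers(text: str) -> Response:
    """Turn the raw text of `curl -I` (status line plus headers) into a Response."""
    lines = [ln for ln in text.strip().splitlines() if ln.strip()]
    status = int(lines[0].split()[1])            # "HTTP/1.1 301 Moved Permanently"
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")     # split on the first colon only
        headers[name.strip().lower()] = value.strip()
    return Response(status, headers)


def check_https_redirect(start_url, fetch, max_hops=10):
    """Follow redirects from start_url using fetch(url) -> Response.

    Returns (verdict, urls_visited). Verdict strings are my own labels; only
    "no_redirect_to_https" echoes the diagnostic's message."""
    url, seen = start_url, []
    for _ in range(max_hops):
        if url in seen:                          # same URL twice: a loop
            return "redirect_loop", seen + [url]
        seen.append(url)
        resp = fetch(url)
        scheme = urlsplit(url).scheme
        if 300 <= resp.status < 400:
            location = resp.headers.get("location")
            if not location:
                return "redirect_without_location", seen
            nxt = urljoin(url, location)
            if scheme == "http" and urlsplit(nxt).scheme != "https":
                return "no_redirect_to_https", seen + [nxt]
            url = nxt
            continue
        if scheme == "http":
            # plain HTTP answered with a final status instead of redirecting
            return ("no_redirect_to_https" if resp.status < 300
                    else f"http_final_status_{resp.status}"), seen
        if 200 <= resp.status < 300:
            return "ok", seen
        return f"https_final_status_{resp.status}", seen   # e.g. 403 from a WAF
    return "too_many_redirects", seen


def make_fetch(table):
    """Build a fetch() that serves constructed responses instead of using the network."""
    def fetch(url):
        if url not in table:
            raise KeyError(f"no constructed response for {url}")
        return table[url]
    return fetch


# Constructed input: the poster's 301, trimmed from the curl -I output above.
CURL_OUTPUT = """HTTP/1.1 301 Moved Permanently
Cache-Control: max-age=3600
Location: https://thecarrock.com/
Server: cloudflare
"""
ORIGIN_301 = parse_curl_headers(CURL_OUTPUT)

# Constructed HTTPS outcomes (hypothetical, for illustration only).
HEALTHY = {"http://thecarrock.com": ORIGIN_301,
           "https://thecarrock.com/": Response(200, {"content-type": "text/html"})}
WAF_BLOCKED = {"http://thecarrock.com": ORIGIN_301,
               "https://thecarrock.com/": Response(403, {"server": "cloudflare"})}
NO_REDIRECT = {"http://thecarrock.com": Response(200, {"content-type": "text/html"})}
# Loop: the origin keeps answering 301 to https:// because it never sees TLS itself.
LOOP = {"http://thecarrock.com": Response(301, {"location": "https://thecarrock.com/"}),
        "https://thecarrock.com/": Response(301, {"location": "https://thecarrock.com/"})}


def run_all():
    """Evaluate every constructed scenario; returns {name: verdict}."""
    scenarios = {"healthy": HEALTHY, "waf_blocked": WAF_BLOCKED,
                 "no_redirect": NO_REDIRECT, "loop": LOOP}
    return {name: check_https_redirect("http://thecarrock.com", make_fetch(table))[0]
            for name, table in scenarios.items()}


if __name__ == "__main__":
    for name, verdict in run_all().items():
        print(f"{name:12s} -> {verdict}")
```

To use it against a live site, replace make_fetch() with a function that does a real HEAD request without following redirects (curl -I does exactly that) and feed each raw response through parse_curl_headers(); the verdict logic stays the same. The loop scenario is the one to keep in mind when redirecting at the origin behind Cloudflare: if the edge fetches from the origin over plain HTTP, an unconditional origin-side redirect to https:// will keep firing, which is why the article quoted above prefers the edge-side "Always Use HTTPS" setting.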

I’m not certain what a WAF rule is, but I’m assuming you’re referring to some kind of firewalling. I’m looking into this as a possibility. I’ve tried disabling all my Cloudflare firewall rules, disabling the IDS system on my own premise firewall, and disabled the webserver firewall and fail2ban daemons. Then I ran the diagnostics and received the same results. I’m fairly certain this is not a firewalling issue.

Do you have Super Bot Fight Mode enabled?
If you look at the Firewall Logs you might see the requests being logged, and the log will give the reason it was blocked.

That was a good idea. I hadn’t considered the Super Bot Mode. I tried turning it off and waited about 15 minutes before testing. I’m still getting the same errors.

All of the other tests I’m using are coming up with positive results. I had thought maybe there was something obvious I was missing or that this was a known issue with the diagnostics. Most everything in my firewalling and LAMP install are fairly standard configurations and shouldn’t need special considerations for a simple online diagnostic tool.

I appreciate all of your help, but I don’t think this is worth pursuing any further. Thanks!
