Forced HTTPS even when SSL disabled

I use Cloudflare as my domain NS and a blog hosted on DigitalOcean (1 click ghost) with SSL signed by Let’s Encrypt.

Over the course of many new droplets and configuration attempts I encountered the following problems:

CF universal SSL enabled and set at Full:

  • mydomain(dot)com reached error 526
  • ip address reached error 526

CF SSL set at Flexi:

  • mydomain(dot)com reached error 526
  • ip address encountered too many redirects

CF SSL disabled:

  • mydomain(dot)com forced to visit via https which was “not secure”
  • ip address works but internal links were defaulted to https

Any idea what’s going on? Thank you!

Check if your origin server is blocking/refusing traffic:
curl -svo /dev/null --resolve example.com:443:123.123.123.123 https://example.com/

Replace example.com with your domain and 123 with your origin IP.

It gave me this:

[email protected]:~# curl -svo /dev/null --resolve MYDOMAIN:443:123.123.123.123 https://MYDOMAIN/
* Added MYDOMAIN:443:123.123.123.123 to DNS cache
* Hostname MYDOMAIN was found in DNS cache
*   Trying 123.123.123.123...
* TCP_NODELAY set
* Connected to MYDOMAIN (123.123.123.123) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
} [5 bytes data]
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
} [209 bytes data]
* TLSv1.2 (IN), TLS handshake, Server hello (2):
{ [102 bytes data]
* TLSv1.2 (IN), TLS handshake, Certificate (11):
{ [2548 bytes data]
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
{ [365 bytes data]
* TLSv1.2 (IN), TLS handshake, Server finished (14):
{ [4 bytes data]
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
} [102 bytes data]
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
} [1 bytes data]
* TLSv1.2 (OUT), TLS handshake, Finished (20):
} [16 bytes data]
* TLSv1.2 (IN), TLS handshake, Finished (20):
{ [16 bytes data]
* SSL connection using TLSv1.2 / ECDHE-RSA-CHACHA20-POLY1305
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=MYDOMAIN
*  start date: Dec 28 02:54:21 2018 GMT
*  expire date: Mar 28 02:54:21 2019 GMT
*  subjectAltName: host "MYDOMAIN" matched cert's "MYDOMAIN"
*  issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X3
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
} [5 bytes data]
* Using Stream ID: 1 (easy handle 0x55fa7e1e7810)
} [5 bytes data]
> GET / HTTP/2
> Host: MYDOMAIN
> User-Agent: curl/7.58.0
> Accept: */*
>
{ [5 bytes data]
* Connection state changed (MAX_CONCURRENT_STREAMS updated)!
} [5 bytes data]
< HTTP/2 200
< server: nginx/1.14.0 (Ubuntu)
< date: Fri, 28 Dec 2018 04:11:21 GMT
< content-type: text/html; charset=utf-8
< content-length: 21705
< x-powered-by: Express
< cache-control: public, max-age=0
< etag: W/"54c9-NErgES+1f7GMgt54hnIbqrKxchs"
< vary: Accept-Encoding
< strict-transport-security: max-age=63072000; includeSubDomains; preload
< x-frame-options: SAMEORIGIN
< x-content-type-options: nosniff
<
{ [7930 bytes data]
* Connection #0 to host MYDOMAIN left intact

CF SSL disabled.
Looks fine in the console, but when I try mydomain.com in the browser it's still error_redirect_too_many_times.
Visiting via IP still works.

Hi @zhuzihao, sorry you’re still having issues. I’m not able to recreate the redirect error nor the results of your curl. I’m getting a connection refused and am seeing a 522 in the browser. Can you verify you’re using the correct origin IP address, that Cloudflare IPs are whitelisted, and that your host is not blocking/rate limiting Cloudflare? If you are able to share the domain, other folks may be able to assist.


Sorry for the late reply.

I have removed the previous droplets; I believe that’s the reason for the connection refused you saw.

I have now started a new host on 159.65.140.24

I have whitelisted Cloudflare IPs and the host is definitely not blocking/rate limiting Cloudflare.

Currently it’s still stuck in a redirect loop when visiting the domain zhuzihao.me; it’s accessible only via IP.

SSL is still signed by Let’s Encrypt, but I noticed Cloudflare just offered an origin certificate, which I will try installing to see if it fixes the issue.

[UPDATE] Cloudflare origin certificate does not solve the problem

You need to set your SSL mode to “Full strict”.

Omg. That worked o.O

MANY THANKS, though I really am quite lost as to why this is happening…

You had it set to Flexible (which on its own is a mistake :slight_smile: ) which made Cloudflare connect to your server via HTTP, but then you sent a redirect to HTTPS, which was forwarded to the browser, which (despite already being on HTTPS) complied and sent another HTTPS request, which was once more transformed - by Flexible - into plain HTTP and which took us back to square one.

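The loop described in the reply above, as an added model (not code from the thread, Cloudflare, Ghost or nginx): the origin forces HTTPS, Flexible mode always talks to the origin over plain HTTP, and a browser that follows the resulting redirects never terminates; Full and Full (strict) are modelled in simplified form, with the 526 that strict mode returns for an untrusted origin certificate.

```python
# Added, simplified model of Cloudflare SSL modes in front of an origin that forces HTTPS.
from dataclasses import dataclass
from typing import Optional, Tuple, Union

@dataclass
class Response:
    status: int                     # HTTP status, or a Cloudflare error code such as 526
    location: Optional[str] = None  # redirect target, if any

def origin(scheme: str, host: str, path: str) -> Response:
    """Origin (nginx in front of Ghost): every plain-HTTP request is redirected to HTTPS."""
    if scheme == "http":
        return Response(301, f"https://{host}{path}")
    return Response(200)

def edge(mode: str, scheme: str, host: str, path: str, cert_trusted: bool) -> Response:
    """How each SSL mode connects to the origin (simplified; assumption, not Cloudflare's code)."""
    if mode == "flexible":
        upstream = "http"            # Flexible: always plain HTTP to the origin
    elif mode == "full":
        upstream = scheme            # Full: same scheme as the visitor, certificate not validated
    elif mode == "strict":
        if scheme == "https" and not cert_trusted:
            return Response(526)     # Full (strict): untrusted origin certificate is rejected
        upstream = scheme
    else:
        raise ValueError(f"unknown mode {mode!r}")
    return origin(upstream, host, path)

def browse(mode: str, url: str, cert_trusted: bool = True,
           max_redirects: int = 5) -> Tuple[Union[int, str], int]:
    """Follow redirects like a browser; return (final result, redirects followed)."""
    redirects = 0
    while True:
        scheme, _, rest = url.partition("://")
        host, _, path = rest.partition("/")
        resp = edge(mode, scheme, host, "/" + path, cert_trusted)
        if resp.status in (301, 302, 307, 308) and resp.location:
            redirects += 1
            if redirects > max_redirects:
                return "ERR_TOO_MANY_REDIRECTS", redirects   # the browser gives up
            url = resp.location
            continue
        return resp.status, redirects

if __name__ == "__main__":
    for mode in ("flexible", "full", "strict"):
        print(f"{mode:9s} -> {browse(mode, 'https://example.com/')}")
```

Running it shows the Flexible loop next to the working Full and strict modes; flip `cert_trusted` to `False` to see strict mode answer 526 instead of looping.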

Ah I see what’s happening. Somehow I’ve missed out on the Full Strict mode while trying every mode out there…
