Forced HTTPS even when SSL disabled

I use Cloudflare as my domain NS and a blog hosted on DigitalOcean (1 click ghost) with SSL signed by Let’s Encrypt.

Over the course of many new droplets and configuration attempts I encountered the following problems:

CF universal SSL enabled and set at Full:

  • mydomain(dot)com reached error 526
  • ip address reached error 526

CF SSL set at Flexi:

  • mydomain(dot)com reached error 526
  • ip address encountered too many redirect

CF SSL disabled:

  • mydomain(dot)com forced to visit via https which was “not secure”
  • ip address works but internal links were defaulted to https

Any idea what’s going on? Thank you!

Check if your origin server is blocking/refusing traffic:
curl -svo /dev/null --resolve

Replace with your domain and 123 with your origin ip

It gave me this

[email protected]:~# curl -svo /dev/null --resolve MYDOMAIN:443: https://MYDOMAIN/
* Added MYDOMAIN:443: to DNS cache
* Hostname MYDOMAIN was found in DNS cache
*   Trying
* Connected to MYDOMAIN ( port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
} [5 bytes data]
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
} [209 bytes data]
* TLSv1.2 (IN), TLS handshake, Server hello (2):
{ [102 bytes data]
* TLSv1.2 (IN), TLS handshake, Certificate (11):
{ [2548 bytes data]
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
{ [365 bytes data]
* TLSv1.2 (IN), TLS handshake, Server finished (14):
{ [4 bytes data]
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
} [102 bytes data]
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
} [1 bytes data]
* TLSv1.2 (OUT), TLS handshake, Finished (20):
} [16 bytes data]
* TLSv1.2 (IN), TLS handshake, Finished (20):
{ [16 bytes data]
* SSL connection using TLSv1.2 / ECDHE-RSA-CHACHA20-POLY1305
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=MYDOMAIN
*  start date: Dec 28 02:54:21 2018 GMT
*  expire date: Mar 28 02:54:21 2019 GMT
*  subjectAltName: host "MYDOMAIN" matched cert's "MYDOMAIN"
*  issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X3
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
} [5 bytes data]
* Using Stream ID: 1 (easy handle 0x55fa7e1e7810)
} [5 bytes data]
> GET / HTTP/2
> User-Agent: curl/7.58.0
> Accept: */*
{ [5 bytes data]
* Connection state changed (MAX_CONCURRENT_STREAMS updated)!
} [5 bytes data]
< HTTP/2 200
< server: nginx/1.14.0 (Ubuntu)
< date: Fri, 28 Dec 2018 04:11:21 GMT
< content-type: text/html; charset=utf-8
< content-length: 21705
< x-powered-by: Express
< cache-control: public, max-age=0
< etag: W/"54c9-NErgES+1f7GMgt54hnIbqrKxchs"
< vary: Accept-Encoding
< strict-transport-security: max-age=63072000; includeSubDomains; preload
< x-frame-options: SAMEORIGIN
< x-content-type-options: nosniff
{ [7930 bytes data]
* Connection #0 to host MYDOMAIN left intact

CF SSL disabled.
Looks fine over console but when I try in browser it’s still error_redirect_too_many_times
Visiting via ip still works

Hi @zhuzihao, sorry you’re still having issues. I’m not able to recreate the redirect error nor the results of your curl. I’m getting a connection refused and am seeing a 522 in the browser. Can you verify you’re using the correct origin IP address, that Cloudflare IPs are whitelisted, and that your host is not blocking/rate limiting Cloudflare? If you are able to share the domain, other folks may be able to assist.

Sorry for the late reply.

I have removed the previous droplets, I believe that’s the reason for your connection refused.

I have now started a new host on

I have whitelisted Cloudflare IPs and the host is definitely not blocking/rate limiting Cloudflare.

Currently it’s still stuck in a redirect loop for domain visits, accessible only via IP.

SSL still signed by Let’s Encrypt, but I noticed Cloudflare just offered an origin certificate which I will try installing to see if it fixes the issue.

[UPDATE] Cloudflare origin certificate does not solve the problem

You need to set your SSL mode to “Full strict”.

Omg. That worked o.O

MANY THANKS though I really am quite lost as to why this is happening…

You had it set to Flexible (which on its own is a mistake :slight_smile: ), which made Cloudflare connect to your server via HTTP, but then you sent a redirect to HTTPS, which was forwarded to the browser, which (despite already being on HTTPS) complied and sent another HTTPS request, which was once more transformed, by Flexible, into plain HTTP and which took us back to square one.
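The loop described in that reply, and the earlier direct-to-origin curl check, can be reproduced in a small simulation. This is an added example written for this thread, not code from Cloudflare or from anyone in the discussion. It assumes a simplified model: an origin (like the Ghost/nginx droplet) that serves 200 over HTTPS and answers plain HTTP with a 301 to the HTTPS URL; an edge that, in Flexible mode, always talks plain HTTP to the origin and, in Full or Full (strict) mode, talks HTTPS; and, per Cloudflare's documentation, Full (strict) surfacing a certificate that fails validation as a 526. The names `Edge`, `Origin`, `browse` and `direct_origin_check` are invented for the example. It also goes one step beyond the thread by showing the usual origin-side mitigation: trusting `X-Forwarded-Proto` from the proxy so an already-HTTPS client request is not redirected again.

```python
# Added example (not from the thread): simulate a Cloudflare-style edge in
# front of an origin that redirects HTTP to HTTPS, reproducing the redirect
# loop under "Flexible" and showing why "Full"/"Full (strict)" and a direct
# --resolve-style check to the origin both return 200.
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Response:
    status: int
    location: Optional[str] = None


class RedirectLoop(Exception):
    """Raised when the simulated browser gives up (like ERR_TOO_MANY_REDIRECTS)."""


class Origin:
    """Hypothetical model of the origin droplet.

    - Serves 200 over HTTPS.
    - Answers plain HTTP with a 301 to the HTTPS URL (the nginx redirect).
    - If honour_forwarded_proto is True it trusts X-Forwarded-Proto from the
      proxy, so a client that is already on HTTPS is not redirected again.
    """

    def __init__(self, host: str, cert_valid: bool = True,
                 honour_forwarded_proto: bool = False) -> None:
        self.host = host
        self.cert_valid = cert_valid
        self.honour_forwarded_proto = honour_forwarded_proto

    def handle(self, scheme: str, path: str, headers: Dict[str, str]) -> Response:
        effective = scheme
        if self.honour_forwarded_proto and "X-Forwarded-Proto" in headers:
            effective = headers["X-Forwarded-Proto"]
        if effective == "http":
            return Response(301, f"https://{self.host}{path}")
        return Response(200)


class Edge:
    """Cloudflare-style reverse proxy; ssl_mode selects the scheme to the origin."""

    def __init__(self, ssl_mode: str) -> None:
        if ssl_mode not in ("flexible", "full", "full_strict"):
            raise ValueError(ssl_mode)
        self.ssl_mode = ssl_mode

    def fetch(self, origin: Origin, client_scheme: str, path: str) -> Response:
        # Flexible: browser<->edge may be HTTPS, but edge<->origin is plain HTTP.
        upstream_scheme = "http" if self.ssl_mode == "flexible" else "https"
        # Full (strict) validates the origin certificate; failure surfaces as 526.
        if self.ssl_mode == "full_strict" and not origin.cert_valid:
            return Response(526)
        headers = {"X-Forwarded-Proto": client_scheme}
        return origin.handle(upstream_scheme, path, headers)


def browse(edge: Edge, origin: Origin, url: str, max_hops: int = 10) -> List[int]:
    """Follow redirects like a browser and return the status codes seen."""
    statuses: List[int] = []
    for _ in range(max_hops):
        scheme, rest = url.split("://", 1)
        path = "/" + rest.split("/", 1)[1] if "/" in rest else "/"
        resp = edge.fetch(origin, scheme, path)
        statuses.append(resp.status)
        if resp.status in (301, 302) and resp.location:
            url = resp.location
            continue
        return statuses
    raise RedirectLoop(statuses)


def direct_origin_check(origin: Origin) -> int:
    """Equivalent of `curl --resolve host:443:IP https://host/`: bypass the edge."""
    return origin.handle("https", "/", {}).status


if __name__ == "__main__":
    origin = Origin("mydomain.example")  # constructed hostname
    print("direct to origin:", direct_origin_check(origin))
    print("Full (strict):", browse(Edge("full_strict"), origin, "https://mydomain.example/"))
    try:
        browse(Edge("flexible"), origin, "https://mydomain.example/")
    except RedirectLoop as loop:
        print("Flexible: redirect loop, statuses seen:", loop.args[0])
```

The direct check mirrors what the curl output in the thread showed: the origin itself is healthy and returns 200 over HTTPS. The loop only appears once the edge downgrades the upstream hop to HTTP, so switching the mode to Full (strict) fixes it without touching the origin, while the `honour_forwarded_proto` variant shows the origin-side alternative for setups that must stay on Flexible.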


Ah I see what’s happening. Somehow I’ve missed out on the Full Strict mode while trying every mode out there…

