HSTS & PageRule Problem

M4rt1n · November 5, 2020, 5:52am

It always is optimal and recommended by Google to have as few redirects as possible.

So if my page is hosted on:

https://www.domain.de

I want to redirect all other options ( http & www || http & !(www) || https & !(www) ) to HTTPS & www with just one single redirect.

It normaly just takes one single redirect for ALL options, but the one with HTTP & !(www) as it would go like this:

http:// domain.de => https:// domain.de => https://www domain.de as it first have to resolve the SSL cert before hitting the application.
Also these redirects then are done on Serverlevel, not at CloudFlare.

Thats the reason why I implemented this PageRule:

http://domain.de/* => 301 => https://www.domain.de/$

This works fine, but as soon as you activate HSTS it will not redirect from http://domain.de to https://www.domain.de in one step, but again in two steps, as HSTS kicks in earlier and first redirects to HTTPS.

This is not optimal.

What I would like to have:

Redirecting ALL other options to the target within just one single redirect and this should be done on CloudFlare, as it will redirect faster the earlier it is done, and if done at CloudFlare its definitely faster compared to the case it would have to hit my server.

What exactly is the problem?
Just on one domain (HTTPS & www) this problem exists as this is the only possible (normal) usecase where we would have 2 redirects:

HTTP => HTTPS
!(www) => www

How to solve this problem?
Would be easy if CloudFlare would allow logical operators in their rewrite rules like:

AND, OR, NOT, NOR

So we could dynamically define one Rule for redirects which applies to ALL usecases, or if CloudFlare would provide one special additional redirect rule for the maindomain combined with www as this very often is the usecase to have a FQDN and not just a QDN, which in some cases makes sense.

Maybe there is even a way to modify the HSTS config so it (on the maindomain http://domain.de) is not redirecting to https://domain.de but to https://www.domain.de directly.

But 2 redirects for this is not optimal.

Hope we can finde a solution that works with HSTS and just needs one rewrite to go from:
http://domain.de => https://www.domain.de

floripare · November 4, 2020, 2:46pm

As far as I understand how HSTS works, once you visit your site for the first time with any given browser after enabling HSTS, that browser will make an internal redirect in all subsequent HTTP requests. Being an internal redirect, it’s done before the request ever reaches either Cloudflare or your origin server. Also, it should be ultra fast, so you shouldn’t be worried about performance impact.

M4rt1n · November 4, 2020, 2:56pm

True. Just doublechecked it, its done internally.
Anyway logic operators would be awesome.

As how it is right now, then the redirect from:

https://domain.de => https://www.domain.de is getting done by my origin server. Would be nice if PageRules like this would be possible:

http(s)://(www.)domain.de => 301 => https://www.domain.de as this would redirect ALL traffic to the choosen domain (without looping ofc!) but atm I would have to use ALL 3 PageRules to solve just this problem

cscharff · November 4, 2020, 2:55pm

Which has nothing to do with Cloudflare. HSTS isn’t a Cloudflare thing it’s a browser thing and no rule set in Cloudflare is going to effect that.

cscharff · November 4, 2020, 2:58pm

If the root domain is behind Cloudflare then Cloudflare is doing the redirect based on the page rule you described. If the root isn’t behind Cloudflare then the page rule has no effect because Cloudflare isn’t proxying the traffic.

More complex / conditional redirect logic can be done using workers. Some great examples of that @ developers.cloudflare.com

cscharff · November 4, 2020, 3:00pm

It’s one page rule. *domain.de/* -> https://www.domain.de/$1

M4rt1n · November 4, 2020, 3:02pm

My domain is proxied by CF, its just that I think its a normal usecase that people want their traffic redirected to the choosen domain.

There is a “Always on HTTPS” option. Would be cool if there would be an option that could match:

//domain.de => //www.domain.de

Would be $2 but anyway this will redirect ALL subdomains aswell, I have tried it, its does not match the usecase.
The rule should JUST apply if it it the domain itself. so regex would be https?://domain.de

cscharff · November 4, 2020, 3:02pm

Or I guess that might be overly agressive. Turn on Always Use Https and then 1 page rule domain.de/* -> www.domain.de/$1

M4rt1n · November 4, 2020, 3:03pm

But this would again result in 2 Redirects

cscharff · November 4, 2020, 3:07pm

Ok then don’t turn on Always use HTTPS. The rule still works as written for both http and https requests to the root.

er… domain.de/* -> https://www.domain.de/$1 which I think is in the examples here: Redirect example.com to www.example.com

system · November 13, 2020, 2:42pm

This topic was automatically closed 5 days after the last reply. New replies are no longer allowed.