Htaccess redirect http to https but NOT for CloudFlare

I have same apache server responding both to Cloudflare requests, but also to some sites that are NOT going trough Cloudflare.

My understanding is that Cloudflare always makes requests to my server IP address over http and redirecting ALL requests to https at htaccess level is what is causing a redirect loop.

I am trying to test in htaccess if the request is from Cloudflare and NOT direct http to https in that case.
I tried this:

RewriteCond %{HTTPS} off
RewriteCond %{ENV:HTTP_CDN_LOOP} !cloudflare
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [NE,R=301,L]

But it still creates an infinite loop, maybe the variable %{ENV:HTTP_CDN_LOOP} is wrong ? Any other way to do this ?

Later edit: correct htaccess variable format seems to be %{HTTP:CDN-LOOP}

Whether Cloudflare uses HTTP or HTTPS for Origin fetch is determined by the “SSL Mode” you have set in the Cloudflare Dashboard. If your Origin has a valid certificate for the host names, then set the mode to “Full (Strict)” and Cloudflare will only talk to your origin using HTTPS. The Rewrite rule is redundant if you do this, and it is the recommended way to have Cloudflare talk to your Origin.


But I think https is slower than http (no ?!) and the data transmitted is not sensitive, mostly static content.

I think somebody made a website about that.

1 Like

Still… I don’t want to deal with issuing SSL certs on multiple servers. (just one of the many reasons).
Anyone knows if it can be done by htaccess as in my initial post ? :confused:

This one seems to work %{HTTP:CDN-LOOP}

RewriteCond %{HTTPS} off
RewriteCond %{HTTP:CDN-LOOP} !cloudflare
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [NE,R=301,L]

Then my Cloudflare sites had http in browser address, I had to enable “always use https” in Cloudflare panel, which confuses me a bit, I thought Cloudflare sites always had https by default in browser.

If someone thinks I messed things up, let me know please :slight_smile: I am trying for hours and things got really confusing :scream:

You have, but you seem adamant not to follow best practices it doesn’t seem like it matters.

1 Like

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.