I tried google and I found zero information for this problem with cloudflare

I have a website with Cloudflare that I needed to force “HTTP”

Recently chrome keep redirecting my website to HTTPS. TLD : net, buzz

And if I try to put https to http redirect code in my page it cause infinite redirect loop.

I tested it on static txt file, basic htaccess, basic nginx/httpd settings to rule out any redirection issue from my server settings.

My website is not on the HSTS preload list, I have tried to disable cache/security, automatic https redirect and everything that could possibly cause the issue on my Cloudflare page rules.

Tried development mode.

I have check my server log and I found nothing useful.

I have flexible SSL option in Cloudflare and I do not have any setting for HTTPS on my server.

The only thing I found about this issue is

Request URL: hxxp://xxxcom/z.txt
Request Method: GET
Status Code: 307 Internal Redirect (from disk cache)
Referrer Policy: strict-origin-when-cross-origin
Cross-Origin-Resource-Policy: Cross-Origin
Location: hxxps://xxxcom/z.txt
Non-Authoritative-Reason: DNS

I don’t quiet understand the above headers, does that mean chrome target all website with Cloudflare dns to be possible to load with HTTPS only?

Or is there anything I can do to fix this?

I have tried to change dns for my internet, I have also tried to use domain without Cloudflare, and this problem does not exist if my domain is not on Cloudflare.

Thanks

May I ask have you tried using a different Web browser, or tried clearing your Web browser cache?

Today’s standards are quite good and secure. Unfortunately, there are some services which might require using insecure setup and a HTTP.

That’s also available for other Web browsers too nowadays, especially if you are using an option like “HTTPS-only”, from what it means you cannot open any HTTP website, only HTTPS.

They might do default HTTP to HTTPS redirection, or throw some warning, if so.

More about it can be read at the articles from below:

So you don’t haven an SSL certificate at your origin host, neither configured virtualhost file for any HTTP to HTTPS redirection?

Useful posts I’ve found and sharing here for some better insight and overview:

Make sure the SSL/TLS option is set to Off rather than any other.

Furthermore, make sure you’re not using Automatic HTTPS Rewrites, nor Always Use HTTPS, nor any other HTTPS related option as like HSTS preload and similar available at Cloudflare dashboard.

Helpful article:

What about “Always Use HTTPS” in Edge Certificates? Is that on? If that’s on, proxied traffic will always redirect to HTTPS. As far as I can tell, it can’t be turned off via page rule, although if it’s turned off for the whole domain, it can be selectively turned back on via page rule.

Also have you tested using curl instead of a browser? Do curl -I http://example.com/ to see the response & if it’s a redirect or not; if it is a redirect the headers will also give you hints about whether it was initiated by Cloudflare or your origin server. Curl also doesn’t honor HSTS or any other kind of automatic HTTPS switching (but it will follow redirects if you use the -L option)

1 Like

It only happen for chrome browser, I have tried other major browsers they do not have this problem, this is why I suspect google targeted Cloudflare dns to make all the domain in Cloudflare only accessible via HTTPS, base on the header.

I don’t have SSL certificate at my origin host, and no configuration of HTTPS for my virtualhost files for several years now.

I mentioned I turned off everything in Cloudflare that could potentially cause the problem. I even create a page rule to point to that specific txt file to turn off everything, still the same.

My Chrome is using secure connection set to off (default).

This is one of the example I found hxxpwww.elitescorthatunDOTcom/ad-category/antalya-escort/ , it is not my website but you can check if you want.

Always Use HTTPS is the first setting I look and its already turned off when I first checked.

Curl looks normal, the problem definitely only happen on chrome, and sites hosted with Cloudflare.

curl -I hxxp://d.txt
HTTP/1.1 200 OK
Date: Thu, 04 Aug 2022 16:49:16 GMT
Content-Type: text/plain
Connection: keep-alive
X-Accel-Version: 0.01
Last-Modified: Thu, 04 Aug 2022 16:30:05 GMT
ETag: W/“7777b0-5e56cdcafe907-gzip”
Vary: Accept-Encoding,User-Agent
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
CF-Cache-Status: DYNAMIC
Report-To: {“endpoints”:[{“url”:“https://rt/v3?s=xxxxx”}],“group”:“cf-nel”,“max_age”:604800}
NEL: {“success_fraction”:0,“report_to”:“cf-nel”,“max_age”:604800}
Server: Cloudflare
CF-RAY: 111111111111111-AMS
alt-svc: h3=“:443”; ma=86400, h3-29=“:443”; ma=86400

Chrome has gotten really aggressive about HTTPS upgrades and seems to try to upgrade as long as port 443 is open, even in circumstances when there’s not a valid SSL cert (kinda frustrating)

With proxied traffic, even if port 443 is closed on your server, port 443 is always going to be open on Cloudflare’s proxy so not much you can do about that

That alt-svc: h3=“:443”; ma=86400, h3-29=“:443”; ma=86400 header might warrant further investigation

I wonder if stripping that out with a Transform Rule would change anything HTTP Response Header Modification Rules · Cloudflare Rules docs

Also just to be absolutely certain you did search your domain on https://hstspreload.org/ to make sure you’re not on the list, right? Even if you never submitted, if you had the necessary Strict-Transport-Security header set at some point, someone could have submitted the domain without your knowledge.

The 307 redirect is coming from your browser cache.