I was somehow able to access http:// when I set a page rule to force https:// on every part of the domain

ssl
pagerules

#1

So, I went to my website at 3:28 PM and I was somehow able to access http:// when I set a Cloudflare page rule to force https:// on every part of the domain (even sub-domains)…

I verified that this happened by going to cPanel -> Visitors and sure enough there was a log saying my ip accessed the site using http:// and not https:// (screenshot below)

(the second listing that says “faded.pw” is only shown when http:// is accessed by an ip, it usually only shows “faded.pw (SSL)” because my Cloudflare page rule redirects all traffic to https://)

Here’s the page rule I set:

I’m wondering how this happened as I set a page rule to force https:// and do I have to worry about security now?


#2

Which page was that? I see the redirect on my end on the home page…

You can remove the http:// in front of the rule, it’s not necessary even if it doesn’t actually cause harm…


#3

it was the home page (https://faded.pw)


#4

Then it’s fine on my end. Can you repeat the problem?


#5

Hosts file, origin host cached in DNS or Cloudflare paused would be the mostly likely causes.


#6

Thanks for your post


#7

Thank you so much for this. I was into this issue and tired to tinker around to check if its possible but couldnt get it done. Now that i have seen the way you did it, thanks guys
with
regards


#8

There are two related but separate connections you can force over HTTPS.

User to Cloudflare
Cloudflare to Origin

Your page rule sets the first, so users are forced to talk to Cloudflare over HTTPS.

But you probably have SSL Mode set to ‘Flexible’. Set this to ‘Strict’ on the Crypto tab (impacts all your Orange clouded DNS entries) or set a page rule to be a bit more granular. This will force Cloudflare to make all requests to your backend over HTTPS.

There is also a setting on the Crypto tab for ‘ Always use HTTPS’ that will force HTTPS for all Orange cloud hostname also, without a page rule.


#9

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.