Newbie - HTTPS external to HTTP internal

What is the name of the domain?

weird you need this for a community question

What is the error number?

N/A

What is the issue you’re encountering

I have a B2B app I am writing and want their inbound calls from their app to be HTTPS and internally be HTTP on my LAN

What steps have you taken to resolve the issue?

I thought this happened by default, but it isn’t.
I have set up a Network tunnel (Account | Zero Trust | Networks | Tunnels) and set up a connector.
I thought that was all I needed to do.
The local app is listening for http traffic on a port. The cloudflared service works fine
BUT the external calls to the set up domain are still http.
I am sure I am missing something simple. Help please

See

1 Like

Thank you Paul. It is definitely a case of knowing too little…

The case describes my situation perfectly and the answer seems very clear:
Laudian “If you want Cloudflare to redirect to https, you need to enable automatic https redirects (or create a Redirect Rule).”

I just can’t find out how to do “enable https redirects” - literally can’t find the option, even though I found a page about it. When I read the page about enable redirects it wrote like http would convert into https and so it would still be a https coming into my local server.

So then onto “or create a Redirect Rule” - and there are lots of options and again I can’t see where to actually access this.

I’m sorry for being so dense, but can you direct me to the option from the top level… log into account… for either or both that will get me there.
Thanks again for your patience.
Jason

If your domain is registered with Cloudflare you can set this under SSL in the control panel. If it is with someone else then are you using a CNAME record? Then it is a web site setting to force the redirect.

It is a cloudflare registered domain.
So it must just be me that finds the UI confusing as you don’t get a breadcrumb trail to where you are… I can’t see “control panel” from Account or Domain. I did find Rules | Templates though under the domain.

There is one template: Redirect from HTTP to HTTPS
which is going in the wrong direction as I need it to convert https → http.

Again, thank you for your patience and excuse my ignorance.
Jason.

Sorry Jason, I confused you, thought you wanted to go from HTTP to HTTPS. If you want your local application to run HTTP then this is set in the tunnel config.yml file which you should find in your Cloudflare directory. You can specify the protocol for the URL locally:

url: http://localhost:8080

OK, I haven’t dealt with any config files, I’ve been doing it all through
Cloudflare Account | Zero Trust | Networks | Tunnels | Your Tunnels where I followed the instructions and created a tunnel:
Subdomain: something
Domain: The Cloudflare registered domain
Path: empty
Service:
Type: HTTP
URL: Localhost:myPort

I had changed this to Type: HTTPS, but of course that broke as my local system (server app) is only capable of HTTP.
It appears changes made to this section on the portal are pushed to the client.

So if a https request comes into Cloudflare https://subdomain.domain.co.uk/myPage
should it be automatically converted to http as it transits cloudflare to LAN process with no further action? I want to basically only allow external access to the end point using https.
TIA Jason.

Hi Paul,

I checked on the machine that is being cloudflared and it only has the cloudflared.exe and it is being run as a service “C:\Program Files cloudflared.exe” tunnel run --token …

I need to check again as my settings weren’t very hygienic and I was testing basic GETs which I guess CF were caching. I might search Youtube to see if anyone has done a walkthrough. I don’t know if Cloudflare has had a UI refresh since some of the docs were written, but it certainly isn’t clear (well, to me).

So if you or anyone can do me a step by step (where to go in the web portal), that would be great.
Jason

Hello Jason,
I use the CLI method which is different but also have a problem. Working on this at the moment and I agree CF docs are confusing. If I get a chance I’ll try via the dashboard and let you know.

Thank you for your time on this Paul. I’m a developer and I realise I am probably using a sledgehammer to crack a nut in terms of the breadth of the cloudflare offering and so it is like learning french to order a coffee at a french cafe :-).

It must be a fairly common use case… I want one https’d public facing access that is secure till it gets on my LAN and then I am happy it is http.

Regards,
Jason

You should really fix this in your app, not on Cloudflare. Somewhere in your app, you are making an HTTP request.

An HTTPS redirect does not make the connection more secure, because that first request is a vector that an attacker can use for man in the middle attacks.

Apart from that, you can find more information on the redirect here: Always Use HTTPS | Cloudflare SSL/TLS docs

1 Like

Hi @Laudian

So the “client app” is a 3rd party and they should / will be making HTTPS requests
HTTPS → Cloudflare → tunnel (or whatever the correct term is) → Cloudflared → LAN HTTP to my app listening on that port.
I was hoping that HTTP traffic would be blocked i.e. HTTP → Cloudflare.

I need to do some more testing and read your reference. The reason I am using CF is so that I don’t have to punch a hole inbound in my firewall and have to deal with HTTPS / certificates etc.

Does all that make sense. Thanks for your time.
Jason

Thanks for the link - I have read this one before and from reading it implies:
HTTP → HTTPS → so then it is delivering HTTPS traffic to my app, which my app can’t currently deal with.

Have I got that right?

No. This option will cause Cloudflare to respond with an HTTPS redirect when someone makes an HTTP request to Cloudflare. It does not affect how traffic arrives at your server.

1 Like

:slight_smile: I thought that was what I was saying - nearly.

So do you know how to get the effect I need:
HTTP → this can be blocked OR HTTPS redirect, I don’t really care.
HTTPS → Cloudflare’s kit → Cloudflared app on LAN → HTTP to the designated port (on the same machine as the cloudflared).
Is that possible / easy?

Regards,
jason

I thought you already had that all running? Or do you need any assistance to get the tunnel running? It is fairly easy and works exactly as you described. All that is left to do is to activate Always use HTTPS, or create an HTTPS Redirect or a WAF Rule that blocks HTTP traffic.

Enabling Always use HTTPS would be the easiest.

2 Likes
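
A way to confirm the behaviour described in the answer above (added example, not part of any post in this thread): it classifies how the edge answers a plain-HTTP request, so a 2xx served in cleartext stands out from a redirect to HTTPS or a refusal. The hostname `subdomain.example.test`, the function names and the sample responses are constructed for illustration.

```python
"""Classify how the edge answers a plain-HTTP request for a tunnelled hostname."""
import http.client
import sys
from urllib.parse import urlsplit


def classify(status, location, host):
    """Map an HTTP status and Location header to one of five outcomes."""
    if 300 <= status < 400:
        target = urlsplit(location or "")
        same_host = (target.hostname or "").lower() == host.lower()
        # Only a redirect to https:// on the same hostname counts as the
        # "Always Use HTTPS" / redirect-rule behaviour.
        if target.scheme == "https" and same_host:
            return "redirect-to-https"
        return "redirect-elsewhere"
    if 200 <= status < 300:
        return "served-over-http"  # cleartext request was answered: the gap
    if status >= 400:
        return "refused"  # e.g. a rule that blocks HTTP traffic
    return "unexpected"


def probe(host, path="/", timeout=10):
    """Send one HEAD over port 80 (redirects are not followed) and classify it."""
    conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    try:
        conn.request("HEAD", path)
        resp = conn.getresponse()
        return classify(resp.status, resp.getheader("Location"), host)
    finally:
        conn.close()


# Constructed sample responses (status, Location) for the hypothetical host.
HOST = "subdomain.example.test"
SAMPLES = [
    (301, "https://subdomain.example.test/myPage"),
    (200, None),
    (403, None),
    (302, "http://subdomain.example.test/login"),
]

if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(sys.argv[1], probe(sys.argv[1]))
    else:
        for status, location in SAMPLES:
            print(status, location, classify(status, location, HOST))
```

Run with a hostname as the only argument to probe it over port 80; run with no argument to classify the constructed samples offline.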

So now I revisit this I have it all working, i.e. Always Use HTTPS. Thank you both for your patience. Regards JAC
… till the next question…

2 Likes
