Page Rule for 302 redirect still active after removal?

wordpress

#1

Hi, I just moved my WordPress site mydomain.com from Incapsula over to Cloudflare, enabled Flexible SSL, and installed the Cloudflare WordPress plugin. The front end of the site works fine with Always Use HTTPS enabled.

But the wp-login.php URL is going into a redirect loop with a 302 status when accessing the HTTPS version of the site.

Here's the non-HTTPS curl header:

curl -I http://mydomain.com/wp-login.php 
HTTP/1.1 301 Moved Permanently 
Date: Tue, 24 Oct 2017 08:04:26 GMT 
Connection: keep-alive 
Cache-Control: max-age=3600 
Expires: Tue, 24 Oct 2017 09:04:26 GMT 
Location: https://mydomain.com/wp-login.php 
Server: cloudflare-nginx 
CF-RAY: 3b2b6ce0c3b68454-ATL

It redirects with a 301 properly to the HTTPS version.

But the curl header for the HTTPS version is doing a 302 temp redirect to HTTPS, thus causing a redirect loop:

curl -I https://mydomain.com/wp-login.php 
HTTP/1.1 302 Found 
Date: Tue, 24 Oct 2017 08:04:28 GMT 
Content-Type: text/html; charset=UTF-8 
Connection: keep-alive 
Set-Cookie: __cfduid=db3468d3a4385f519e54425195181fa001508832268; expires=Wed, 24-Oct-18 08:04:28 GMT; path=/; domain=.mydomain.com; HttpOnly; Secure 
Location: https://mydomain.com/wp-login.php 
X-Powered-By: centminmod 
Server: cloudflare-nginx 
CF-RAY: 3b2b6cef994c5e8e-TPA

I do not have any 302 redirects in my nginx vhost. I checked via a recursive grep of the nginx conf directories:

grep -rn 302 /usr/local/nginx/conf/

But prior to setting Always Use HTTPS, I did temporarily try a page rule with a forward 302 redirect to the HTTPS version:

*.mydomain.com/*

set to

forward 302 to https://mydomain.com/$2/

But I removed that rule, cleared the cache and even tried development mode, and still the HTTPS version of wp-login.php at https://mydomain.com/wp-login.php is giving a 302 temp redirect (HTTP/1.1 302 Found) via curl header checks, which aren't subject to browser-level caching.

  • Is the old page rule forward with 302 still stuck?
  • I have opened a Cloudflare support ticket but am not getting anywhere so far.
  • Was wondering if anyone else has experienced this, where a page rule is stuck even after removal, or a similar issue with wp-login.php doing a 302 redirect?

#2

I believe Flexible SSL is causing this. Something in your site is demanding SSL, but Cloudflare is using HTTP. Do you have this in your wp-config file?
define('FORCE_SSL_ADMIN', true);

The best solution would be to configure SSL on your server and use Full or Strict.


#3

The original WordPress site is non-HTTPS only, so there isn't any FORCE_SSL_ADMIN set in wp-config.php, and I'm pretty sure the 302 temp redirect is coming from the page rule at the Cloudflare level, as there are no 302 redirects in the original nginx backend server.

But yeah, I probably need to set up the origin with HTTPS and just use Cloudflare Full SSL instead of Flexible to see if that helps.


#4

@sdayman cheers

Seems setting up HTTPS on the origin backend and switching from Flexible SSL to Full SSL fixed it!

curl -I https://mydomain.com/wp-login.php
HTTP/1.1 200 OK
Date: Wed, 25 Oct 2017 13:58:39 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Set-Cookie: __cfduid=dfdff9e23b62fc4720f42be604178da301508939918; expires=Thu, 25-Oct-18 13:58:38 GMT; path=/; domain=.mydomain.com; HttpOnly; Secure
Vary: Accept-Encoding
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Set-Cookie: wordpress_test_cookie=WP+Cookie+check; path=/; secure
X-Frame-Options: SAMEORIGIN
X-Powered-By: centminmod
Server: cloudflare-nginx
CF-RAY: 3b35b11dad0791d6-EWR
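
The loop diagnosed in reply #2 and resolved in #4, modeled as an added example that is not part of the original thread. The `origin` function is a hypothetical backend that redirects any request arriving over plain HTTP (an assumption, not the poster's actual nginx or WordPress configuration); `edge` and `follow` are likewise illustrative names.

```python
# Added illustration: toy model of Flexible vs Full SSL in front of an origin
# that insists on HTTPS. The origin's behaviour is an assumption for the demo.
from urllib.parse import urlsplit

def origin(scheme, path):
    """Hypothetical origin: redirects any request that arrived over plain HTTP."""
    if scheme != "https":
        return 302, f"https://mydomain.com{path}"
    return 200, None

def edge(url, ssl_mode):
    """Edge terminates the visitor's TLS, then picks the scheme for the origin hop."""
    parts = urlsplit(url)
    if parts.scheme == "http":
        # Always Use HTTPS is answered at the edge and never reaches the origin.
        return 301, f"https://{parts.netloc}{parts.path}"
    # Flexible: edge-to-origin hop is plain HTTP. Full: that hop is HTTPS too.
    origin_scheme = "http" if ssl_mode == "flexible" else "https"
    return origin(origin_scheme, parts.path)

def follow(url, ssl_mode, max_hops=10):
    """Follow redirects as `curl -L` would; return (verdict, list of hops)."""
    hops, seen = [], set()
    for _ in range(max_hops):
        status, location = edge(url, ssl_mode)
        hops.append((status, url, location))
        if location is None:
            return "ok", hops
        if location == url or location in seen:
            # Redirect points back at a URL already requested: a loop.
            return "loop", hops
        seen.add(url)
        url = location
    return "too many hops", hops

if __name__ == "__main__":
    for mode in ("flexible", "full"):
        verdict, hops = follow("http://mydomain.com/wp-login.php", mode)
        print(mode, verdict)
        for status, requested, location in hops:
            print(f"  {status} {requested} -> {location}")
```

Under `flexible` the second hop is a 302 whose Location equals the URL just requested, matching the curl output in post #1; under `full` the same request ends in a 200, matching post #4.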