Please document that SSL=Flexible creates infinite 301-loops

#1

If you have an nginx server that properly redirects to https, you cannot have SSL=Flexible when you select Cloudflare as http-proxy. You will get an infinite 301 redirect request. You even get it if your request is https!

How hard can this be to solve from Cloudflare, just ignore the redirect from the origin server?

0 Likes

#2

Flexible is a bad choice per se. Generally it should never be selected.

Because the eventual request to your server is not on HTTPS.

How could it ignore the redirect? If it gets a redirect there is nothing else it can do.

Basic solution, never use Flexible. :slight_smile:

2 Likes

#3

I agree, and why doesn’t Cloudflare say when I enable http-proxy something like “You have SSL=flexible and most likely your site is going to break if you select this!”

0 Likes

#4

There you go, well documented.

Get a certificate for your origin and use Full (strict). Flexible is not 100% secure!

0 Likes

#5

Because it fully depends on your setup. As @MarkMeyer mentioned it is documented (I still would argue the “well” bit though :smile:) that Flexible will connect via HTTP.

Again, never ever pick Flexible. :slight_smile:

0 Likes

#6

After reading the documentation for flexible correctly, I have misunderstood it. However, I think it would be trivial for Cloudflare proxy to start talking https to the origin, if you get a redirect to the https-site.

0 Likes

#7

True, but this is not how it is designed right now. The SSL mode defines how Cloudflare talks to the origin.

But you are more than welcome to join me in my crusade against Flexible :smile:

1 Like

#8

It is trivial. As long as you have a certificate installed and your webserver is listening on port 443.

Flexible was designed to make use of (user facing) SSL easy. And it is, mostly. We’ve a discussion ongoing with CF staff about flexible SSL.

1 Like
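
The loop discussed in this thread, as an added sketch that is not code from any poster, Cloudflare or nginx: a small model of a browser, a proxy and an origin that redirects every plain-HTTP request to HTTPS. The function names, `example.com` and the rule that Full (strict) keeps the visitor's scheme towards the origin are assumptions of the model; that Flexible connects to the origin via HTTP is from the thread.

```python
from urllib.parse import urlsplit, urlunsplit


def with_scheme(url, scheme):
    """Return url with its scheme replaced."""
    return urlunsplit((scheme,) + tuple(urlsplit(url)[1:]))


def origin_scheme(ssl_mode, visitor_scheme):
    """Scheme the proxy uses when it talks to the origin."""
    if ssl_mode == "flexible":
        return "http"       # per the thread: Flexible connects via HTTP
    return visitor_scheme   # assumption: Full (strict) keeps the visitor's scheme


def origin_response(url):
    """Hypothetical nginx origin: 301 to HTTPS for any request that arrives over HTTP."""
    if urlsplit(url).scheme == "http":
        return 301, with_scheme(url, "https")
    return 200, None


def proxy_fetch(ssl_mode, visitor_url):
    """The proxy picks the origin scheme from the SSL mode and relays the answer."""
    scheme = origin_scheme(ssl_mode, urlsplit(visitor_url).scheme)
    return origin_response(with_scheme(visitor_url, scheme))


def browse(ssl_mode, start_url, max_hops=10):
    """Follow redirects like a browser; return (outcome, URLs requested)."""
    url, seen = start_url, []
    for _ in range(max_hops):
        seen.append(url)
        status, location = proxy_fetch(ssl_mode, url)
        if status == 200:
            return "ok", seen
        if location in seen:
            return "redirect-loop", seen  # sent back to a URL already requested
        url = location
    return "too-many-redirects", seen


if __name__ == "__main__":
    for mode in ("flexible", "full_strict"):
        for start in ("http://example.com/", "https://example.com/"):  # constructed URLs
            print(mode, start, browse(mode, start)[0])
```

In the model, Flexible loops even when the visitor starts on https, because the origin only ever sees the proxy's HTTP connection and answers it with the same 301 each time.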