Prevent HTTPS on some URLs

In Cloudflare I have one domain with some sub-domains. For some reason we must use the Flexible* SSL mode and activate the Use HTTPS always so we don’t miss anything when setting .htaccess or vhost.conf files on every sub-domain.

All our sub-domains work fine.

The thing is that I need one URL for one of those sub-domains to work with HTTP and not HTTPS.

So I created a page rule:

ssl = off
https automatic rewrites = off

When I go to that sub-domain, it works fine, with the HTTPS, but when I go to that page, then it fires the HTTPS too.

  • Why Flexible? I had this set to Full at first, but some sub-domain is on a server outside our control, and they don’t want to or can’t use the Full way that needs the free TLS certificate that Cloudflare provides to be installed. So we moved the entire domain to Flexible and generate our own certificates (no big deal because we used this way for a long time anyway).

If you can’t use SSL you should use “Off”. By using “Flexible” you are pretending to have a secure site when you don’t and lie to your visitors.

I have Let’s Encrypt certificates on all sub-domains, including the one I have the issue with. Thanks for asking.

I had it this way a year before we used Cloudflare (I manually renew certificates every 90 days).

Those two pages I need via HTTP are for an API that is not public, just for some particular stuff, nothing to do with our clients.

If all of your Origins have valid certificates, set the SSL mode to Full (Strict), and enable “Always Use HTTPS”.

Then for the URLs that need to be available over HTTP, create page rules that set Always Use HTTPS to Off. This will override the zone level HTTP-HTTPS redirect.
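One way to check the result of the setup described in the answer above, as an added example that is not part of the original thread: it sends plain-HTTP requests without following redirects and reports every URL whose behaviour differs from what you expect. The `example.com` hostnames, paths and sample responses are constructed placeholders.

```python
import http.client
from urllib.parse import urlsplit

REDIRECTS = {301, 302, 303, 307, 308}

def fetch(url):
    """Send one plain-HTTP HEAD request; redirects are NOT followed."""
    parts = urlsplit(url)
    target = (parts.path or "/") + ("?" + parts.query if parts.query else "")
    conn = http.client.HTTPConnection(parts.hostname, parts.port or 80, timeout=10)
    try:
        conn.request("HEAD", target)
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location", "")
    finally:
        conn.close()

def classify(url, status, location):
    """'upgraded' = redirected to https on the same host, 'http' = served as-is."""
    if status in REDIRECTS:
        dest, origin = urlsplit(location), urlsplit(url)
        if dest.scheme == "https" and dest.hostname == origin.hostname:
            return "upgraded"
        return "redirected-elsewhere"
    # Endpoints that reject HEAD (e.g. 405) land in 'error'; check those by hand.
    return "http" if 200 <= status < 300 else "error"

def audit(expected, observe=fetch):
    """Return (url, wanted, observed) for every URL that behaves unexpectedly."""
    mismatches = []
    for url, want in expected.items():
        status, location = observe(url)
        got = classify(url, status, location)
        if got != want:
            mismatches.append((url, want, got))
    return mismatches

# Constructed expectations: the whole zone upgrades, two API paths stay on HTTP.
EXPECTED = {
    "http://www.example.com/": "upgraded",
    "http://api.example.com/internal/sync": "http",
    "http://api.example.com/internal/report": "http",
}
# Constructed responses standing in for live traffic (status, Location header).
SAMPLE = {
    "http://www.example.com/": (301, "https://www.example.com/"),
    "http://api.example.com/internal/sync": (200, ""),
    "http://api.example.com/internal/report": (301, "https://api.example.com/internal/report"),
}

if __name__ == "__main__":
    for row in audit(EXPECTED, observe=SAMPLE.get):
        print("MISMATCH", row)
```

Call `audit(EXPECTED)` with your own URLs to run it against a live zone; a mismatch on an exempted path means the page rule pattern does not match that URL.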


I kind of wish the Flexible option was removed; it kind of challenges the purpose of Cloudflare to accomplish a safer internet IMHO.

Absolutely, the whole purpose of browsers requiring SSL for certain features is defeated by it.

Has been discussed endlessly (even a feature just for more transparency) but there is no movement from Cloudflare’s side, so I guess this is not going to change any time soon.


Plus, it allows owners and hosts to continue being careless about security and not offer any encryption at all or just broken certificates.
