Problem with HTTP <-> HTTPS redirects

I made a page rule to exclude one folder from the HTTP -> HTTPS redirection, but it’s not working.

When I open an URL from that folder via HTTP, it redirects it to HTTPS, then back to HTTP and it continues redirecting back and forth in an enldess loop until the “too many redirects error appears”:

This is the URL I’m trying to open via HTTP:

http://svipopusti.hr/.well-known/test.txt

This is the page rule I have setup to disable HTTPS for that folder:

Besides that, I have only one other page rule, which is ordered below this one:

I’m pretty sure the problem is not on my server side, because when I disable CF proxy for the domain svipopusti.hr, and set it to DNS Only, the problem doesn’t occur, and the files inside the “.well-known” folder can be loaded over HTTP. When I turn the proxying back on, the problem returns. Also, it works on the subdomain which is permanently setup to DNS Only:

http://direct.svipopusti.hr/.well-known/test.txt

Here are the response headers for the HTTP <-> HTTPS redirections:

Please help, what am I doing wrong?

The issue will be that you set SSL to Off in your first page rule. This implies a redirect from HTTPS to HTTP, however at the same time you seem to have “Always use HTTPS” which redirects from HTTP to HTTPS. Hence you will get two redirects from two different layers on Cloudflare.

There is a solution for this but first I’d like to clarify why you’d like to disable HTTPS in this case. As I said, the origin does serve the file via HTTPS as well.

I need HTTP access because cPanel AutoSSL tries to access a file in the .well-known folder when it’s renewing the SSL certificate. It does so via HTTP and it fails to renew when the URL is redirected to HTTPS.

Please share the solution. If there’s a way to remove the HTTP -> HTTPS redirection only for the .well-known folder by using Cloudflare without doing redirects on my server, that would be a charm!

Thanks

Does it? Hmm, alright.

In that case you will probably have to change your approach and disable the global “Always use HTTPS” setting and set that via the second page rule instead. Otherwise the request will always be redirected to HTTPS, which you obviously dont want.

I’ve seen this requirement before, so I’ve disabled “Always Use HTTPS” in the SSL Edge Certificates section. My sites already have HSTS enabled, and are on the HSTS preload list, so browsers won’t even try HTTP, but SSL verification still has HTTP access to the server.

The second page rule doesn’t allow me to set “Always use HTTPS”,
when I try to add it it’s disabled (sshot below).

Do you know why?

It appears that setting can only be used on its own because of the eventual redirect.

Add an addtional third rule between #1 and #2 for http://*svipopusti.hr/* where you only enable Always use HTTPS.

Yes, I tried both with and without disabling the global “Always
use HTTPS”.

So to have HTTPS redirect enabled for everything except one
folder, I need to have three different page rules…

Isn’t that an overkill?

  Something as simple as that should be able to work by setting the

“Always use HTTPS” on globally, and then setting it off in one
page rule. Doesn’t that sound more reasonable?

No, because you cannot disable that setting, only enable it.

You actually only need two, the third one is unrelated.

I think I’ll go with redirects on the server. It’s much easier than setting up three different page rules.

Thank you for your help.

Alright, though you would have had two anyhow, you just need one additional one to enable that feature.

I encountered this problem with letsencrypt cert renewals too. And my server firewall is routinely blocking port 80. So when I renew I open the firewall, then pause Cloudflare. Do the cert renew before restoring the firewall and CF. Since I do the renewal manually it’s only a couple more steps.