Redirection loop : wrong SSL config?

Hi everyone,

Sorry to disturb, but I’ve looked in many places and it seems I can’t resolve this issue…

My website https://5aconseil.com/ seems to be in a redirect loop, could you please help me out to solve it ?

Here is my Cloudflare configuration for SSL:
https://drive.google.com/open?id=1zQ-arwYTTcTujpEVomT9a8n6Swl-JwuJ

I don’t have an SSL certificate on my hosting (1&1 / ionos), since it cannot have one when I’m using Cloudflare’s nameservers.

Lastly, in case this might be of any use: this website is a WordPress site, with WP Rocket installed (and, I hope, properly set).

Would there be anyone to help me solve this :-/ ?

Thanks

Bastien

1 Like

Assuming your server IP address ends in 58, it would appear as if your server is not configured for HTTPS.

Hi Sandra,

Thanks for your reply. Indeed my server IP ends with …58, so that could be the problem.

However, I’m sorry but I don’t understand how I could fix this - I’m a bit new to this… :-/

  • Cloudflare manages our nameservers.
  • My hosting (ionos aka 1&1) cannot provide an SSL certificate if the nameservers are not theirs.
  • Because of this, I chose:
    • Cloudflare provides the SSL certificate.
    • On Cloudflare, I chose the “Flexible SSL” setting, since it appears to be the correct one for this situation. Here is what is written about this “Flexible SSL”:
      “Flexible SSL: You cannot configure HTTPS support on your origin, even with a certificate that is not valid for your site. Visitors will be able to access your site over HTTPS, but connections to your origin will be made over HTTP. Note: You may encounter a redirect loop with some origin configurations.”

So, if I understood correctly: indeed my server (with IP ending with …48) is not configured with SSL, but since all requests go through Cloudflare DNS they handle the SSL from the client to Cloudflare. Then, it’s not secured (well, I can’t) but it should work anyway, shouldn’t it?

Bastien

Cloudflare handles HTTPS between them and your visitors but - in your case - the connection between Cloudflare and your server is still unencrypted and hence insecure. Flexible is an option that should never - or only in a handful of extreme situations, with a very very good reason - be picked.

Can your host import a certificate if you provide one? If so, you could get an origin certificate from Cloudflare. If that still is not possible I’d strongly advise to switch to a different host who is able to provide a secure environment.

1 Like

Hello Bastien

Then, it’s not secured (well, i can’t) but it should work anyway, isn’t ?

  • Yes, it works.

As @sandro said, with Flexible SSL, traffic between Cloudflare servers (which act on your behalf) and your server remains insecure. It means whatever is being transferred can be read and/or tampered with by intermediate nodes (routers, gateways…).

But there are cases when this security is not the concern of the website owner and an image on the visitor’s browser serves the purpose.

If you are gonna choose Flexible SSL it is OK as long as you know the consequences. Most hostings support Let’s Encrypt free SSL if there is not an option to import yours (you can use a self-signed SSL but it is not recommended due to MITM).

I am terribly sorry, but I would have to disagree with these two paragraphs. Whether security is of no concern is not only the administrator’s decision but also the visitor’s. In this context it is not only about security but also privacy. With Flexible the user is robbed of that choice, respectively is not even aware of what is going on.

Flexible is (almost) always a bad choice and should never be selected. As you rightfully said, there are plenty of opportunities to get a certificate - paid and free - and if a host really does not offer it, it is a wise decision to leave that host at the earliest opportunity.

There is a reason why there is an entire community tip on that subject :slight_smile:

1 Like

When it comes to privacy, the client is trusting the website owner, so even in a Full SSL scenario, the server can be compromised (which is much easier than intercepting traffic for external bad actors) and beyond that, IMO any information which becomes digital is not private anymore (I have a dozen examples of systematic stealing of user info but this short video is enough).

Flexible is (almost) always a bad choice and should never be selected

  • Then it should be removed from Cloudflare panel.
1 Like

Which is what we are pushing for (sorry, @cloonan!), it should at least not be presented as 1 of 3 equal options in the dashboard.

1 Like

That is a different subject though. We are talking here about transport security and privacy.

I agree, it should and I have been advocating this for quite some time.

For the meantime, please join me at https://community.Cloudflare.com/t/header-indicating-encryption-status-of-the-origin-connection/55546

1 Like

Whoever put that option there was clever and pragmatic.

Sorry, I politely have to disagree in this case :slight_smile:

2 Likes

Hi guys,

Thanks a lot for your feedback, you’re all obviously much more knowledgeable than I am (:-)) and I enjoyed reading your debate!

My problem is that my hosting doesn’t allow an SSL certificate if they don’t manage the nameservers as well. Since I need to change these nameservers in order to use Cloudflare, I am facing these options:

  1. not using Cloudflare, so I can have an SSL certificate directly on our website
  2. using Cloudflare (and thus their nameservers), and having “Flexible SSL” with an SSL certificate from Cloudflare.
  3. changing hosting: well, I am the CFO and administrator of a rather small company so I don’t know if I will have the time to do that, especially considering we have ≈100 email users (these will be the most painful to transfer to another host)

As such, and even if I understand the concerns and problems you wrote about “Flexible SSL”, I still think it would suit me best :smiley:

By the way, if anyone finds it useful: I found this article about how to properly set “Flexible SSL” with WordPress. Since I didn’t do any of this, my guess is that this will explain why I had the “redirect loop” in the first place.

So, I temporarily disabled Cloudflare for the time being (so my website currently works with both http and https), and I will follow what the article says before putting Cloudflare back on.

I hope it will work, then :slight_smile:

Anyways, thanks a lot to all for your valuable feedback!

2 Likes
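The redirect loop discussed in this thread, as an added example that is not part of any post above: a small offline model of a visitor, a proxy in "flexible" or "full" mode, and an origin that forces HTTPS. The function names, the `example.test` host and the `trust_proxy_header` switch are assumptions made for illustration; `X-Forwarded-Proto` is the header a proxy sets to the visitor's scheme.

```python
# Constructed model of the Flexible-SSL redirect loop; no network access.
MAX_HOPS = 10  # a browser gives up after a bounded number of redirects

def origin(scheme, headers, force_https, trust_proxy_header):
    """Origin with an HTTP->HTTPS redirect rule. Returns (status, location)."""
    seen_scheme = scheme
    if trust_proxy_header:
        # Only safe when the origin accepts traffic solely from the proxy,
        # otherwise any client can forge this header.
        seen_scheme = headers.get("X-Forwarded-Proto", scheme)
    if force_https and seen_scheme != "https":
        return 301, "https://example.test/"
    return 200, None

def edge(visitor_scheme, mode, origin_has_tls, **origin_cfg):
    """Proxy hop: 'flexible' always speaks HTTP to the origin, 'full' HTTPS."""
    origin_scheme = "http" if mode == "flexible" else "https"
    if origin_scheme == "https" and not origin_has_tls:
        return 525, None  # modelled as an SSL handshake failure at the origin
    headers = {"X-Forwarded-Proto": visitor_scheme}
    return origin(origin_scheme, headers, **origin_cfg)

def browse(start_scheme, mode, origin_has_tls, force_https, trust_proxy_header):
    """Follow redirects like a browser; return the final status or 'loop'."""
    scheme = start_scheme
    for _ in range(MAX_HOPS):
        status, location = edge(scheme, mode, origin_has_tls,
                                force_https=force_https,
                                trust_proxy_header=trust_proxy_header)
        if status != 301:
            return status
        scheme = location.split("://", 1)[0]
    return "loop"

if __name__ == "__main__":
    # Flexible + origin forcing HTTPS on what it sees as plain HTTP: loop.
    print(browse("https", "flexible", False, True, False))
    # Same origin, but it honours X-Forwarded-Proto: page loads, while the
    # proxy-to-origin hop is still unencrypted.
    print(browse("https", "flexible", False, True, True))
    # Full mode with a certificate on the origin: no loop, encrypted hop.
    print(browse("https", "full", True, True, False))
```

Honouring the forwarded scheme only stops the loop; the proxy-to-origin connection in the flexible case is still plain HTTP, which is the concern raised in the replies.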

This is a little odd, I get that their AutoSSL can sometimes not work in these circumstances, but even if you can provide your own certificate, they won’t let you upload it?

1 Like

Assuming your host refuses to offer SSL I would go for option three and hire someone for the migration.

I am afraid, but Flexible really is not a good choice. You basically do not have a secure site at this point, but yet give your users the impression you do.

Again, I’d contact the host and try to clarify what options you have to configure SSL in your situation. If they can’t issue a certificate on their own, they should at least be able to import one that you provide.

Of course it is eventually up to you to decide what route to go but I can’t stress enough how bad of a choice Flexible is.

Well I can upload my own certificate, but not for shared hosting (and we are on shared hosting)

I’d still try to come to an agreement with them. If not now, they will have to offer it anyhow in the future.
