SSL Lock not appearing on site

After attempting to configure Cloudflare in front of a site that does not have HTTPS configured (and the developer will not support HTTPS) I have run into the issue that the HTTPS is not working with Cloudflare enabled.

The website is mvseacoast.com

The site is configured to use “flexible” SSL mode. However, when attempting to visit https://www.mvseacoast.com it returns a connection refused error. To me this would indicate that the unencrypted server is not being proxied by Cloudflare but instead the client is attempting to connect directly to the server which does not support HTTPS.

I’ve configured the following routing rules to attempt to understand the issue further and it appears that SSL is not working at all.

The route which has strict mode enabled should be returning an error from Cloudflare as the host does not have SSL enabled, but instead, the client is able to connect to the web server and get a 404 error instead.

I’ve attempted to force HTTPS on both a page that returns a 404 (/cloudflare2 route) and a normal site page (/about) and neither are connecting over HTTPS. In fact, a test of the site is indicating that that rule is not present at all: Test Results: mvseacoast.com - Why No Padlock?

Any thoughts on what is occurring here?

As a follow-up, this guide: Troubleshooting SSL/TLS issues helped diagnose the problem a bit further. It appears my computer is using the correct Cloudflare IP for the site, but my browser is still using the old site IP.

After trying it on a new computer, the new issue seems to be that https://mvseacoast.com/about is causing a redirect loop in which the origin server is redirecting HTTPS traffic to HTTP and Cloudflare is doing the opposite. This article seems to indicate that the “flexible” configuration is not compatible with a redirect from HTTP to HTTPS, but is the reverse the same (the origin server redirects HTTPS traffic to HTTP)?

This seems odd to me as my understanding is that Cloudflare communicates with the origin server over HTTP when “flexible” mode is on, so the server should not be sending a redirect from HTTPS to HTTP.

Flexible SSL Mode is not secure. Please install a proper SSL Certificate on your Webserver and change to Full (Strict) Mode.

Nope, that’s your domain/ZONE.

Your Website actually is located at: www.mvseacoast.com which is a subdomain of mvseacoast.com

Not completely correct. In flexible mode, Cloudflare gets a request on HTTPS (:443) and is itself calling the origin Server on HTTP (:80). This setup is not recommended and is bad. Please do not use Flexible at all.

What I would recommend:

  1. install a proper SSL Cert on your origin. (Let’s Encrypt or Cloudflare’s origin Cert)
  2. change the baseURL (and Links) of your application to HTTPS
  3. change SSL Mode to “Full (Strict)”
  4. do remove ALL of the PageRules above as you will not need any of them
  5. activate “Always use HTTPS” in your global Dashboard settings
  6. be happy having a proper encrypted page

The current host does not support SSL, and we are not in a position to switch to a new host at the moment. I am simply looking for a temporary solution for an SSL certificate to be added to the site.

To your point:

This is also my understanding of how it works; however, the server is sending a 302 redirect to HTTP which indicates that it is not working correctly. If the server is receiving the traffic over HTTP, it should not be sending a 302 redirect to HTTP which is causing the redirect loop.

There we got the error. If your server is sending this redirect the problem is actually located at your server.

May I ask, out of curiosity, why this is? I cannot think of any host worldwide that does not support SSL in 2021.
I would definitely not try to conceal the problem, and would first get a proper setup. But that’s just my 2 cents.

Also: if your Application does not support HTTPS you will not be able to change links to HTTPS (which is important) and therefore you will probably never get a green padlock.
If you cannot change Links in your DOM to HTTPS this will produce mixed content and ‘break’ the green padlock.


Yes, happy to share! This is a boutique developer who insists that installing an SSL certificate on his Apache server will take 40+ hours of work and lots of $$$. While I’ve never personally had it take any more than a few hours, we do not have any control over the backend and are not in a position at the moment to make any major switches. We are looking to proxy the server through Cloudflare to display an SSL certificate for cosmetic & SEO purposes (as the underlying server security cannot be improved on our end).

To me, it seems weird that the server is sending a redirect as my understanding is exactly what you said that Cloudflare communicates with the server over HTTP. If that is the case, I’m at a loss as to why the server is receiving the traffic as HTTPS traffic and attempting to redirect it (creating the redirect loop).
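
An added example, not part of any post in this thread: a small Python check that takes a recorded redirect chain and reports whether it is the HTTPS/HTTP flip-flop loop discussed above, and which hop performs the downgrade to HTTP. The host name and hop data are constructed placeholders, and `diagnose` and `scheme_change` are hypothetical helper names.

```python
from urllib.parse import urljoin, urlsplit

REDIRECTS = {301, 302, 303, 307, 308}

# Constructed hops (status, requested URL, Location header) for a placeholder
# host, as recorded by following redirects one at a time.
SAMPLE_HOPS = [
    (301, "http://www.example.test/about", "https://www.example.test/about"),
    (302, "https://www.example.test/about", "http://www.example.test/about"),
    (301, "http://www.example.test/about", "https://www.example.test/about"),
]


def scheme_change(src, dst):
    """Classify one hop as 'upgrade', 'downgrade' or 'same'."""
    a, b = urlsplit(src).scheme, urlsplit(dst).scheme
    if a == b:
        return "same"
    return "upgrade" if (a, b) == ("http", "https") else "downgrade"


def diagnose(hops):
    """Find the first redirect cycle and report which hops flip the scheme."""
    first_seen = {}  # requested URL -> index of the hop that requested it
    for i, (status, url, location) in enumerate(hops):
        first_seen.setdefault(url, i)
        if status not in REDIRECTS or not location:
            break  # a final response ends the chain without a loop
        target = urljoin(url, location)  # Location may be relative
        if target in first_seen:
            cycle = hops[first_seen[target]:i + 1]
            kinds = [scheme_change(u, urljoin(u, loc)) for _, u, loc in cycle]
            return {
                "loop": True,
                "scheme_flip": "upgrade" in kinds and "downgrade" in kinds,
                "downgrades": [(s, u) for (s, u, _), k in zip(cycle, kinds)
                               if k == "downgrade"],
            }
    return {"loop": False, "scheme_flip": False, "downgrades": []}


if __name__ == "__main__":
    print(diagnose(SAMPLE_HOPS))
```

The entries in `downgrades` are the responses to inspect first: in the situation described in the thread, that is the 302 to HTTP that the origin server returns.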