SSL "Too many redirects" problem when using Cloudflare via Midphase's cPanel tool


#1

I have a website hosted by Midphase, and they provide Cloudflare as part of their standard cPanel tool set, which I’ve been using very successfully for a number of years now.

I recently decided that I really ought to add SSL / HTTPS security to my site (as it contains a small forum, and I’m not comfortable with users having to create accounts and log in with unencrypted passwords, etc).

I successfully generated and installed a Let’s Encrypt SSL certificate on the site (www.portorleans.org by the way) and set up standard .htaccess redirects as follows, which seemed to work fine at first:

RewriteEngine on
# ensure www.
RewriteCond %{HTTP_HOST} !^www\. [NC]
RewriteRule ^ https://www.%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
# ensure https
RewriteCond %{HTTP:X-Forwarded-Proto} !https 
RewriteCond %{HTTPS} off
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

However after a day or so I started seeing “Too Many Redirects” errors, particularly with forum posts which include embedded [IMG] images linked from the site’s main Gallery, which historically will have been saved using the the original “http://” format of the site URL. I’m not especially worried about the mixed content reports in these older forum-generated pages, but I do obviously want the linked images to still be displayed to all users. (The rest of the site doesn’t have this problem by the way, as all of my own hand-coded pages use relative URLs, so they automatically pick up the https: format from the overall page URL)

I Googled the issue and the general advice seems to be to force Cloudflare to use ‘Full’ or ‘Full(Strict)’ SSL as opposed to ‘Flexible SSL’, but there is no option to configure that feature on my Cloudflare Settings tab in the Midphase cPanel.

I have just added <meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests"> to all my page headers which should help with mixed-content pages for about 80% of browsers, but presumably that won’t solve the problem for the other 20% of users (hard for me to test though, as I don’t have any of the non-compatible browser variants on my systems).

I currently have Cloudflare turned off via the cPanel Settings, so everything is now working fine again (with SSL), but I’d obviously like to be able to reactivate Cloudflare as soon as possible - but without risking any more Redirect errors.

Any thoughts? Thanks.

Andre


#2

You don’t need an htaccess rule to forward to HTTPS. You should set this in Cloudflare’s Crypto settings for “Always Use HTTPS” and “Automatic HTTPS Rewrites”. This should fix the redirect loop.

And, as you suspect, Flexible SSL is the culprit. Flexible means Cloudflare is using HTTP to your site, but your site is redirecting to HTTPS, which Flexible won’t do. You need to enable Full. Contact Midphase to see if they can fix this.


#3

Yes, so as I thought I will need to find how to adjust the Crypto setting and also change Flexible SSL to Full.

I’ll contact Midphase too, and ask them if they know how I can get access to the full range of controls rather than the subset in their cPanel implementation.

Andre


#4

I’ve had a reply from Midphase offering to sell me an expensive premium package, saying that their cPanel interface does not support SSL via Cloudflare (even though it actually works fine, apart from being unable to tweak a required setting). Sharks, basically.

The only way to implement an ssl with our version of cloudflare is to purchase cloudlfare plus from us and get the ssl from us. If you got an ssl from elsewhere youwill need to sign up for a free account at cloudflare and get your configuration done through them.

So it looks like I’ll need to set up a free account on Cloudflare and connect my website to it. How straight-forward is that when I’ve already got an option in Midphase (which I’ve been using for years, but is currently disabled)?

Andre


#5

For now, see how much of Cloudflare you can turn off and undo at Midphase.

Then do a manual setup here. Do you already have access to the Cloudflare dashboard here? Here are some steps:


#6

This topic was automatically closed after 14 days. New replies are no longer allowed.