SSL with Apache reverse proxy

New to Cloudflare … I have been having issues setting up a server to host a dotnet app. Here is my server setting.
Linux Ubuntu, Apache (reverse proxy), Dotnet Core, ASP.NET app, Let's Encrypt SSL.
The setup on my server works … with a minor issue (mixed content blocking); it was suggested to use Cloudflare to solve this problem.
I followed the instructions on Cloudflare, changed NS, and A and CNAME are set to Proxy.
SSL is set to strict.
Options such as Always use HTTPS are on (default). However, I get a Too many redirects issue.
Disabling this, my site is no longer protected. The only way to protect the site is to enable the rewrite module and add a rewrite condition into my vhost to upgrade all connections to SSL. Doing this also causes issues with Cloudflare. So I'm totally at a loss as to how I can configure my server to work with Cloudflare.
I have read tons of info, but each article or response seems to be more confusing.
Any suggestion would be greatly appreciated.
I am sure there is something wrong with my server configuration, but I cannot figure it out.
Apache modules that are currently loaded are mod_proxy, mod_proxy_http, mod_ssl, mod_rewrite.
I also have mod_headers, but I just turned that off to see if that will help, as I have been using it to solve some CSP issues (mixed content blocking).
Thanks.

What is the domain name? (As you say you are using Full (strict) already).

The domain name is supplysolution.ca; at this point it is not working due to the too many redirects issue. Disabling SSL on Cloudflare restarts the site …
I am just clicking here and there hoping something will give. I gave up … :smirk:

Are you changing the settings now (or in the last few minutes?). I’m getting a variety of results, from 526 errors, to redirects from https to http, and others.

Can you set the configuration to “Full (strict)”, “always use HTTPS” on, “Automatic HTTPS rewrites” on, and leave it there.

If you haven’t changed anything, can you show your DNS records?

https://cf.sjr.org.uk/tools/check?f14698f45a7b4165865a2cdf5bdabcbd
https://cf.sjr.org.uk/tools/check?8b599900d89b48bdbc77c3dfedbefbf7

Sorry for that.
I enabled all the settings you suggested. The site is working (kinda) because on the back end I had to enable a few modules (rewrite, headers) …
And DNS is grey cloud, not proxied.

You will need to proxy the records for Cloudflare to affect the traffic (apply HTTPS redirects and rewrites, and so on). Otherwise Cloudflare is just DNS and traffic is going direct to your origin.


Assuming things are now stable with your settings, the problem is your origin is redirecting https:// to http://. Then Cloudflare is redirecting http:// to https:// (because of “Always use HTTPS”), hence the circular redirections.

https://cf.sjr.org.uk/tools/check?66ead73769804c128b1e1b0866f2cde1#connection-server
(click the “headers” links to see what is happening)

You need to find where on your origin (in the Apache config or the scripting in the pages) the redirect https->http is happening and remove it.

Thanks.
I used the link provided in your last reply … here is the result
https://cf.sjr.org.uk/tools/check?ff4c433f2eeb4efcb0fb4930e6a8009b
It seems the rewrite engine on my vhost keeps redirecting from http to https and back … this rewrite was entered into my vhost block by Let's Encrypt … so no clue if it is good or not.

RewriteCond %{SERVER_NAME} =www.supplysolution.ca [OR]
RewriteCond %{SERVER_NAME} =supplysolution.ca
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=301,L]

My advice (other opinions are available, may be controversial, but for us we find this easiest and locks things down)…

  • once you have LetsEncrypt (did you use certbot?) working, then don’t allow it to mess with the Apache configuration again, use --cert-only
  • lock down your Apache configuration to just use HTTPS at the origin
  • remove HTTP handling and all the rewrites/redirects in Apache and do all that on Cloudflare (keeps the Apache configurations clean, simple and clear - but does mean you must always proxy through Cloudflare, bypassing Cloudflare means those redirects won’t work)
  • allow only Cloudflare IPs to access port 443, don’t open port 80 at all
  • when time comes to renew the LetsEncrypt certificate, use the DNS-01 challenge with the Cloudflare API plugin to update the certificate files.

Some alternate options are:

  • allow HTTP to the site so certbot can use HTTP-01
  • allow only HTTPS, but with exceptions for certbot to use HTTP for HTTP-01 challenges. That seems to result in a lot of pain given other threads.

[add] On occasions, as in the test link you posted, I’ve seen certificate errors. Assuming this is as the DNS is changing as you proxy/unproxy the records, this is coming from your origin. Double check your LE certificate is the correct one, is correctly set in your Apache config and is valid and not expired.
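The locked-down origin vhost described in the post above, written out as an added example (it is not configuration from the thread, from Cloudflare or from Apache's docs). It assumes certbot's default certificate paths, Kestrel listening on 127.0.0.1:5000, and a separately maintained file of Cloudflare IP ranges; the firewall rule that closes port 80 lives outside Apache and is not shown.

```apache
# Added example: HTTPS-only origin behind Cloudflare (Full (strict)).
# Assumptions: certificate under /etc/letsencrypt/live/<domain>/ (certbot's
# default layout, renewed with the DNS-01 challenge so no port 80 is needed),
# Kestrel on 127.0.0.1:5000, and /etc/apache2/cloudflare-ips.conf holding one
# "Require ip <range>" line per range published at https://www.cloudflare.com/ips/.
# Modules needed: mod_ssl, mod_proxy, mod_proxy_http, mod_headers.
# There is deliberately no *:80 vhost and no mod_rewrite: the HTTP->HTTPS
# redirect is left to Cloudflare's "Always Use HTTPS", so the origin can never
# answer with a redirect of its own and start a loop. Also remove "Listen 80"
# from ports.conf so Apache does not bind the port at all.

<VirtualHost *:443>
    ServerName supplysolution.ca
    ServerAlias www.supplysolution.ca

    SSLEngine on
    # The certificate must cover both names above for Full (strict) to pass.
    SSLCertificateFile    /etc/letsencrypt/live/supplysolution.ca/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/supplysolution.ca/privkey.pem

    # Accept only connections that arrive through Cloudflare's proxy; anything
    # that bypasses Cloudflare (and its redirects) is refused with 403.
    <Location "/">
        Include /etc/apache2/cloudflare-ips.conf
    </Location>

    # Tell the backend the original request was HTTPS so that, if the app
    # honours the header, it builds https:// links instead of the http:// ones
    # that show up as mixed content.
    RequestHeader set X-Forwarded-Proto "https"

    ProxyPreserveHost On
    ProxyPass        / http://127.0.0.1:5000/
    ProxyPassReverse / http://127.0.0.1:5000/
</VirtualHost>
```

After `apachectl configtest` and a reload, a request from a non-Cloudflare address to port 443 should get a 403 and no Location header, which is the quickest check that the origin is no longer redirecting.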

Thanks.
I disabled the vhost:443 block and am still getting too many redirects. It sure is a setting on Apache that is wrong. I think it is best to remove my site from Cloudflare, put DNS back to the original, try to pull more hair off my head (there is one small part of the wall that is not broken yet …) and try to figure it out with a new SSL certificate …
This could as well be the Let's Encrypt certificate. I will try with a self-signed certificate to see how this works.

Thanks.

It is a lot simpler and faster to just pause Cloudflare.

If using Full (strict) on Cloudflare, this will give an error. Full (strict) requires a valid, CA signed, certificate. You can temporarily use “Full” for testing, which will ignore the fact the certificate is expired or self-signed, but really shouldn’t be used for live sites.

Using self-signed is just for testing why Apache is doing all that redirecting … I will not use that for a live site.
I paused Cloudflare so I don't have to go through DNS configuration again …
Thanks a lot for your help. It has been 3 stressful weeks that I have been at this trying to fix issues … and you have been the most help during this time.


Regardless of what I do, as soon as I turn the DNS proxy on in CF, I get 301 too many redirects … I have no redirect on the server; mod_rewrite is disabled.
CF settings: proxy DNS.
Full (strict).
Always use HTTPS on.
Cache disabled … just so I can verify the site faster …
Nothing helps.
Any suggestion?
PS: Apache reverse proxy to Kestrel .NET application server in the back end.
Without CF the site works fine. With CF enabled, too many redirects.

Currently your site is not proxied so I can see the redirects on your origin have been removed since before.

I’m not a web developer, but I can see you have mixed content on the page, some of the selections link to http:// when the page is loaded as https://. Not sure if that may be a cause.

On Cloudflare you can fix this by turning on “Automatic HTTPS rewrites” here…
https://dash.cloudflare.com/?to=/:account/:zone/ssl-tls/edge-certificates

Also check you don’t have any redirects here…
https://dash.cloudflare.com/?to=/:account/:zone/rules
https://dash.cloudflare.com/?to=/:account/:zone/rules/redirect-rules

Double check that SSL/TLS is Full (strict).

Post back when you turn the proxy back on so we can check in detail where the redirects are coming from.

Thanks.
Enabled CF for the domain; DNS proxied.
Edge certificate set to Full (Strict).
Always use HTTPS is on …
The site is now in too many redirects …
I know for whatever reason I get this mixed content … even though all the content is relative to the root and not hard coded with http … I have used CSP to fix this … it was only happening to a single JS file.
I am not a developer; I am using a pre-made web app, which is in ASP.NET and requires an Apache reverse proxy to talk to the upstream server (Kestrel) … as I have mentioned before, without CF the site works … SSL works and no issues, but just turning the DNS proxy on, I get that error.

OK, so it’s back as it was. Quite strange. When Cloudflare is on, something on the origin side (I guess Apache) is redirecting https:// to http://, but not when it is off.

What is the apache proxy doing? Changing ports or pointing from a public IP to an internal one?

I’m just looking back at old tests on your site…

Did you turn on “Automatic HTTPS rewrites”?

Thanks for your help.
Apache proxies requests to the internal application server pointing at localhost:
Protocols h2 http/1.1
ProxyPreserveHost On
ProxyPass / http://0.0.0.0:5000/
ProxyPassReverse / http://0.0.0.0:5000/

Normally it is set to localhost or 127.0.0.1:5000,
but I found a suggestion that setting it to 0.0.0.0 might work. netstat shows the application server does listen on the 127 loopback; this is how ASP.NET works … and I have no control over it.
I have seen this app working on Cloudflare … (demo version online), but I'm sure they are using Windows and IIS as this is native to Windows Server.
However, as it is marked on the developer's site and MSDN, running on Dotnet Core will work (and is working) on Linux as well as Mac servers without issue as long as a full-featured web server is acting as proxy.

On Apache, I have 2 vhost files enabled: one for port 80 which will redirect to the vhost for port 443 …
I think this might be the issue.
On vhost:80 I have a rewrite condition to redirect to HTTPS … this also could be a reason, thus many redirects. But I have no idea how to fix this as this seems to be the de facto setup with Apache or Nginx. I don't know if this helps.

Yes, I just thought that's what you would be doing. I have the same for some applications (not on ASP, but on Linux boxes with applications listening on local ports only), and those are working OK through Cloudflare (using 127.0.0.1).

Try turning off “Always use HTTPS” for the moment. Let’s see if it’s the backend producing http:// content that gets redirected back and forward.