Still seeing https requests to my server despite Flexible SSL and "Always Use HTTPS" turned ON

Hi all,

I have numerous websites running through Cloudflare and I use Flexible SSL setting with them all and “Always Use HTTPS” is turned ON.

My expectation is therefore that all requests to my server would be HTTP not HTTPS. However, I am seeing quite a few HTTPS requests hitting my server (which I am unable to serve hence the requests return an error).

Can someone explain how these requests are getting through?

Thanks
Jay

In case all records for your website are set to :orange: it could be direct IP access or access to a hostname from your provider. Something like vhost12345.provider.com

Thanks Mark.

I’m seeing occasional direct connections to my server IP, but mostly it’s connections to one of the domains I host and they are coming through Cloudflare, eg:

'HTTP_ACCEPT': 'text/plain,text/html,/',
'HTTP_ACCEPT_ENCODING': 'gzip',
'HTTP_CF_CONNECTING_IP': '66.249.69.24',
'HTTP_CF_IPCOUNTRY': 'US',
'HTTP_CF_RAY': '468273565f895606-ORD',
'HTTP_CF_VISITOR': '{"scheme":"https"}',
'HTTP_CONNECTION': 'Keep-Alive',
'HTTP_HOST': 'www.mydomain.com',
'HTTP_USER_AGENT': 'Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html))',
'HTTP_X_FORWARDED_FOR': '66.249.69.24',
'HTTP_X_FORWARDED_PROTO': 'https',
'PATH_INFO': u'/robots.txt',

Note I’ve changed “mydomain” above.

They’re not always from Googlebot, some seem to be genuine requests from users, eg:

'HTTP_USER_AGENT': 'Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.133 Safari/534.16',
'HTTP_X_FORWARDED_FOR': '208.87.233.140',
'HTTP_X_FORWARDED_PROTO': 'https',
'PATH_INFO': u'/npm/[email protected]/dist/jquery.min.js',

Although actually this looks a bit weirder still, as it appears to be a request for a CDN-hosted JS file coming to my server!

I use Apache and only have one site configured for SSL on my server, hence all these requests end up there and my application throws a wobbly because the incoming domain doesn’t match what it’s expecting.

Just wondering if there are any thoughts? As (I think) @sandro said, everything coming through Cloudflare should be HTTP not HTTPS, given I have enabled Flexible SSL.

I’ve always suspected some bots and whatever are bypassing Cloudflare and hitting your server’s IP address directly.

I’m seeing the Cloudflare headers though. Do you think the bots are setting those too? I guess I could tell by looking at the incoming IP?

Then that’s a good question for Cloudflare Support. If it’s Flexible, then all Cloudflare requests should be on HTTP.
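
The check raised earlier in the thread ("I could tell by looking at the incoming IP"), as an added example that is not part of the original posts: it trusts the CF-* headers only when the TCP peer address falls inside Cloudflare's published ranges. It assumes the request environ also carries the standard REMOTE_ADDR key (not shown in the dumps above); the function names, the sample requests and the copied IPv4 range list are assumptions of this example.

```python
import ipaddress
import json

# Snapshot of the IPv4 ranges Cloudflare publishes at https://www.cloudflare.com/ips/
# (assumption: current when copied; refresh from that page before relying on it).
CLOUDFLARE_V4 = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
)]

def peer_is_cloudflare(remote_addr):
    """True if the connecting socket address is in a Cloudflare IPv4 range."""
    try:
        ip = ipaddress.ip_address(remote_addr)
    except ValueError:
        return False
    return ip.version == 4 and any(ip in net for net in CLOUDFLARE_V4)

def classify(environ):
    """Return (origin, visitor_scheme) for a WSGI/CGI-style environ dict."""
    has_cf = any(k.startswith("HTTP_CF_") for k in environ)
    from_cf = peer_is_cloudflare(environ.get("REMOTE_ADDR", ""))
    if from_cf and has_cf:
        origin = "cloudflare"
    elif from_cf:
        origin = "cloudflare-range-no-cf-headers"
    elif has_cf:
        origin = "direct-with-forged-cf-headers"  # headers set by the client itself
    else:
        origin = "direct"
    scheme = None
    if origin == "cloudflare":
        # CF-Visitor describes the visitor-to-Cloudflare leg of the connection.
        try:
            scheme = json.loads(environ.get("HTTP_CF_VISITOR", "")).get("scheme")
        except (ValueError, AttributeError):
            scheme = None
    return origin, scheme

# Constructed sample requests (peer addresses are illustrative, not from the thread).
VIA_CF = {"REMOTE_ADDR": "172.68.10.20", "HTTP_CF_RAY": "468273565f895606-ORD",
          "HTTP_CF_VISITOR": '{"scheme":"https"}', "HTTP_HOST": "www.mydomain.com"}
FORGED = {"REMOTE_ADDR": "203.0.113.10", "HTTP_CF_RAY": "468273565f895606-ORD",
          "HTTP_CF_VISITOR": '{"scheme":"https"}', "HTTP_HOST": "www.mydomain.com"}
DIRECT = {"REMOTE_ADDR": "203.0.113.10", "HTTP_HOST": "www.mydomain.com"}
```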
