Still seeing https requests to my server despite Flexible SSL and "Always Use HTTPS" turned ON

james.hargreaves · October 11, 2018, 6:59am

Hi all,

I have numerous websites running through Cloudflare and I use Flexible SSL setting with them all and “Always Use HTTPS” is turned ON.

My expectation is therefore that all requests to my server would be HTTP not HTTPS. However, I am seeing quite a few HTTPS requests hitting my server (which I am unable to serve hence the requests return an error).

Can someone explain how these requests are getting through?

Thanks
Jay

MarkMeyer · October 11, 2018, 5:22pm

In case all records for your webisite are set to it could be direct IP access or access to a hostname from your provider. Something like vhost12345.provider.com

james.hargreaves · October 11, 2018, 7:31pm

Thanks Mark.

I’m seeing occasional direct connections to my server IP, but mostly it’s connections to one of the domains I host and they are coming through Cloudflare, eg:

HTTP_ACCEPT’: ‘text/plain,text/html,/’,
‘HTTP_ACCEPT_ENCODING’: ‘gzip’,
‘HTTP_CF_CONNECTING_IP’: ‘66.249.69.24’,
‘HTTP_CF_IPCOUNTRY’: ‘US’,
‘HTTP_CF_RAY’: ‘468273565f895606-ORD’,
‘HTTP_CF_VISITOR’: ‘{“scheme”:“https”}’,
‘HTTP_CONNECTION’: ‘Keep-Alive’,
‘HTTP_HOST’: ‘www.mydomain.com’,
‘HTTP_USER_AGENT’: ‘Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html))’,
‘HTTP_X_FORWARDED_FOR’: ‘66.249.69.24’,
‘HTTP_X_FORWARDED_PROTO’: ‘https’,
‘PATH_INFO’: u’/robots.txt’,

Note I’ve changed “mydomain” above.

They’re not always from Googlebot, some seem to be genuine requests from users, eg:

‘HTTP_USER_AGENT’: ‘Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.133 Safari/534.16’,
‘HTTP_X_FORWARDED_FOR’: ‘208.87.233.140’,
‘HTTP_X_FORWARDED_PROTO’: ‘https’,
‘PATH_INFO’: u’/npm/[email protected]/dist/jquery.min.js’,

Although actually this looks a bit weirder still, as it appears to be a request for a CDN-hosted JS file coming to my server!

james.hargreaves · October 11, 2018, 7:33pm

I use Apache and only have one site configured for SSL on my server, hence all these requests end up there and my application throws a wobbly because the incoming domain doesn’t match what it’s expecting.

james.hargreaves · October 15, 2018, 12:39pm

Just wondering if there are any thoughts? As (I think) @sandro said, everything coming through Cloudflare should be HTTP not HTTPS, given I have enabled Flexible SSL.

sdayman · October 15, 2018, 1:10pm

I’ve always suspected some bots and whatever are bypassing Cloudflare and hitting your server’s IP address directly.

james.hargreaves · October 15, 2018, 2:12pm

I’m seeing the Cloudflare headers though. Do you think the bots are setting those too? I guess I could tell by looking at the incoming IP?

sdayman · October 15, 2018, 3:23pm

Then that’s a good question for Cloudflare Support. If it’s Flexible, then all Cloudflare requests should be on HTTP.

system · November 14, 2018, 3:25pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.