Still seeing https requests to my server despite Flexible SSL and "Always Use HTTPS" turned ON

james.hargreaves · 2018-10-11 06:59:03 UTC

Hi all,

I have numerous websites running through Cloudflare and I use Flexible SSL setting with them all and “Always Use HTTPS” is turned ON.

My expectation is therefore that all requests to my server would be HTTP not HTTPS. However, I am seeing quite a few HTTPS requests hitting my server (which I am unable to serve hence the requests return an error).

Can someone explain how these requests are getting through?

Thanks
Jay

MarkMeyer · 2018-10-11 17:22:33 UTC

In case all records for your webisite are set to it could be direct IP access or access to a hostname from your provider. Something like vhost12345.provider.com

james.hargreaves · 2018-10-11 19:31:48 UTC

Thanks Mark.

I’m seeing occasional direct connections to my server IP, but mostly it’s connections to one of the domains I host and they are coming through Cloudflare, eg:

HTTP_ACCEPT’: ‘text/plain,text/html,/’,
‘HTTP_ACCEPT_ENCODING’: ‘gzip’,
‘HTTP_CF_CONNECTING_IP’: ‘66.249.69.24’,
‘HTTP_CF_IPCOUNTRY’: ‘US’,
‘HTTP_CF_RAY’: ‘468273565f895606-ORD’,
‘HTTP_CF_VISITOR’: ‘{“scheme”:“https”}’,
‘HTTP_CONNECTION’: ‘Keep-Alive’,
‘HTTP_HOST’: ‘www.mydomain.com’,
‘HTTP_USER_AGENT’: ‘Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html))’,
‘HTTP_X_FORWARDED_FOR’: ‘66.249.69.24’,
‘HTTP_X_FORWARDED_PROTO’: ‘https’,
‘PATH_INFO’: u’/robots.txt’,

Note I’ve changed “mydomain” above.

They’re not always from Googlebot, some seem to be genuine requests from users, eg:

‘HTTP_USER_AGENT’: ‘Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.133 Safari/534.16’,
‘HTTP_X_FORWARDED_FOR’: ‘208.87.233.140’,
‘HTTP_X_FORWARDED_PROTO’: ‘https’,
‘PATH_INFO’: u’/npm/[email protected]/dist/jquery.min.js’,

Although actually this looks a bit weirder still, as it appears to be a request for a CDN-hosted JS file coming to my server!

james.hargreaves · 2018-10-11 19:33:44 UTC

I use Apache and only have one site configured for SSL on my server, hence all these requests end up there and my application throws a wobbly because the incoming domain doesn’t match what it’s expecting.

james.hargreaves · 2018-10-15 12:39:16 UTC

Just wondering if there are any thoughts? As (I think) @sandro said, everything coming through Cloudflare should be HTTP not HTTPS, given I have enabled Flexible SSL.

sdayman · 2018-10-15 13:10:51 UTC

I’ve always suspected some bots and whatever are bypassing Cloudflare and hitting your server’s IP address directly.

james.hargreaves · 2018-10-15 14:12:08 UTC

I’m seeing the Cloudflare headers though. Do you think the bots are setting those too? I guess I could tell by looking at the incoming IP?

sdayman · 2018-10-15 15:23:06 UTC

Then that’s a good question for Cloudflare Support. If it’s Flexible, then all Cloudflare requests should be on HTTP.