What do I need to do before activating Automatic HTTPS Rewrites?


#1

It’s been suggested that my site should incorporate https. I see there’s a one-click option to do so, however, what do I need to do to my site before I activate the https? If I activate the slider, will my site work like it currently does, but just under https?


#2

If all the assets you include (CSS, scripts, images) are served locally and not from foreign locations, and you enable SSL on Cloudflare + URL rewriting that will re-write all URLs returned on your site from http:// to https:// - then in theory, that’s all you need to do. Ideally you won’t use URL rewriting and just use relative URLs everywhere in your code, so they’ll follow whatever protocol the page was loaded at. It will also make your links shorter :wink:

If you have assets loaded from external sources which are not HTTPS, you’ll have Mixed Content - which is not good. You both lose the security, and your padlock will show that: it will not be green. This is especially important if you do not control all the content that goes in - for example you include images from URLs provided by random users of your website.


#3

Everything on the site has been uploaded to the GD server by us and there’s no content allowed by users. So, there shouldn’t be anything from foreign locations.

I’ll have to ask the developer about the code, though. I don’t know how that was written, although I’m certain it’s just a WP template, so highly unlikely there’s anything special done.


#4

Well, as mentioned above, if you look at all URLs loaded on your pages, and they’re all on your domain (in Firefox there’s a really nice right click -> page info -> media for that), then, it should be OK. You can always… test. Just don’t enable HSTS before you’re sure it’s working great on all pages.


#5

Sooooo, I tried it, and it immediately took affect. However, it now just goes to a “future home of something quite cool” page rather than my site homepage.

Does this need a few hours to start working or do I need to undo it and have the code looked at?


#6

I think it may proxy to the origin as HTTPS and perhaps your server side does not have your site configured for access over HTTPS (even in an insecure way, i.e. without a trusted cert), but because the server IS configured for HTTPS (meaning, it answers requests over HTTPS, port 443), Cloudflare prefers it because it’s more secure.

So your server probably has a default configuration, that if one tries to access a port without the site being configured on it, it shows this landing page you’re describing.

If I’m right, then I think the proper solution is to get your site working on HTTPS at the origin as well, and that means that for now you need to disable on Cloudflare’s side.

How to validate my guess? Well, you can disable Cloudflare altogether, by clicking the orange cloud in DNS tab, so traffic goes directly to your server. Then, over HTTP things should work as normal, and, if you try https://yoursite - you should experience the same thing you’ve described even though Cloudflare are now not in the loop. If that’s the case, it’s not a code issue, it’s a configuration issue in your host.

BUT… you can try something much simpler first to prove this. Under “Crypto” tab, if your “SSL” mode is not set to “Flexible”, you could try setting to “Flexible”, and see if that helps. Note that this means that you’re only fake-secure: the traffic between your users and Cloudflare will be secure, but from Cloudflare to your origin - it won’t be - and whomever is eavesdropping on the way, or stealing your traffic altogether by various means - will succeed in doing so.


closed #7

This topic was automatically closed after 30 days. New replies are no longer allowed.