Why doesn't Java detect HTTPS on my Cloudflare URL?

dash-crypto
#1

I’m trying to set up a redirect on some of my websites from http to https.

I’m doing this programmatically in Java, because I have a number of websites running in the same servlet container/web app, and only some of them are hooked up to Cloudflare, so only some of them can use https.

The coding seems quite simple:

String requestURLLower = req.getRequestURL().toString().toLowerCase();

if ( isCloudflareSite && requestURLLower.startsWith("http:")) {

    StringBuilder requestURL = new StringBuilder(requestURLLower);
    System.out.println("Got requrl lower " + requestURLLower + " scheme " + 
    req.getScheme() + " is secure " + req.isSecure());

    String queryString = req.getQueryString();
    if (queryString != null) {
        requestURL.append('?').append(queryString);
    }

    String link = Strings.replace(requestURL.toString(), "http:", "https:");

    System.out.println("RURLLOWEr redirecting to " + link + " from " + 
    requestURL);

    res.setStatus(301);
    res.setHeader( "Location", link);
    return;
}

When I run this code, the browser redirects too many times and gives an error.

The initial url I put in the browser was https itself: https://www.xxx.com.au/xxx?page=hello

The output from the program after entering that exact url in my browser is this:

Got requrl lower http://www.xxx.com.au/xxx scheme http is secure false
RURLLOWEr redirecting to https://www.xxx.com.au/xxx?page=hello from 
http://www.xxx.com.au/xxx?page=hello

And this output was repeated about 20 times from the one page load.

Am I missing something really obvious here, or is Java not detecting the protocol?

The only thing I can think of is that it is related to the https being provided by Cloudflare.

#2

Your SSL status is most likely Flexible, which makes Cloudflare connect via HTTP. That is pretty insecure and you should definitely switch to one of the two Fulls (preferably strict), but this will also require you to configure a certificate on your servlet container (assuming there is no other server in front of it).

Also, you might rather want to use req.isSecure().

#3

Hi Sandro,

Thanks so much for your help.

As you can see from the code and output above, isSecure() also returns false. Did you expect it to return true?

I will have to research what you are saying about SSL as I don’t know about it… will do that now!

thanks

#4

Hi Sandro,

It was indeed set to flexible.

But on that page, I found something that I was trying to do myself.

"Always Use HTTPS

Redirect all requests with scheme “http” to “https”. This applies to all http requests to the zone."

That’s exactly what I want, so I’ve changed the setting to always use https.

I’m a bit confused though by your comment “which makes Cloudflare connect via http”. Maybe you mean Cloudflare is connecting to Sportspunter.com through http, but the user is connecting to cloudflare through https. Is that the way it works?

How will Google see my website with the “flexible” and “always use https” settings in Cloudflare - as using https, or not?

thanks again!

#5

Yes, this is correct.

Visitors will still see your site with :ssl:, as will Google, however it is only partially secure and therefore not recommended. You can read more at:

#6

thanks so much guys, it all makes sense now!

regards
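
An added example, not part of the thread and not code from any poster: one way to base the redirect on the scheme the visitor used rather than on the proxy-to-origin connection discussed in #2 and #5. It assumes the proxy sets the X-Forwarded-Proto header (Cloudflare does); the class and method names, the lower-cased header map and the TRUSTED_PROXIES addresses are hypothetical placeholders.

```java
import java.util.Map;
import java.util.Set;

public class ForwardedSchemeCheck {
    // Placeholder proxy addresses (RFC 5737 documentation range), constructed for
    // this example; a deployment would hold the proxy's published ranges here.
    static final Set<String> TRUSTED_PROXIES = Set.of("203.0.113.10", "203.0.113.11");

    /** Scheme the visitor used. The header counts only when the TCP peer is a trusted proxy. */
    static String visitorScheme(String remoteAddr, String connectionScheme, Map<String, String> headers) {
        String forwarded = headers.get("x-forwarded-proto"); // map keys assumed lower-cased
        if (forwarded != null && TRUSTED_PROXIES.contains(remoteAddr)) {
            // A proxy chain may yield "https, http"; the first entry is the client-facing hop.
            String first = forwarded.split(",")[0].trim().toLowerCase();
            if (first.equals("https") || first.equals("http")) {
                return first;
            }
        }
        return connectionScheme; // direct or untrusted peer: believe only the socket
    }

    /** Returns the https Location to redirect to, or null when the visitor is already on https. */
    static String httpsRedirect(String remoteAddr, String connectionScheme, Map<String, String> headers,
                                String host, String uri, String query) {
        if (visitorScheme(remoteAddr, connectionScheme, headers).equals("https")) {
            return null; // no redirect, so no loop when the proxy connects over http
        }
        // Path and query are copied unchanged (not lower-cased).
        return "https://" + host + uri + (query == null ? "" : "?" + query);
    }

    public static void main(String[] args) {
        // Constructed requests; host and path mirror the redacted URL in the question.
        String host = "www.xxx.com.au", uri = "/xxx", q = "page=hello";
        // 1. Visitor on https, proxy to origin on http (the Flexible case from the thread).
        System.out.println(httpsRedirect("203.0.113.10", "http", Map.of("x-forwarded-proto", "https"), host, uri, q));
        // 2. Visitor on http through the proxy: a redirect is due.
        System.out.println(httpsRedirect("203.0.113.10", "http", Map.of("x-forwarded-proto", "http"), host, uri, q));
        // 3. Direct client sending the header itself: the header is ignored.
        System.out.println(httpsRedirect("198.51.100.7", "http", Map.of("x-forwarded-proto", "https"), host, uri, q));
    }
}
```

In a servlet the arguments would come from req.getRemoteAddr(), req.getScheme(), req.getHeader("X-Forwarded-Proto"), req.getServerName(), req.getRequestURI() and req.getQueryString().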
