Why are the "location" entries in the HTTP headers not rewritten when "Automatic HTTPS Rewrites" is active?


Why are the “location” entries in the HTTP headers not rewritten when “Automatic HTTPS Rewrites” is active? The problem with those not being rewritten is that, if “Always use HTTPS” is in use and the user enters the site through an https link but gets redirected to an http location, they will, after having arrived at the http location, be redirected once again, this time to the desired https location. If “location” entries were rewritten by default by Cloudflare, this wouldn’t happen and only one redirection would take place.

Is there any good reason for it to be this way? If not, can this be fixed?


Are you using Cloudflare’s SSL flexible mode?


Yes, I am. But, just to be clear, I’m not facing this problem, but rather the opposite, as the origin redirects to http, not https, this being the reason I would like Cloudflare to rewrite the “location” entry to https.


The underlying issue is that your server is seeing an http:// connection, not an https:// connection, so this is ultimately correct. Cloudflare does send a signal to the web server indicating whether the client sees http:// or https://, allowing your server to act accordingly.

Cloudflare also appends an X-Forwarded-Proto header, which can either be http or https depending on the protocol the user used to visit the site, like this:

“X-Forwarded-Proto: https”

NOTE: This header is really only relevant when the Flexible SSL setting is used. When Flexible SSL is set and a visitor requests to Cloudflare over HTTPS - Cloudflare requests to the origin over HTTP. In that scenario the origin server can tell that the visitor was using HTTPS by inspecting this header.


Yes, I do know that the connection between Cloudflare and the server is done through http, but this is not my point. What I’m really curious about is why Cloudflare doesn’t rewrite the location entry. Why doesn’t “Automatic HTTPS Rewrites” take place in this case?


“Location” is assembled by your server, which knows the protocol, hostname, path, etc. Because the final connection comes in using HTTP, this is what everything on your server will see.

Automatic HTTPS Rewrites is different: it rewrites the body of your response so that assets you reference which are http:// but could be https:// will be rewritten to https:// – Sites on the HSTS preload list are a good example.

This won’t impact how your server sees the incoming request, only the content the browser receives. You need to use Cloudflare’s protocol header to determine what protocol was visible from Cloudflare’s side.
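An origin-side sketch of the advice above, added here as an example and not code from the thread or from Cloudflare: a WSGI middleware that reads X-Forwarded-Proto and upgrades same-host `Location` headers. It honours the header only from trusted proxy addresses, since a client connecting directly to the origin could send it too. The names, the `192.0.2.0/24` range and the `example.com` host are constructed placeholders.

```python
import ipaddress
from urllib.parse import urlsplit, urlunsplit

# Constructed placeholder (TEST-NET-1); replace with the proxy ranges you actually trust.
TRUSTED_PROXIES = [ipaddress.ip_network("192.0.2.0/24")]

def client_scheme(environ, trusted=TRUSTED_PROXIES):
    """Scheme the visitor used; X-Forwarded-Proto is honoured only from trusted peers."""
    scheme = environ.get("wsgi.url_scheme", "http")
    try:
        peer = ipaddress.ip_address(environ.get("REMOTE_ADDR", ""))
    except ValueError:
        return scheme
    if not any(peer in net for net in trusted):
        return scheme  # a direct client could spoof the header, so ignore it
    proto = environ.get("HTTP_X_FORWARDED_PROTO", "").split(",")[0].strip().lower()
    return proto if proto in ("http", "https") else scheme

def upgrade_location(value, host):
    """Rewrite http://<host>/... to https://; other hosts and relative URLs are untouched."""
    parts = urlsplit(value)
    if parts.scheme == "http" and parts.netloc.lower() == host.lower():
        return urlunsplit(parts._replace(scheme="https"))
    return value

class ForwardedProtoMiddleware:
    def __init__(self, app, trusted=TRUSTED_PROXIES):
        self.app, self.trusted = app, trusted

    def __call__(self, environ, start_response):
        scheme = client_scheme(environ, self.trusted)
        environ["wsgi.url_scheme"] = scheme  # lets the app build correct absolute URLs
        host = environ.get("HTTP_HOST", "")

        def fixed_start(status, headers, exc_info=None):
            if scheme == "https" and host:
                headers = [(k, upgrade_location(v, host) if k.lower() == "location" else v)
                           for k, v in headers]
            return start_response(status, headers, exc_info)
        return self.app(environ, fixed_start)

def legacy_app(environ, start_response):
    # Constructed app that hard-codes an http:// redirect, as in the question.
    start_response("302 Found", [("Location", "http://example.com/login")])
    return [b""]

def run_demo(remote_addr, forwarded_proto):
    """Return the Location header the visitor would receive for a constructed request."""
    environ = {"REMOTE_ADDR": remote_addr, "HTTP_HOST": "example.com",
               "wsgi.url_scheme": "http", "HTTP_X_FORWARDED_PROTO": forwarded_proto}
    captured = {}
    ForwardedProtoMiddleware(legacy_app)(environ, lambda s, h, e=None: captured.update(h))
    return captured["Location"]
```

With this in place the redirect already points at https when the visitor arrived over HTTPS, so the second redirect described in the question does not occur.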
