08

NOV

Forcing HTTPS Redirection and Cloud are’s Flexible SSL

POSTED BY GOMAH / SERVER TIPS

A couple of weeks ago, CloudFlare launched Universal SSL, making SSL encryption
available to everyone. 2 million sites have already signed up for the service.

It’s very easy to setup a Flexible SSL. It only takes only 48hours to be active.

But if you force http to https redirection on your website with the following normal
methods, a loop redirection occurs.

NORMAL HTTPS REDIRECTION VIA .HTACCESS

RewriteEngine On RewriteCond %{HTTPS} !=on RewriteRule .* https://%

{SERVER_NAME}%{REQUEST_URI} [R=301,L]

NORMAL HTTPS REDIRECTION VIA PHP

if($_SERVER["HTTPS"] != "on") { header("Location: https://" .

$_SERVER["HTTP_HOST"] . $_SERVER["REQUEST_URI"]); exit(); }
UNDERSTANDING THE PROBLEM

SSL between the visitor and CloudFlare — visitor sees HTTPS on your site, but no SSL
between CloudFlare and your web server. You don’t need to have an SSL cert on your
web server, but your visitors will still see the site as being HTTPS enabled.

There is an encrypted connection between your site visitors and CloudFlare, but not
from CloudFlare to your server.

The HTTPS condition from the htaccess or PHP will always return as o , as server is still
using the http protocol.

Hopefully, there are some alternative methods to force the https redirects :-)

FLEXIBLE SSL HTTPS REDIRECTION VIA .HTACCESS (FOR APACHE)

RewriteEngine On RewriteCond %{HTTP:X-Forwarded-Proto} !https RewriteRule .*

https://%{SERVER_NAME}%{REQUEST_URI} [R=301,L]

Edit: Feb 4th, 2015

HERE’S THE SOLUTION (FOR APACHE ONLY) FROM THE CLOUDFLARE’S BLOG.

To redirect a user from HTTP to HTTPS, you can use the following:
 RewriteCond %{HTTP:CF-Visitor} '"scheme":"http"' RewriteRule ^(.*)$
https://www.domain.com/$1 [L]

Similarly, to require all tra c go over HTTPS on CloudFlare, you can use the
following:

RewriteCond %{HTTP:CF-Visitor} !'"scheme":"http"' RewriteRule ^(.*)$

https://www.domain.com/$1 [L]

FLEXIBLE SSL HTTPS REDIRECTION FOR NGINX

location / { if ($http_x_forwarded_proto != "https") { rewrite ^(.*)$

https://$server_name$1 permanent; }

FLEXIBLE SSL HTTPS REDIRECTION VIA PHP

if ( isset( $_SERVER['HTTP_CF_VISITOR'] ) && strpos(

$_SERVER['HTTP_CF_VISITOR'], 'https' ) !== false ) { $_SERVER['HTTPS'] =
'on'; }

OR

if($_SERVER['HTTP_X_FORWARDED_PROTO'] != "https") { header("Location:

https://" . $_SERVER["HTTP_HOST"] . $_SERVER["REQUEST_URI"]); exit(); }

You can also use the Cloud are Pagerules to force the https protocol.

For WordPress, there is a working plugin available called “Cloud are Flexible SSL”, I also
use “SSL Insecure Content Fixer” to load “unsafe scripts” in the admin section.

Cloud are Flexible SSL Force HTTPS Universal SSL

← Previous Next →

COMMENTS ( 4 )
COMMENTS ( 4 )

Stephane
says:
8 November 2014 at 6 h 00 min
Very good article man, glad you’re ying back to Sydney!!

Reply

Bersh
says:
14 November 2014 at 7 h 44 min
I added this to my php code as well:

if(isset($_SERVER['HTTP_X_FORWARDED_PROTO']) &&
$_SERVER['HTTP_X_FORWARDED_PROTO'] == 'https'){     $_SERVER['HTTPS']='on'; 
}

Reply

Bersh
says:
14 November 2014 at 7 h 50 min
By the way Thomas, take a look at this : https://support.cloud are.com/hc/en-
us/articles/200170536-How-do-I-redirect-HTTPS-tra c-with-Flexible-SSL-and-
Apache- :)

Reply

Gomah
says:
4 February 2015 at 12 h 11 min
True, but I don’t use headers on my apache con guration when I need to use
apache!

Reply

LEAVE A COMMENT
 Your email address will not be published. Required elds are marked *

Name *

Email *

Website

Your comment here..

POST COMMENT

Search..

CATEGORIES

Development (2)

Server Tips (2)

Web (1)

📞
+61 432 604 033
 ✉
web@gomah.fr


23 Darlinghurst Rd, Potts Point NSW 2011

  

©2006-2015 THOMAS MARREC, ALL RIGHTS RESERVED.