Fixing Redirect Loop on Cloudflare SSL

For those who are using a Cloudflare Flexible SSL + RunCloud + WordPress, you will be frustrated to see your site is caught in a redirect loop. Let’s see what is happening under the hood.

Terminology

When you are using Flexible SSL, Cloudflare will request your site without HTTPS and expect HTTP. You can find more information here, Cloudflare Help Page.

If you are using the Nginx + Apache2 hybrid stack, we see the request as HTTP and forward it to Apache, before communicating with WordPress.

Same goes with the Nginx stack, we receive the request as HTTP and begin communicating directly with WordPress.
WordPress will receive the request as HTTP and begin to serve the site using that protocol. Because of this, you will get the mixed content warnings for your WordPress sites. Now, you change the WordPress Address and Site Address to https://yoursite.com to fix this problem, and bam! Redirect loop from hell.

Ok, so what is happening?

When you change the WordPress and site address to HTTPS, it will only serve the site if you are requesting with HTTPS, if not, it will redirect you to HTTPS URL. Remember the terminology earlier? Flexible SSL only requests your site using HTTP… so when Cloudflare requests your site without HTTPS, WordPress will redirect you back to HTTPS site, then Cloudflare will request it again with HTTP, and WordPress will redirect it again and so on and so forth. After a few redirections, you will get the redirect loop error.

How to fix the issue?

There are many ways to fix the issue. But there are three well known solutions that will work.

Using Cloudflare Page Rule

Cloudflare comes with Page Rule settings. Personally, I don’t like this solution because it seems like a dirty hack to me.
Inside the Page Rule panel, create a forwarding rule to tell Cloudflare to forward HTTP requests to HTTPS.

For example, if your WordPress address is https://blog.runcloud.io, Create a rule for https://blog.runcloud.io/* and use the Forwarding URL setting with 301 redirect. And inside the setting use https://blog.runcloud.io/$1.

If you are using this method, you don’t have to change the WordPress Address and Site Address to http://.

Using Let’s Encrypt with Full or Full (Strict) SSL Setting

There are two ways to deploy Let’s Encrypt with RunCloud. You can either use HTTP-01 method or DNS-01 method.
If you are using HTTP-01 method, you must use the Full SSL Setting inside Cloudflare. You have to use Full because after three months, Let’s Encrypt will no longer be able to verify your site since Cloudflare will forward Let’s Encrypt authorization to HTTPS. Let’s Encrypt only authorizes on TCP Port 80. You can also use Cloudflare Page rules if you want to use Full (Strict), but that will not be discussed here.

If you are using DNS-01 method, you may use Full or Full (Strict) SSL setting, but Full (Strict) is better.

Using Cloudflare Origin Certificate

This is my favourite way to integrate Cloudflare SSL with Web Applications and maybe the best solution.
Inside Cloudflare Crypto Page, create a new Origin Certificate for your domain.

Be careful when using this method since the Private Key will no longer be shown inside Cloudflare after you close the popup.

Once you have done that, you will get the SSL certificate and private RSA key. What you have to do with it is, install it inside RunCloud SSL tab.

Now you can change the Cloudflare SSL Setting to either Full or Full (Strict) without any problems whatsoever.

Categories: Security, Tips & Tricks, Tutorials

Share this article