1

I have a website which uses CloudFlare flexible SSL hosted on HostGator.

I want to redirect all HTTP requests to corresponding HTTPS URL. No exceptions. I intend to put the rule at top with L, so when it’s handled all following rewrite rules should not be tested.

My current code is this:

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R,L]

But that results in endless redirects to the HTTPS version. Here is FireFox Live HTTP Headers:

https://example.net/

GET / HTTP/1.1
Host: example.net
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:51.0) Gecko/20100101 Firefox/51.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: da,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
DNT: 1
Connection: keep-alive
Upgrade-Insecure-Requests: 1

HTTP/2.0 301 Moved Permanently
Date: Wed, 15 Feb 2017 15:20:35 GMT
Content-Type: text/html; charset=iso-8859-1
Set-Cookie: __cfduid=d07edac1644bccce1642d2c845767f9951487172035; expires=Thu, 15-Feb-18 15:20:35 GMT; path=/; domain=.example.net; HttpOnly
Location: https://example.net/
Server: cloudflare-nginx
cf-ray: 3319bea4dd2f3cfb-CPH
X-Firefox-Spdy: h2


http://ocsp.digicert.com/

POST / HTTP/1.1
Host: ocsp.digicert.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:51.0) Gecko/20100101 Firefox/51.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: da,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Length: 83
Content-Type: application/ocsp-request
DNT: 1
Connection: keep-alive

HTTP/1.1 200 OK
Accept-Ranges: bytes
Cache-Control: public, max-age=172800
Content-Type: application/ocsp-response
Date: Wed, 15 Feb 2017 15:20:35 GMT
Etag: "58a44f61-1d7"
Expires: Wed, 22 Feb 2017 03:20:35 GMT
Last-Modified: Wed, 15 Feb 2017 12:53:53 GMT
Server: ECS (arn/459D)
X-Cache: HIT
Content-Length: 471


https://example.net/

GET / HTTP/1.1
Host: example.net
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:51.0) Gecko/20100101 Firefox/51.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: da,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Cookie: __cfduid=d07edac1644bccce1642d2c845767f9951487172035
DNT: 1
Connection: keep-alive
Upgrade-Insecure-Requests: 1

HTTP/2.0 301 Moved Permanently
Date: Wed, 15 Feb 2017 15:20:35 GMT
Content-Type: text/html; charset=iso-8859-1
Location: https://example.net/
Server: cloudflare-nginx
cf-ray: 3319bea7ddfb3cfb-CPH
X-Firefox-Spdy: h2


https://example.net/

GET / HTTP/1.1
Host: example.net
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:51.0) Gecko/20100101 Firefox/51.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: da,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Cookie: __cfduid=d07edac1644bccce1642d2c845767f9951487172035
DNT: 1
Connection: keep-alive
Upgrade-Insecure-Requests: 1

HTTP/2.0 301 Moved Permanently
Date: Wed, 15 Feb 2017 15:20:36 GMT
Content-Type: text/html; charset=iso-8859-1
Location: https://example.net/
Server: cloudflare-nginx
cf-ray: 3319beaaae7e3cfb-CPH
X-Firefox-Spdy: h2

I have seen other similar questions, but most suggested solutions are a variation of what I currently use, and I have tried them (but do please feel free to recommend whatever worked for you, and I will try it).

2 Answers

3

Cloudflare Flexible SSL: secure connection between your visitor and CloudFlare, but no secure connection between CloudFlare and your web server. You don't need to have an SSL certificate on your web server, but your visitors still see the site as being HTTPS enabled. Source

Because you redirect to HTTPS from your server, rather than with a Cloudflare page rule, even HTTPS requests by the client will still always trigger the redirect rule.

1. Client ---> HTTP ----> Cloudflare CDN ----> HTTP ----> Your server
      | <------- Response: Redirect to HTTPS <-
2. Client ---> HTTPS ----> Cloudflare CDN ----> HTTP ----> Your server
      | <------- Response: Redirect to HTTPS <-
3. Client ---> HTTPS ----> Cloudflare CDN ----> HTTP ----> Your server
      | <------- Response: Redirect to HTTPS <-

Cloudflare doesn't talk HTTPS to your webserver and that creates an Infinite Redirect loop.

To resolve that you'll need to remove the redirect from your .htaccess file and set up a Cloudflare page rule instead.

1
  • Thank you for your explanation. I will try to look in my CloudFlare settings to see what I can do there. Commented Feb 15, 2017 at 16:43
2
RewriteEngine On
RewriteCond %{HTTP:X-Forwarded-Proto} !https
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301,NE]

Partially taken from: https://stackoverflow.com/a/26623196/2774776

2
  • 1
    Although this Cloudflare KB article suggests that it will be more efficient to set up a CF page rule. Commented Feb 15, 2017 at 18:38
  • 1
    Cloudflare is surely the right way to do it, but there's a reason we can have more than one answer :) and the question was specific to .htaccess Commented Feb 15, 2017 at 18:40
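
A small model of the loop explained in the first answer and of why the rule in the second answer terminates, added here as an illustration (not code from either answer). It assumes the edge always connects to the origin over plain HTTP and passes the client's scheme in X-Forwarded-Proto; the function names are made up for this sketch.

```python
from urllib.parse import urlsplit

MAX_HOPS = 10  # stand-in for a browser's redirect limit (assumed value)


def origin_https_off_rule(conn_scheme, headers, host, path):
    """Question's rule: RewriteCond %{HTTPS} off (tests the origin's own socket)."""
    if conn_scheme != "https":
        return 301, f"https://{host}{path}"
    return 200, None


def origin_xfp_rule(conn_scheme, headers, host, path):
    """Second answer's rule: RewriteCond %{HTTP:X-Forwarded-Proto} !https."""
    # "!https" is a negated regex match: redirect unless the header contains "https".
    if "https" not in headers.get("X-Forwarded-Proto", ""):
        return 301, f"https://{host}{path}"
    return 200, None


def flexible_ssl_edge(client_url, origin_rule):
    """Modelled edge: terminates the client's TLS, then talks plain HTTP to the origin."""
    u = urlsplit(client_url)
    headers = {"X-Forwarded-Proto": u.scheme}  # assumption: edge reports client scheme
    return origin_rule("http", headers, u.netloc, u.path or "/")


def follow(start_url, origin_rule):
    """Follow redirects like a browser; return (final status, URLs requested)."""
    url, trail = start_url, []
    for _ in range(MAX_HOPS):
        trail.append(url)
        status, location = flexible_ssl_edge(url, origin_rule)
        if status != 301:
            return status, trail
        url = location
    return "redirect loop", trail


if __name__ == "__main__":
    for rule in (origin_https_off_rule, origin_xfp_rule):
        status, trail = follow("http://example.net/", rule)
        print(f"{rule.__name__}: {status} after {len(trail)} request(s)")
```

The second rule trusts a request header, so it holds only while the origin accepts traffic from the proxy alone: a client that reaches the origin directly can send X-Forwarded-Proto: https itself and is never redirected.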
