I recently moved a domain to Cloudflare and to my delight I found that Cloudflare’s edge servers provide SSL, which automatically upgrades your http:// connection to https:// free of charge. Brilliant, I thought! Except it broke my website.
Read on to find out why, and how to fix it!
Cloudflare SSL is great
I was dead impressed when I was perusing the Cloudflare control panel and came across the “SSL/TLS” menu. The overview explains how SSL has been automatically applied in “Flexible” mode:
Enable encryption only between your visitors and Cloudflare. This avoids browser security warnings, but all connections between Cloudflare and your origin are made through HTTP.
So essentially without me having to do anything, my website is now SSL-enabled. OK it’s a secure connection between the visitor and Cloudflare, with the edge server and my origin server still communicating over plain http://, but it’s better than no encryption at all!
SSL broke my website!
OK, that may be a little dramatic. But in the first day or two after moving to Cloudflare, with SSL automatically enabled, I was browsing the website and noticed that some functionality was broken. Specifically, JavaScript functionality.
A quick look in Chrome’s dev console soon confirmed the problem. The website was loading external resources over http://. Well… it was trying to! It quickly dawned on me that there were a number of external resources that would no longer be loaded and that I would have to disable SSL.
So why not just update the website?
For “reasons”, it’s not been practical to install SSL for this website, nor is it practical to update it to pull in the external resources over https://.
Back to Cloudflare’s SSL settings
Back in the Cloudflare “SSL/TLS” control panel, there is an “Off (not secure)” option:
No encryption applied. Turning off SSL disables HTTPS and causes browsers to show a warning that your website is not secure.
Excellent, I thought. That’s just what I need. Turn SSL off and we’re back to having a functioning website, albeit over plain http:// again. So that’s what I did.
It’s still broken, only worse this time!
Now when I visit in Chrome I’m getting an ERR_TOO_MANY_REDIRECTS error and no website at all. At first I thought it might be a caching issue but it went on all day. Although strangely it was intermittent, sometimes the website would load and other times not. (And I never found out why!)
Hours of debugging
To cut a long and tedious story short, I tried all sorts attempting to figure this out. I cleared the edge server cache, I put the website into “Development Mode” via Cloudflare to bypass the cache, I tried incognito mode, but nothing worked. Sometimes the website would load, other times I got ERR_TOO_MANY_REDIRECTS.
I could see that in Chrome it was bouncing between requesting the http:// and https:// versions and timing out. Nothing was hitting the origin server, per the access logs. And if I used cURL then it loaded fine. I even used Google PageSpeed to load it and that was completely normal.
Googling the issue specifically for Cloudflare brought up plenty of results, but these were all where people had SSL configured for their sites and that was causing their issues. Mine was different… I specifically wanted a plain http:// non-SSL setup, and that was what resulted in ERR_TOO_MANY_REDIRECTS.
Disable ALL the SSL!
I finally hit upon the right Google query and found my answer! If you have a plain http:// non-SSL website with Cloudflare, not only do you need to set your SSL/TLS encryption mode to “Off”, you also have to disable Universal SSL.
Disabling Universal SSL removes any currently active Universal SSL certificates for your zone from the edge and prevents any future Universal SSL certificates from being ordered. If there are no dedicated certificates or custom certificates uploaded for the domain, visitors will be unable to access the domain over HTTPS.
That’s it! You need to set your SSL/TLS encryption mode to “Off” and turn off Universal SSL to have an operating http-only website under Cloudflare.
Why the need to disable Universal SSL?
Kudos to Cloudflare user “cbrandt” here for providing the answer.
When Universal SSL is enabled, Cloudflare will publish a DNS record of type 65, known as HTTPS RR (HTTPS Resource Record). Most web browsers, when they see an HTTPS RR, will redirect to https://. The only way to have Cloudflare stop publishing the HTTPS RR for a domain is by setting SSL/TLS to “Off” and disabling Universal SSL.
After following the two steps outlined above, my website is now functioning normally again.
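To see what a type 65 record actually tells the browser, for example when checking whether one is still being published after the two steps above, its RDATA can be decoded by hand. This is an added example, not code from the original post or from Cloudflare: a minimal parser for the HTTPS RR wire format defined in RFC 9460, where the function names and the sample bytes are constructed for illustration.

```python
import ipaddress

KEYS = {0: "mandatory", 1: "alpn", 2: "no-default-alpn", 3: "port",
        4: "ipv4hint", 5: "ech", 6: "ipv6hint"}  # SvcParamKeys from RFC 9460

def take(buf, pos, n):  # bounds-checked slice: (buf[pos:pos+n], pos+n)
    if pos + n > len(buf):
        raise ValueError("truncated RDATA")
    return buf[pos:pos + n], pos + n

def read_name(buf, pos):  # uncompressed DNS name, as SVCB/HTTPS RDATA requires
    labels = []
    while True:
        (n,), pos = take(buf, pos, 1)
        if n == 0:
            return ".".join(labels) + ".", pos  # "." alone = the owner name
        if n > 63:
            raise ValueError("compressed or oversized label")
        label, pos = take(buf, pos, n)
        labels.append(label.decode("ascii"))

def decode(key, val):
    if key == 1:  # alpn: protocol ids, each prefixed by a 1-byte length
        ids, pos = [], 0
        while pos < len(val):
            (n,), pos = take(val, pos, 1)
            proto, pos = take(val, pos, n)
            ids.append(proto.decode("ascii"))
        return ids
    if key in (4, 6):  # ipv4hint / ipv6hint: packed addresses
        size = 4 if key == 4 else 16
        return [str(ipaddress.ip_address(val[i:i + size])) for i in range(0, len(val), size)]
    return val.hex()  # anything else is left as hex

def parse_https_rdata(rdata):
    """Parse type 65 RDATA: SvcPriority, TargetName, then SvcParams."""
    prio, pos = take(rdata, 0, 2)
    target, pos = read_name(rdata, pos)
    params = {}
    while pos < len(rdata):
        hdr, pos = take(rdata, pos, 4)  # 2-byte key, 2-byte value length
        key, length = (int.from_bytes(hdr[i:i + 2], "big") for i in (0, 2))
        val, pos = take(rdata, pos, length)
        params[KEYS.get(key, f"key{key}")] = decode(key, val)
    return {"priority": int.from_bytes(prio, "big"), "target": target, "params": params}

# Constructed sample, not from a real zone: priority 1, target ".", alpn=h3,h2, ipv4hint=192.0.2.1
SAMPLE = bytes.fromhex("0001 00 0001 0006 026833026832 0004 0004 c0000201")
```

Record data printed in the generic `\# <length> <hex>` form (RFC 3597) can be fed in with `bytes.fromhex` once the `\#` and length fields are dropped. Priority 0 marks an alias-mode record, which carries a target name and no parameters.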