+++
title = "My Path Down The Road of Cloudflare's Redirect Loop"
author = ["Elia el Lazkani"]
date = 2020-01-27
lastmod = 2020-01-27
tags = ["cloudflare", "cdn"]
categories = ["misc"]
draft = false
+++

I have used **Cloudflare** as my _DNS manager_ for years, specifically because it offers an **API** that works with **certbot**.
This setup has worked very well for me so far.
The only thing that kept bothering me is that every time I turn on the _CDN_ capability on my **Cloudflare**, I get a loop error.
That's weird.

<!--more-->


## Setup {#setup}

Let's talk about my setup for a little bit.
I use **certbot** to generate and maintain my fleet of certificates.
I use **Nginx** as a web-server.

Let's say I want to host static content from my server.
My **nginx** configuration would look something like the following.

```text
server {
    listen 443 ssl;
    server_name server.example.com;

    ssl_certificate /path/to/the/fullchain.pem;
    ssl_certificate_key /path/to/the/privkey.pem;

    root /path/to/data/root/;
    index index.html;

    location / {
        try_files $uri $uri/ =404;
    }
}
```

This is a static site, of course.
Now you may ask about _non-SSL_.
Well, I don't do _non-SSL_.
In other words, I have something like this in my config.

```text
server {
    listen 80;
    server_name _;

    location / {
        return 301 https://$host$request_uri;
    }
}
```

So, all _http_ traffic gets redirected to _https_.


## Problem {#problem}

Considering the regular setup above, once I enable the "proxy" feature of **Cloudflare** I get the following error.

[<img src="/ox-hugo/too-many-redirects.png" alt="too-many-redirects.png" />](/ox-hugo/too-many-redirects.png)

That baffled me for a bit.
There is no reason for this to happen.
I decided to dig deeper.


## Solution {#solution}

As I was digging through the **Cloudflare** configuration, I stumbled upon this page.

{{< figure src="/ox-hugo/flexible-encryption.png" caption="Figure 2: Flexible Encryption" target="_blank" link="/ox-hugo/flexible-encryption.png" >}}

This is interesting.
It says that the connection is encrypted between the browser and **Cloudflare**.
Does that mean that between **Cloudflare** and my server, the connection is unencrypted?

If that's the case, it means that the request coming from **Cloudflare** to my server is coming on _http_.
If it is coming on _http_, it is getting redirected to _https_ which goes back to **Cloudflare** and so on.

```text
THIS IS IT ! I FOUND MY ANSWER...
```

Alright, let's move this to what they call "Full Encryption", which calls my server on _https_ as it should.

{{< figure src="/ox-hugo/full-encryption.png" caption="Figure 3: Full Encryption" target="_blank" link="/ox-hugo/full-encryption.png" >}}

After this change, all the errors cleared up and I got my blog up and running again.
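
The loop and its fix, modelled offline as an added example (not code from the original post): `origin` mirrors the two nginx server blocks above, and following the redirects shows why the "flexible" setting never reaches the content while "full" does. The names `edge`, `browse` and `MAX_HOPS`, and the rule that "full" reuses the visitor's scheme for the edge-to-origin hop, are assumptions of this model, not Cloudflare's code.

```python
from urllib.parse import urlsplit

MAX_HOPS = 20  # constructed cap; browsers also stop after a bounded number of redirects


def origin(scheme, host, uri):
    """The origin from this page: port 80 only redirects, port 443 serves files."""
    if scheme == "http":
        return 301, f"https://{host}{uri}"  # return 301 https://$host$request_uri;
    return 200, None


def edge(url, ssl_mode):
    """Simplified CDN edge (assumption): choose the scheme of the edge-to-origin hop."""
    parts = urlsplit(url)
    uri = (parts.path or "/") + (f"?{parts.query}" if parts.query else "")
    if ssl_mode == "flexible":
        upstream = "http"        # edge-to-origin hop is plaintext, whatever the visitor used
    elif ssl_mode == "full":
        upstream = parts.scheme  # assumed: the hop reuses the visitor's scheme
    else:
        raise ValueError(f"unknown ssl_mode: {ssl_mode!r}")
    return origin(upstream, parts.hostname, uri)


def browse(url, ssl_mode):
    """Follow redirects as a browser would; return (outcome, list of URLs requested)."""
    seen, hops = set(), []
    for _ in range(MAX_HOPS):
        hops.append(url)
        seen.add(url)
        status, location = edge(url, ssl_mode)
        if status == 200:
            return "ok", hops
        if location in seen:  # redirected to a URL already requested
            return "redirect-loop", hops
        url = location
    return "too-many-redirects", hops


if __name__ == "__main__":
    for mode in ("flexible", "full"):
        for start in ("http://server.example.com/", "https://server.example.com/"):
            outcome, hops = browse(start, mode)
            print(f"{mode:8} {start:28} -> {outcome} after {len(hops)} request(s)")
```

In the flexible case the origin only ever sees plaintext requests on port 80, so the same model also shows that the edge-to-origin hop carries the traffic unencrypted.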