2.9 KiB
+++ title = "My Path Down The Road of Cloudflare's Redirect Loop" author = ["Elia el Lazkani"] date = 2020-01-27T21:00:00+01:00 lastmod = 2021-06-28T00:01:07+02:00 tags = ["cloudflare", "cdn"] categories = ["misc"] draft = false +++
I have used Cloudflare as my DNS manager for years, specifically because it offers API that works with certbot. This setup has worked very well for me so far. The only thing that kept bothering me is that every time I turn on the CDN capability on my Cloudflare , I get a loor error. That's weird.
Setup
Let's talk about my setup for a little bit. I use certbot to generate and maintain my fleet of certificates. I use Nginx as a web-server.
Let's say I want to host a static content off of my server. My nginx configuration would look something like the following.
server {
listen 443 ssl;
server_name server.example.com;
ssl_certificate /path/to/the/fullchain.pem;
ssl_certificate_key /path/to/the/privkey.pem;
root /path/to/data/root/;
index index.html;
location / {
try_files $uri $uri/ =404;
}
}
This is a static site, of course. Now you may ask about non-SSL. Well, I don't do non-SSL. In other words, I have something like this in my config.
server {
listen 80;
server_name _;
location / {
return 301 https://$host$request_uri;
}
}
So, all http traffic gets redirected to https.
Problem
Considering the regular setup above, once I enable the "proxy" feature of Cloudflare I get the following error.
That baffled me for a bit. There is no reason for this to happen. I decided to dig deeper.
Solution
As I was digging through the Cloudflare configuration, I stumbled upon this page.
{{< figure src="/ox-hugo/flexible-encryption.png" caption="Figure 2: Flexible Encryption" target="_blank" link="/ox-hugo/flexible-encryption.png" >}}
This is interesting. It says that the connection is encrypted between the broswer and Cloudflare. Does that mean that between Cloudflare and my server, the connection is unencrypted ?
If that's the case, it means that the request coming from Cloudflare to my server is coming on http. If it is coming on http, it is getting redirected to https which goes back to Cloudflare and so on.
THIS IS IT ! I FOUND MY ANSWER...
Alright, let's move this to what they call "Full Encryption", which calls my server on https as it should.
{{< figure src="/ox-hugo/full-encryption.png" caption="Figure 3: Full Encryption" target="_blank" link="/ox-hugo/full-encryption.png" >}}
After this change, all the errors cleared up and got my blog up and running again.