Letsencrypt Cloudflare cloudflare http to https redirecting issue

emre22 · Jan 22, 2017

Hello,

I am using cloudflare as dns, ssl = off, all kind of records are set up and working fine with non-ssl

http://fs5.directupload.net/images/170122/4wnmqzpx.jpg

I wanted to switch over to ssl, because I received a mail from google regarding this.

I followed exactly this tutorial, I am using cmm beta, but when I try to reach my site with https://....net I am directly redirected to the non ssl site.

eva2000 · Jan 22, 2017

When you create a new nginx vhost domain via centmin.sh menu option 2 or menu option 22 or via /usr/bin/nv cli command line, you will create the Nginx vhost files and directories. You will get an outputted the path location where it will create the domain name's vhost conf file named newdomain.com.conf (and newdomain.com.ssl.conf if you selected yes to self signed SSL)

Nginx vhost conf path will be at /usr/local/nginx/conf/conf.d/newdomain.com.conf

Nginx HTTP/2 SSL vhost conf path will be at /usr/local/nginx/conf/conf.d/newdomain.com.ssl.conf

Nginx Self-Signed SSL Certificate Directory at /usr/local/nginx/conf/ssl/newdomain.com

Vhost public web root will be at /home/nginx/domains/newdomain.com/public

Vhost log directory will be at /home/nginx/domains/newdomain.com/log

Please post the contents of /usr/local/nginx/conf/conf.d/newdomain.com.conf and if applicable /usr/local/nginx/conf/conf.d/newdomain.com.ssl.conf wrapped in CODE tags (outlined at How to use forum BBCODE code tags)

Also what is output of these commands in ssh
Code (Text):
curl -I https://domain.com
Code (Text):
curl -I https://www.domain.com
Code (Text):
curl -I http://domain.com
Code (Text):
curl -I http://www.domain.com
wrap output in CODE tags

emre22 · Jan 22, 2017

Hey Eva,

I did not create the domain new, I wanted to switch for an existing non-ssl domain to letsencrypt

eva2000 · Jan 22, 2017

still need the existing domain's vhost contents to double check

emre22 · Jan 22, 2017

Code:

[root@cmm-beta ~]# curl -I https://domain.net/
HTTP/1.1 301 Moved Permanently
Date: Sun, 22 Jan 2017 13:31:15 GMT
Connection: keep-alive
Set-Cookie: __cfduid=d17d0fa31f2ff18a408aaf13439b684991485091875; expires=Mon, 22-Jan-18 13:31:15 GMT; path=/; domain=.domain.net; HttpOnly
Location: http://domain.net/
Server: cloudflare-nginx
CF-RAY: 32535d7bda672bee-AMS

Code:

[root@cmm-beta ~]# curl -I https://www.domain.net/
HTTP/1.1 301 Moved Permanently
Date: Sun, 22 Jan 2017 13:34:13 GMT
Connection: keep-alive
Set-Cookie: __cfduid=d831c5434e9a71252aa4357c42b51aeac1485092053; expires=Mon, 22-Jan-18 13:34:13 GMT; path=/; domain=.domain.net; HttpOnly
Location: http://www.domain.net/
Server: cloudflare-nginx
CF-RAY: 325361d6590c2bd0-AMS

Code:

[root@cmm-beta ~]# curl -I http://domain.net/
HTTP/1.1 200 OK
Date: Sun, 22 Jan 2017 13:32:36 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Set-Cookie: __cfduid=d04097d0d5202ca370476c84aab4ec5e31485091956; expires=Mon, 22-Jan-18 13:32:36 GMT; path=/; domain=.domain.net; HttpOnly
Vary: Accept-Encoding
X-Powered-By: centminmod
X-Page-Speed: 1.12.34.2-0
Cache-Control: max-age=0, no-cache
Server: cloudflare-nginx
CF-RAY: 32535f7707862ba6-AMS

Code:

[root@cmm-beta ~]# curl -I http://www.domain.net/
HTTP/1.1 301 Moved Permanently
Date: Sun, 22 Jan 2017 13:33:10 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Set-Cookie: __cfduid=d605e78cd1847a9de2313ce889c3f1d0f1485091990; expires=Mon, 22-Jan-18 13:33:10 GMT; path=/; domain=.domain.net; HttpOnly
Location: http://domain.net/
X-Powered-By: centminmod
X-Page-Speed: 1.12.34.2-0
Cache-Control: max-age=0, no-cache
Server: cloudflare-nginx
CF-RAY: 3253604aa40c2c42-AMS

emre22 · Jan 22, 2017

Code:

# Centmin Mod Getting Started Guide
# must read http://centminmod.com/getstarted.html

# redirect from non-www to www
# uncomment, save file and restart Nginx to enable
# if unsure use return 302 before using return 301
#server {
#            listen   80;
#            server_name existing-domain-conf.net www.existing-domain-conf.net;
#            return 301 $scheme://www.existing-domain-conf.net$request_uri;
#       }

server {
 
  server_name existing-domain-conf.net www.existing-domain-conf.net;

# ngx_pagespeed & ngx_pagespeed handler
include /usr/local/nginx/conf/pagespeed.conf;
include /usr/local/nginx/conf/pagespeedhandler.conf;
include /usr/local/nginx/conf/pagespeedstatslog.conf;

  #add_header X-Frame-Options SAMEORIGIN;
  #add_header X-Xss-Protection "1; mode=block" always;
  #add_header X-Content-Type-Options "nosniff" always;

  # limit_conn limit_per_ip 16;
  # ssi  on;

  access_log /home/nginx/domains/existing-domain-conf.net/log/access.log main_ext buffer=256k flush=60m;
  error_log /home/nginx/domains/existing-domain-conf.net/log/error.log;

  include /usr/local/nginx/conf/autoprotect/existing-domain-conf.net/autoprotect-existing-domain-conf.net.conf;
  root /home/nginx/domains/existing-domain-conf.net/public;
  # uncomment cloudflare.conf include if using cloudflare for
  # server and/or vhost site
  # include /usr/local/nginx/conf/cloudflare.conf;
  include /usr/local/nginx/conf/503include-main.conf;

  include /usr/local/nginx/conf/wpincludes/existing-domain-conf.net/wpcacheenabler_existing-domain-conf.net.conf;
  #include /usr/local/nginx/conf/wpincludes/existing-domain-conf.net/wpsupercache_existing-domain-conf.net.conf;
  # https://community.centminmod.com/posts/18828/
  #include /usr/local/nginx/conf/wpincludes/existing-domain-conf.net/rediscache_existing-domain-conf.net.conf; 

  location / {
  include /usr/local/nginx/conf/503include-only.conf;
 

  # Enables directory listings when index file not found
  #autoindex  on;

  # for wordpress super cache plugin
  #try_files /wp-content/cache/supercache/$http_host/$cache_uri/index.html $uri $uri/ /index.php?q=$uri&$args;

  # for wp cache enabler plugin
  try_files $cache_enabler_uri $uri $uri/ $custom_subdir/index.php?$args;   

  # Wordpress Permalinks
  #try_files $uri $uri/ /index.php?q=$uri&$args;

  # Nginx level redis Wordpress
  # https://community.centminmod.com/posts/18828/
  #try_files $uri $uri/ /index.php?$args;

  }

location ~* /(wp-login\.php) {
    limit_req zone=xwplogin burst=1 nodelay;
    #limit_conn xwpconlimit 30;
    
    include /usr/local/nginx/conf/php-wpsc.conf;
    # https://community.centminmod.com/posts/18828/
    #include /usr/local/nginx/conf/php-rediscache.conf;
}

location ~* /(xmlrpc\.php) {
    limit_req zone=xwprpc burst=45 nodelay;
    #limit_conn xwpconlimit 30;
    include /usr/local/nginx/conf/php-wpsc.conf;
    # https://community.centminmod.com/posts/18828/
    #include /usr/local/nginx/conf/php-rediscache.conf;
}

  include /usr/local/nginx/conf/wpincludes/existing-domain-conf.net/wpsecure_existing-domain-conf.net.conf;
  include /usr/local/nginx/conf/php-wpsc.conf;
  # https://community.centminmod.com/posts/18828/
  #include /usr/local/nginx/conf/php-rediscache.conf;
  include /usr/local/nginx/conf/staticfiles.conf;
  include /usr/local/nginx/conf/drop.conf;
  #include /usr/local/nginx/conf/errorpage.conf;
  include /usr/local/nginx/conf/vts_server.conf;
}

Code:

# Centmin Mod Getting Started Guide
# must read http://centminmod.com/getstarted.html
# For HTTP/2 SSL Setup
# read http://centminmod.com/nginx_configure_https_ssl_spdy.html

# redirect from www to non-www  forced SSL
# uncomment, save file and restart Nginx to enable
# if unsure use return 302 before using return 301
# server {
#   server_name existing-domain-conf-ssl.net www.existing-domain-conf-ssl.net;
#    return 302 https://existing-domain-conf-ssl.net$request_uri;
# }

server {
  listen 443 ssl http2;
  server_name existing-domain-conf-ssl.net www.existing-domain-conf-ssl.net;

  include /usr/local/nginx/conf/ssl/existing-domain-conf-ssl.net/existing-domain-conf-ssl.net.crt.key.conf;
  include /usr/local/nginx/conf/ssl_include.conf;

  http2_max_field_size 16k;
  http2_max_header_size 32k;
  # dual cert supported ssl ciphers
  ssl_ciphers     EECDH+CHACHA20-draft:EECDH+CHACHA20:EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA256:EECDH+ECDSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+SHA384:EECDH+AES128:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!CAMELLIA;
  ssl_prefer_server_ciphers   on;
  #add_header Alternate-Protocol  443:npn-spdy/3;
  #add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
  #add_header X-Frame-Options SAMEORIGIN;
  #add_header X-Xss-Protection "1; mode=block" always;
  #add_header X-Content-Type-Options "nosniff" always;
  #spdy_headers_comp 5;
  ssl_buffer_size 1369;
  ssl_session_tickets on;
 
  # enable ocsp stapling
   resolver 8.8.8.8 8.8.4.4 valid=10m;
   resolver_timeout 10s;
   ssl_stapling on;
   ssl_stapling_verify on;

 # ngx_pagespeed & ngx_pagespeed handler
 include /usr/local/nginx/conf/pagespeed.conf;
 include /usr/local/nginx/conf/pagespeedhandler.conf;
 include /usr/local/nginx/conf/pagespeedstatslog.conf;

  # limit_conn limit_per_ip 16;
  # ssi  on;

  access_log /home/nginx/domains/existing-domain-conf-ssl.net/log/access.log combined buffer=256k flush=60m;
  error_log /home/nginx/domains/existing-domain-conf-ssl.net/log/error.log;

  root /home/nginx/domains/existing-domain-conf-ssl.net/public;
 
    include /usr/local/nginx/conf/wpincludes/existing-domain-conf-ssl.net/wpcacheenabler_existing-domain-conf-ssl.net.conf;
    

  location / {
    # Wordpress Permalinks
    try_files $uri $uri/ /wordpress/index.php?q=$request_uri;   

    include /usr/local/nginx/conf/wpsecure.conf;
    include /usr/local/nginx/conf/wpnocache.conf;
    # for wp cache enabler plugin
    #try_files $cache_enabler_uri $uri $uri/ $custom_subdir/index.php?$args;
    
    
  }

  include /usr/local/nginx/conf/staticfiles.conf;
  include /usr/local/nginx/conf/php.conf;
  include /usr/local/nginx/conf/drop.conf;
  #include /usr/local/nginx/conf/errorpage.conf;
  include /usr/local/nginx/conf/vts_server.conf;
}

eva2000 · Jan 22, 2017

indeed for https version there's a 301 permanent redirect if you look at Location it's going to non-https version !
Code (Text):
Location: http://www.domain.net/
nothing in both your vhosts suggest a 301 redirect from what i can see, so cloudflare might be doing it ? maybe when you set https = off in cloudflare ?

What SSL setting should I use?
Cloudflare offers five SSL settings. Below is a description of each. We recommend enabling the Full SSL (Strict) setting.

Off: There is no secure connection between the visitor and Cloudflare, and no secure connection between Cloudflare and the origin server. This means that visitors can only access the domain over plain-text HTTP, and any visitor attempting to connect via HTTPS will be returned a HTTP 301 Redirect back to the plain-text HTTP version of the same URL.
Click to expand...

seems cloudflare ssl off will 301 redirect to http version !

so only way is either disable cloudflare cache and use as dns only = Cloudflare DNS Only Configuration

or use cloudflare's ssl in front and set ssl to Full SSL or FULL SSL (strict) so cloudflare talks to your site's https letsencrypt ssl site

Full SSL: Encrypts the connection between your website visitors and Cloudflare, and from Cloudflare to your server. The difference between Full and Full (Strict) is that Full (Strict) checks for a valid certificate on your origin server, whereas Full checks for any certificate.

You will need to have an SSL certificate on your server. However, Cloudflare will not attempt to validate the certificate (certificates may be self-signed)

Visitors will see the SSL lock icon in their browser

Full SSL (strict): Encrypts the connection between your website visitors and Cloudflare, and from Cloudflare to your server.

You will need to have a valid SSL certificate installed on your server signed by a publicly trusted certificate authority which has not expired and contains the domain name for the request (hostname).

Visitors will see the SSL lock icon in their browser

Click to expand...

emre22 · Jan 22, 2017

well cloudflare ssl was off all the time, I switched it now to full strict ssl and my website looks strange somehow. I sent you the url

eva2000 · Jan 23, 2017

you probably have mixed content issues all your requests are still non-https as there's no http to https redirect set at cloudflare page rule level yet i suspect ran your site through Website Speed Test | Full Page Performance Check

You have mixed content issue so need to adjust your web app and/or web site style itself see What Is Mixed Content? - KeyCDN Support

emre22 · Jan 23, 2017

Okay, putting a pagerule under cloudflare & Automatic HTTPS Rewrites option fixed it all. Thank you so much eva

eva2000 · Jan 23, 2017

emre22 said: ↑

Okay, putting a pagerule under cloudflare & Automatic HTTPS Rewrites option fixed it all. Thank you so much eva
Click to expand...

excellent

Log in / Register

Forums

Want to subscribe to topics you're interested in?

Letsencrypt Cloudflare cloudflare http to https redirecting issue

emre22 Member

eva2000 Administrator Staff Member

emre22 Member

eva2000 Administrator Staff Member

emre22 Member

emre22 Member

eva2000 Administrator Staff Member

emre22 Member

eva2000 Administrator Staff Member

emre22 Member

eva2000 Administrator Staff Member

.

Log in / Register

Useful Searches

Want to subscribe to topics you're interested in?

Letsencrypt Cloudflare cloudflare http to https redirecting issue

emre22 Member

eva2000 Administrator Staff Member

emre22 Member

eva2000 Administrator Staff Member

emre22 Member

emre22 Member

eva2000 Administrator Staff Member

emre22 Member

eva2000 Administrator Staff Member

emre22 Member

eva2000 Administrator Staff Member

.