: Cloudflare not redirecting to HTTPS I set it up, and set "Automatic HTTPS Rewrites" to "ON", BUT this still not redirecting me to the https by default when the page is requested via http...

@Jamie184

If you are having problems with the "Automatic HTTPS Rewrites" Cloudflare option then it maybe that CF is unable to determine whether your site/resources are HTTPS enabled. From the CF docs on Automatic HTTPS Rewrites:


To determine which URLs do not have HTTPS support, we use data from EFF’s HTTPS Everywhere and Chrome’s HSTS preload list, among others.


To unconditionally redirect all users to HTTPS the preferred method would seem to be to create a page rule. From the CF support doc: How do I redirect all visitors to HTTPS/SSL?


The most effective means of redirecting visitors to HTTPS when using Cloudflare is using a page rule. While you can also redirect to HTTPS using configuration at your origin, page rules are processed at our edge, resulting in a quicker response and reduced requests to your server.

The "Always use HTTPS” action is the simplest option to redirect HTTP requests to HTTPS.


The following steps describe the process of using page rules (which will behave as a 301 redirect):


Cloudflare Page Rule 301 Redirect from HTTP to HTTPS

Login to Cloudflare Select your
site using the dropdown menu found in the upper left corner
Click the Page Rules icon at the top of the screen
Click the Create Page Rule button Enter
*example.com/* but obviously changing the domain with
yours. Under “Then the settings are:” click + Add a
Setting Click the dropdown list, find and click option
“Always Use HTTPS” Finally click Save and Deploy



However, many users still use their own server config (by that I literally mean either the main server config, virtual host or .htaccess file) and mod_rewrite (Apache) to perform the redirect. However, on the CF "Flexible SSL" option you need to be careful of a redirect loop, since your site is still serving content over HTTP to CF, so ordinary HTTPS checks cannot be applied. (The CF "Flexible SSL" option just protects the connection from the end-user to CF, not the connection from CF to your server.)

So, something like the following near the top of your .htaccess file:

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteCond %{HTTP:X-Forwarded-Proto} !https
RewriteRule (.*) example.com/ [R=301,L]


With "Flexible SSL" the HTTPS server variable is always off (since your site is serving content over HTTP), but Cloudflare should be setting the X-Forwarded-Proto HTTP request header as the request passes through Cloudflare's servers. Keeping the first condition ensures it should work regardless of whether you are using CF or not. If you are always going to be behind a proxy (CF) then you can remove the first condition.


...so seems like HTST is not really a great idea...


If you are committed to HTTPS then HSTS is a great idea. However, it is a one-way ticket. You will not be able to (easily) revert back to HTTP.

Vote Up Vote Down