Why CloudFlare SSL?
CloudFlare has a feature where they provide their own SSL for your site and you don’t even need SSL in place. Why would you need an SSL if you are not selling anything? One word SEO, Google recently revealed that sites with SSL will get ranking boost. All you have to do is toggle a button in control panel and you are done (see picture below). That’s what we thought at first..
How Flexible SSL Works
Here is a screenshot from CloudFlare help page that explains it pretty well.
The way it works is it creates a secure tunnel between you and the CloudFlare server and then CloudFlare creates a regular connection to your site. From a visitor standpoint the connection is encrypted as they will see a lock in their address bar even though the actual site does not have SSL
Redirect loop with WordPress when using Flexible SSL
When Flexible SSL is activated you will start having infinite redirect loop if you change your site url to https://.. in the WordPress general settings. The reason you need your site url to be https is so that entire site would use https and not both protocols interchangeably, thus creating duplicate content). If you want to try it yourself make sure you have a phpMyAdmin open so you can revert the change back since you won’t be able to get back to you site once you change site url to https because of the loop. You will have to connect to your database and change the site url back to http://.. in the options table).
Solution
CloudFlare’s solution is to install different plugins or create a force SSL rule. None of this worked for us. We think the reason is because the plugins simply rewrote http urls to https:// which might fix the issues if you already had SSL installed on the server. The solution is actually really simple, since users will always visit your site through CloudFlare proxy we will have CloudFlare redirect all http links to https:// equivalent. This is different then doing the same thing using .htaccess file or changing it in the settings of WordPress since those will affect the server itself. All you have to do is go to Page Rules and set up the rule like shown below (this should also work for other none WordPress sites as well):
The $1 will make sure that the full path will also be passed down to the new url. Also make sure the “Always use https” option is off when creating a rule. Give it about an hour to kick in, the SSL forwarding doesn’t seem to start working right away unlike the regular forwarding rules.
You should be all set now, your site will redirect for all http urls to https without the need to set site url in WordPress settings to use https:// (you can still have the home page setting set to https without issues.)
You might also want to add admin bypass rule while you are in forwarding rule to bypass cache in admin
- enter in pattern: http://*yoursite.com/wp-admin
- enter in rule: select ONLY “bypass cache” under “custom caching” and nothing else.
- click save
Let us know how it worked for you
Hello Alex, thanks for the post. So setting up this rule only, fixed the mixed content error in your site? I got redirected but my assets (css, js, imgs) are not loading. I understood you didn’t install any plugin.
i didn’t have to install a plugin since all my resources didn’t have absolute path, however for you, you might have to. Use the wordpress https plugin it will rewrite the resources to https for you
Hello Alex, thanks for the post. So setting up this rule only, fixed the mixed content error in your site? I got redirected but my assets (css, js, imgs) are not loading. I understood you didn’t install any plugin.
i didn’t have to install a plugin since all my resources didn’t have absolute path, however for you, you might have to. Use the wordpress https plugin it will rewrite the resources to https for you
Thank you very much, after days trying all kind of so called solutions, this was the real solution.
Together with the Cloudflare plugin for wordpress, it also solved the mixed content issue.
Also the tip to wait at least an hour was very helpful, because the “60 seconds” is way to optimistic.
No problem! I was frustrated that there was no right solution and the tutorial they have on their site doesn’t really work 🙂
Thank you very much, after days trying all kind of so called solutions, this was the real solution.
Together with the Cloudflare plugin for wordpress, it also solved the mixed content issue.
Also the tip to wait at least an hour was very helpful, because the “60 seconds” is way to optimistic.
No problem! I was frustrated that there was no right solution and the tutorial they have on their site doesn’t really work 🙂
Hi Alex, After trying about a week I am successfully able to have everything over https. I have to put http in site url and wp home to get wp-admin work without infinite redirect loop. But the problem is my sitemap is broken now. As the page rule in cloudflare redirects http to https, and All In One SEO plugin tries to load the sitemap from http, and it breaks everything. The generated sitemap (accessible from FTP) includes http urls instead of https (maybe because of http set in site url). Is there anything related this you have encountered?
Hi Alex, After trying about a week I am successfully able to have everything over https. I have to put http in site url and wp home to get wp-admin work without infinite redirect loop. But the problem is my sitemap is broken now. As the page rule in cloudflare redirects http to https, and All In One SEO plugin tries to load the sitemap from http, and it breaks everything. The generated sitemap (accessible from FTP) includes http urls instead of https (maybe because of http set in site url). Is there anything related this you have encountered?
BTW, I just noticed changing of page title! That’s awesome.
BTW, I just noticed changing of page title! That’s awesome.