Why CloudFlare SSL?
CloudFlare has a feature where they provide their own SSL for your site and you don’t even need SSL in place. Why would you need an SSL if you are not selling anything? One word SEO, Google recently revealed that sites with SSL will get ranking boost. All you have to do is toggle a button in control panel and you are done (see picture below). That’s what we thought at first..
How Flexible SSL Works
Here is a screenshot from CloudFlare help page that explains it pretty well.
The way it works is it creates a secure tunnel between you and the CloudFlare server and then CloudFlare creates a regular connection to your site. From a visitor standpoint the connection is encrypted as they will see a lock in their address bar even though the actual site does not have SSL
Redirect loop with WordPress when using Flexible SSL
When Flexible SSL is activated you will start having infinite redirect loop if you change your site url to https://.. in the WordPress general settings. The reason you need your site url to be https is so that entire site would use https and not both protocols interchangeably, thus creating duplicate content). If you want to try it yourself make sure you have a phpMyAdmin open so you can revert the change back since you won’t be able to get back to you site once you change site url to https because of the loop. You will have to connect to your database and change the site url back to http://.. in the options table).
CloudFlare’s solution is to install different plugins or create a force SSL rule. None of this worked for us. We think the reason is because the plugins simply rewrote http urls to https:// which might fix the issues if you already had SSL installed on the server. The solution is actually really simple, since users will always visit your site through CloudFlare proxy we will have CloudFlare redirect all http links to https:// equivalent. This is different then doing the same thing using .htaccess file or changing it in the settings of WordPress since those will affect the server itself. All you have to do is go to Page Rules and set up the rule like shown below (this should also work for other none WordPress sites as well):
$1 will make sure that the full path will also be passed down to the new url. Also make sure the “Always use https” option is off when creating a rule. Give it about an hour to kick in, the SSL forwarding doesn’t seem to start working right away unlike the regular forwarding rules.
You should be all set now, your site will redirect for all http urls to https without the need to set site url in WordPress settings to use https:// (you can still have the home page setting set to https without issues.)
You might also want to add admin bypass rule while you are in forwarding rule to bypass cache in admin
- enter in pattern: http://*yoursite.com/wp-admin
- enter in rule: select ONLY “bypass cache” under “custom caching” and nothing else.
- click save
Let us know how it worked for you