Reputation: 2074
I'm trying to set up NGINX and Cloudflare. I've read about this on Google but nothing solved my problem. My Cloudflare is active at the moment. I removed all page rules in Cloudflare, but before that I had domain.com and www.domain.com set to use HTTPS. I thought this could be causing the problem, so I removed it. Here is my default
NGINX file, whose purpose is to allow access only by domain name and to forbid access by the website's IP address:
server {
    # REDIRECT HTTP TO HTTPS
    listen 80 default;
    listen [::]:80 default ipv6only=on; ## listen for ipv6
    rewrite ^ https://$host$request_uri? permanent;
}
server {
    # REDIRECT IP HTTPS TO DOMAIN HTTPS
    listen 443;
    server_name numeric_ip;
    rewrite ^ https://www.domain.com;
}
server {
    # REDIRECT IP HTTP TO DOMAIN HTTPS
    listen 80;
    server_name numeric_ip;
    rewrite ^ https://www.domain.com;
}
server {
    listen 443 ssl;
    server_name www.domain.com domain.com;
    #rewrite ^ https://$host$request_uri? permanent;
    keepalive_timeout 70;
    ssl_certificate /ssl/is/working.crt;
    ssl_certificate_key /ssl/is/working.key;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    #ssl_dhparam /path/to/dhparam.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM$
    ssl_prefer_server_ciphers on;
    add_header Strict-Transport-Security max-age=15768000;
(...) more ssl configs
What could be off? I'll provide more information if needed...
Upvotes: 36
Views: 42454
Reputation: 720
Cloudflare sends the `Cdn-Loop: cloudflare` header to the origin server. This Cdn-Loop header is standardized.
See: https://datatracker.ietf.org/doc/html/rfc8586
This works on nginx. It only redirects to HTTPS if the request did not come from the CDN:
server {
    # ..
    if ($http_cdn_loop ~ "^$") {
        return 301 https://$host$request_uri;
    }
}
You can also use `$http_cf_visitor`:
server {
    # ..
    if ($http_cf_visitor ~ '{"scheme":"http"}') {
        return 301 https://$host$request_uri;
    }
}
See also "If is evil":
https://www.nginx.com/resources/wiki/start/topics/depth/ifisevil/
Upvotes: 3
Reputation: 46331
After some trial and error I found that this is related only to Cloudflare, because I had no redirect problem before moving to Cloudflare.
In my case it was a simple fix like this. Select the [Crypto] tab and choose Full (strict), as in the image.
Really, you can try this out first before any other actions.
Upvotes: 118
Reputation: 14759
Troubleshooting redirect loop errors
Resolve redirect loop (too many redirects) errors that prevent visitors from viewing your website.
Cloudflare SSL options incompatible with your origin web server
The most common cause of redirect loops is due to a combination of
- a redirect performed by your origin web server, and
- a Cloudflare SSL option that is incompatible with the redirect performed by your origin.
Cause
The “Flexible” SSL encryption mode in the Cloudflare “SSL/TLS” app, “Overview” tab, encrypts traffic between the browser and the Cloudflare network over HTTPS. However, when the “Flexible” SSL option is enabled, Cloudflare sends requests to your origin web server unencrypted over HTTP. Redirect loops occur if your origin web server is configured to redirect all HTTP requests to HTTPS when using the “Flexible” SSL option.
Redirect loops may also occur when using the “Full” or “Full(strict)” SSL option. The only difference is that Cloudflare contacts your origin web server over HTTPS and the redirect loop occurs if your origin web server redirects HTTPS requests to HTTP.
Resolution
Update the Cloudflare SSL option in the “SSL/TLS” app, “Overview” tab.
- If currently set to “Flexible”, update it to “Full” if you have an SSL certificate configured at your origin web server.
- If currently set to “Full”, try updating it to “Flexible.”
Upvotes: 5
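The mechanism in the troubleshooting text above ("Flexible" forwards to the origin over plain HTTP, and the edge relays the origin's redirect to the browser instead of following it) and the Cdn-Loop / CF-Visitor check from the earlier answer can be exercised offline. The Python model below is an added example, not code from the question, any answer or Cloudflare; the proxy address range 203.0.113.0/24, the peer address 203.0.113.10 and the host www.domain.com are constructed placeholders. It reproduces the loop under "Flexible" with the question's naive redirect, shows that "Full" or a visitor-scheme-aware origin breaks it, and adds the check a practitioner wants: the Cloudflare headers are trusted only when the TCP connection actually comes from the proxy's address range, because anyone who discovers the origin IP can send `Cdn-Loop` or `CF-Visitor` themselves.

```python
"""Redirect-loop model: why "Flexible" loops and how header checks avoid it.

Added example, not code from the question or any answer. It models
Cloudflare's "Flexible" and "Full" SSL modes and an nginx-like origin with
two policies: the question's "redirect every HTTP request to HTTPS", and the
Cdn-Loop / CF-Visitor aware policy from the earlier answer. The proxy
address range, peer address and host name are constructed for the example.
"""
import ipaddress
import json
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple

# Constructed for the example; the real ranges are published at
# https://www.cloudflare.com/ips/ and must be refreshed periodically.
TRUSTED_PROXY_NETS = [ipaddress.ip_network("203.0.113.0/24")]


@dataclass
class Request:
    scheme: str                  # scheme the origin sees on the wire
    host: str
    path: str
    peer_ip: str                 # address the TCP connection came from
    headers: Dict[str, str] = field(default_factory=dict)


@dataclass
class Response:
    status: int
    location: Optional[str] = None


def origin_naive(req: Request) -> Response:
    """The question's config: every plain-HTTP request gets a 301 to HTTPS."""
    if req.scheme == "http":
        return Response(301, f"https://{req.host}{req.path}")
    return Response(200)


def origin_cdn_aware(req: Request) -> Response:
    """The header-based config: decide on the scheme the *visitor* used.

    Cdn-Loop and CF-Visitor are honoured only when the TCP peer is a trusted
    proxy address; a client hitting the origin IP directly can type those
    headers itself, so on their own they prove nothing.
    """
    from_proxy = any(ipaddress.ip_address(req.peer_ip) in net for net in TRUSTED_PROXY_NETS)
    if from_proxy and "cdn-loop" in req.headers:
        try:
            visitor_scheme = json.loads(req.headers.get("cf-visitor", "{}")).get("scheme")
        except (json.JSONDecodeError, AttributeError):
            visitor_scheme = None
        if visitor_scheme == "https":
            return Response(200)          # browser already used HTTPS: nothing to fix
        return Response(301, f"https://{req.host}{req.path}")
    return origin_naive(req)              # direct traffic: fall back to the wire scheme


Origin = Callable[[Request], Response]


def cloudflare(mode: str, client_scheme: str, host: str, path: str, origin: Origin) -> Response:
    """Forward one edge request to the origin the way the SSL mode dictates."""
    wire_scheme = "http" if mode == "flexible" else "https"   # "full" / "full_strict"
    req = Request(
        scheme=wire_scheme, host=host, path=path, peer_ip="203.0.113.10",
        headers={"cdn-loop": "cloudflare",
                 "cf-visitor": json.dumps({"scheme": client_scheme})},
    )
    # The edge does not follow the origin's redirect; it relays it to the browser.
    return origin(req)


def browse(mode: str, origin: Origin, url: str = "https://www.domain.com/",
           max_hops: int = 10) -> Tuple[str, int]:
    """Follow redirects like a browser; report a loop as soon as a URL repeats."""
    seen = set()
    for hops in range(max_hops):
        if url in seen:
            return ("loop", hops)
        seen.add(url)
        scheme, rest = url.split("://", 1)
        host, _, path = rest.partition("/")
        resp = cloudflare(mode, scheme, host, "/" + path, origin)
        if resp.status != 301:
            return ("ok", hops)
        url = resp.location
    return ("too_many_redirects", max_hops)


if __name__ == "__main__":
    for mode in ("flexible", "full"):
        for name, origin in (("naive", origin_naive), ("cdn_aware", origin_cdn_aware)):
            print(f"{mode:9s} {name:10s} -> {browse(mode, origin)}")
```

Run as a script it prints the four mode/policy combinations; only "flexible" with the naive origin loops. In nginx the equivalent of the peer check is to `allow` the published Cloudflare ranges and `deny all` on the origin (or firewall the origin so only those ranges reach it), so that a request carrying `Cdn-Loop` from any other address never gets to skip the redirect.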
Reputation: 164
Go to Page Rules section and check if you have an "always redirect to https" rule. I had it enabled by default.
Upvotes: 0
Reputation: 99
The support team of Cloudflare has given the cause and solution. It is clear and helpful.
Upvotes: -1
Reputation: 27568
@prosti provided the solution. I'll add some explanation here about why the redirection loop happens.
After the Cloudflare CDN is set up in front of the Nginx server, clients no longer have direct access to Nginx. The content is fetched by the intermediate proxy provided by Cloudflare. The cause of the problem is that this very proxy doesn't follow the redirection set on Nginx; you can consider it hardcoded.
Unlike a web browser, which follows 301/302 redirections, the behavior of the proxy (whether it accesses Nginx on our VPS by HTTP or HTTPS) is configured in the Cloudflare Dashboard -> "SSL/TLS".
The solution is to configure the encryption level higher than "Full".
Upvotes: 18
Reputation: 27218
These questions with run-away redirects come up all the time!
Usually, the problem lies with the fact that 301 Moved Permanently responses are often cached within the browsers "for good", and there is often no way to Ctrl+R nor Ctrl+Shift+R out of it, short of clearing the whole cache. (This is one of the reasons I often prefer 302 Found / 302 Moved Temporarily instead, especially during the development phase, because 302 responses are generally not cached at all by default.)
Additionally, if you've had HSTS in the past, and it was successfully fetched and quietly installed by the browser under the hood, and was never explicitly cleared nor expired yet, then the browser would never make any subsequent requests over http:// until and unless the policy is cleared -- all requests would always be over https://.
As for putting CloudFlare into the mix, doesn't it alleviate the need to have so many different server definitions and redirects in the first place, since your IP address is supposed to be hidden? I'm not sure what good it does to presumably hide your IP address behind CloudFlare, yet openly reveal the domain name it serves for anyone doing a global internet scan.
As you already ran through all the "SSL modes" offered by CloudFlare, I would suggest to change all your 301 permanent redirects to 302 temporary redirects (if not remove all of these in entirety in the first place), clear the browser's cache, and then try circling around the ssl options again. :-)
Upvotes: 19