Reputation: 449
I have a site that I converted to https using Cloudflare's "Flexible" SSL. Meaning that I get the benefits of showing https / secure to user, without purchasing an SSL (user to Cloudflare is secure, Cloudflare to my server not).
I set up a page rule that automatically forces https. No problems. I installed WordPress under a directory and am finding that there are mixed content errors all over the place. First of all, nothing works on the WordPress install because of mixed content. So I temporarily disabled the rule to install WordPress.
Now, if I change siteurl and home in the wp_options table in the WordPress db to https, and enable my force https rule, /wp-admin gets stuck in an infinite loop and won't let me do anything.
What am I doing wrong? All I have is to have WordPress over https with the rest of my site.
Upvotes: 0
Views: 615
Reputation: 2021
You should really use SSL throughout the whole request. If you don't want to go the self-signed route, you can use CF's free Origin Certificate.
Upvotes: 0
Reputation: 2972
WordPress isn't realizing that the request is made via HTTPS from the client because the request from CF to you is HTTP only.
Cloudflare does provide an extra header, X-Forwarded-Proto, which will be set to https if the request is running via HTTPS. You could just add
if (array_key_exists("HTTP_X_FORWARDED_PROTO", $_SERVER) && $_SERVER["HTTP_X_FORWARDED_PROTO"] == "https") {
    $_SERVER["HTTPS"] = "on";
}
to your wp-config.php to inform WP that this request should be treated as if it was coming in via HTTPS.
If you prefer to use a plugin, Cloudflare Flexible SSL takes care of that. The Cloudflare plugin by Cloudflare itself also takes care of that, and more (cache purging, change CF settings from WP, WAF).
Upvotes: 2
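A stricter variant of the wp-config.php check in the answer above, as an added example that is not part of the original post: X-Forwarded-Proto is an ordinary request header, so anyone who can reach the origin directly can set it, and this version honours it only when the connection comes from a trusted proxy range. The helper name `ip_in_cidr`, the `$trusted_proxies` list and its placeholder ranges are assumptions, and it assumes the origin sees Cloudflare's address in `REMOTE_ADDR`.

```php
<?php // omit this opening tag when pasting into an existing wp-config.php

// Placeholder ranges (RFC 5737 documentation networks, constructed for this
// example). Replace them with the proxy ranges Cloudflare publishes.
$trusted_proxies = array('192.0.2.0/24', '198.51.100.0/24');

// Hypothetical helper: true if $ip lies inside the CIDR block $cidr (IPv4 or IPv6).
function ip_in_cidr($ip, $cidr) {
    $parts = explode('/', $cidr, 2);
    $ip_bin  = @inet_pton($ip);
    $net_bin = @inet_pton($parts[0]);
    if ($ip_bin === false || $net_bin === false || strlen($ip_bin) !== strlen($net_bin)) {
        return false; // unparsable address, or IPv4 compared against IPv6
    }
    $max_bits = strlen($ip_bin) * 8;
    if (isset($parts[1]) && !ctype_digit($parts[1])) {
        return false; // malformed prefix length must never match everything
    }
    $bits = isset($parts[1]) ? (int) $parts[1] : $max_bits;
    if ($bits > $max_bits) {
        return false;
    }
    $full_bytes = intdiv($bits, 8);
    $rest_bits  = $bits % 8;
    // Compare the whole bytes covered by the prefix first.
    if (substr($ip_bin, 0, $full_bytes) !== substr($net_bin, 0, $full_bytes)) {
        return false;
    }
    if ($rest_bits === 0) {
        return true;
    }
    // Then the leading bits of the one partially covered byte.
    $mask = (0xFF << (8 - $rest_bits)) & 0xFF;
    return (ord($ip_bin[$full_bytes]) & $mask) === (ord($net_bin[$full_bytes]) & $mask);
}

$remote = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '';
$from_proxy = false;
foreach ($trusted_proxies as $cidr) {
    if (ip_in_cidr($remote, $cidr)) { $from_proxy = true; break; }
}

$proto = isset($_SERVER['HTTP_X_FORWARDED_PROTO'])
    ? strtolower(trim($_SERVER['HTTP_X_FORWARDED_PROTO'])) : '';

// Treat the request as HTTPS only when a trusted proxy says so.
if ($from_proxy && $proto === 'https') {
    $_SERVER['HTTPS'] = 'on';
}
```

Restricting the origin's firewall to the same proxy ranges closes the direct path entirely, so the header check becomes a second layer rather than the only one.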