SSL with CloudFlare and Really Simple SSL

If you are a CloudFlare user, there are a few things to consider when migrating to SSL. If you run into redirect loops when you use CloudFlare, and have activated Really Simple SSL, check if you have configured below settings correctly.

Page rules

In CloudFlare you have the option to define page rules. If this page rule redirects all requests to http, activating Really Simple SSL will result in CloudFlare forcing your site to http, and Really Simple SSL forcing your site to https. A redirect loop is the result. You can remove the page rule, or change it into a page rule to https.

SSL settings in CloudFlare

If you have your own certificate, you should select Full SSL. If you use the CloudFlare SSL option, choose flexible SSL. Not selecting the correct option might cause redirect loops.

If you are thinking “what is the difference between these options”, I have listed a quick description:

  • Flexible SSL means there is no secure connection between CloudFlare and your site, but the connection between the visitor and CloudFlare is secure
  • Full SSL means that both connections are secure, but the connection between CloudFlare and the website does not check if the website has a trusted certificate: self signed will do as well.
  • Full Strict SSL: most secure. Everything is secure, and the website needs it’s own trusted SSL certificate.

Read more here on CloudFlare

Make sure CloudFlare does not cache old data

When we migrate a CloudFlare website to SSL, we always start with turn development mode in CloudFlare on. When everything is ready, purge the cache, then turn off development mode.

If you have not purged CloudFlare cache, you might get mixed content on your site.

If you run into anything that is not covered here, please let me know!

Simple and Performant Security.
Easily improve site security with WordPress Hardening, Two-Factor Authentication (2FA), Login Protection, Vulnerability Detection and SSL certificate generation.