1

I am posting this more as an answer to the question in title as we have solved it after communicating with Cloudflare's helpful support team. Since when doing our research, we could not find a solution to this, this might help others!

When enabling Cloudflare's Flexible SSL and you want to redirect http to https for all requests using the method such as described in How to force HTTPS using a web.config file, you will highly likely end up in a redirect loop.

You can opt to use a Page Rule via CloudFlare's Page Rule as described in https://support.cloudflare.com/hc/en-us/articles/200170536-How-do-I-redirect-all-visitors-to-HTTPS-SSL- but in our case that was still leaving some non-https requests within the website which were rendering the website as insecure.

Community
  • 1
  • 1
Mark Cassar
  • 1,842
  • 4
  • 20
  • 27

1 Answers1

4

As can be seen within the same Cloudflare support article https://support.cloudflare.com/hc/en-us/articles/200170536-How-do-I-redirect-all-visitors-to-HTTPS-SSL-, Cloudflare appends the CF-Visitor HTTP header as explained:

CF-Visitor: {"scheme":"https"}

For this reason, the respective web.config <rewrite> snippet which worked for us is the following:

<rewrite>
  <rules>
    <rule name="Redirect to https" stopProcessing="true">
      <match url="(.*)" />
        <conditions>
          <add input="{HTTP_CF_VISITOR}" pattern="(.*)https(.*)" ignoreCase="true" negate="true"  />
        </conditions>
       <action type="Redirect" url="https://{HTTP_HOST}{REQUEST_URI}" appendQueryString="false" redirectType="Permanent" />
    </rule>
  </rules>
</rewrite>
Mark Cassar
  • 1,842
  • 4
  • 20
  • 27