2

I have Universal SSL with CloudFlare. I wanted to set up a permanent SSL redirect on my Ghost blog.

This was my original config. It works great individually using http://example.com and https://example.com

server {
    listen 80 default_server;
    listen [::]:80 default_server ipv6only=on;

    server_name example.com; # Replace with your domain

    root /usr/share/nginx/html;
    index index.html index.htm;

    client_max_body_size 10G;

    location / {
        proxy_pass http://localhost:2368;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_buffering off;
    }
}

This is my attempted config for a redirect from HTTP to HTTPS, but it results in a redirect loop:

server {
   listen      80 default_server;
   server_name example.com;
   return      301 https://example.com$request_uri;
}

server {
   listen   443 ssl;
   ssl      on;
   ssl_certificate /etc/nginx/ssl/cert/example.crt;
   ssl_certificate_key /etc/nginx/ssl/private/example.key;
   ssl_session_cache  shared:SSL:10m;
   ssl_session_timeout 5m;
   server_name example.com; # Replace with your domain
   root /usr/share/nginx/html;
   index index.html index.htm;

   client_max_body_size 10G;

    location / {
       proxy_pass http://localhost:2368;
       proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
       proxy_set_header Host $http_host;
       proxy_set_header X-Forwarded-Proto $scheme;
       proxy_buffering off;
   }
}

Not entirely sure why it's looping.

HBruijn
fortune
  • Check your logs. – Xavier Lucas Oct 15 '14 at 22:33
  • Logs show no errors. Access log shows what the browser says, a whole bunch of 301 GET requests. – fortune Oct 15 '14 at 23:18
  • Did you check the intermediate response of your proxy target ? Test using curl, it's possible your browser has cached response headers of the previous setup. – Xavier Lucas Oct 16 '14 at 11:52
  • And also consider the application is redirecting. –  Oct 16 '14 at 17:01
  • I ran curl on my http:// URL and got a 301 permanent redirect, which I would expect. But then I ran it on the https:// URL and got a 301 as well, which I wouldn't expect. – fortune Oct 17 '14 at 00:35
  • I also find that if in my Ghost config.js I change the URL to https://example.com, it will attempt to do a 301. Which results in a redirect loop. Very strange. – fortune Oct 17 '14 at 01:05

4 Answers

2

I don't have enough rep to add a comment above, but I also experienced this issue and the only way I managed to get around it was to disable CloudFlare for the specific DNS entry, which obviously isn't ideal.

Based on this, it seems like it's an issue with the way CloudFlare is implementing their Universal SSL for DNS entries that already have SSL (with redirects from HTTP to HTTPS) enabled. Also, it doesn't seem like you can disable CloudFlare SSL for specific DNS entries.

Sorry I can't be more helpful, but if I find a solution I'll definitely post it here.

  • This seems the solution for CloudFlare's SSL + DigitalOcean. In the javascript console, I noticed some javascript errors due to missing files or being unable to retrieve files over HTTP when the site was loaded over HTTPS. – Muhammad Usman Oct 24 '14 at 05:27
  • Not just Digital Ocean. I'm experiencing this after force upgrading on a dissimilar hosting company. It appears I cannot force SSL and must instead honor optional plain HTTP in addition to SSL. A forced 301 as in the question here appears to me what causes this. – editor Feb 04 '15 at 02:40
1

Inspired by Pascal's answer, I tried to modify the connection type between cloudflare and my server from flexible ssl to full ssl. For me it works this way.

In hindsight it seems logical, because with flexible ssl the flow is:

  1. the user connects through ssl to cloudflare
  2. cloudflare connects through plain http to the server
  3. the server issues a redirect as a response
  4. cloudflare forwards the response to the client (the redirect)
  5. rinse and repeat

If I enable full ssl, the redirect doesn't take place anymore, because cloudflare connects to the server through ssl.
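
The five-step flow above, modelled as an added example (not part of the original answer, and not Cloudflare or nginx code). The function names are hypothetical, and the model assumes that in "full" mode the edge reaches the origin with the same scheme the client used.

```python
# Constructed model of the redirect flow: a browser, an edge proxy, and the
# origin nginx from the question. Nothing here talks to a real network.
from urllib.parse import urlsplit

MAX_HOPS = 10  # illustrative cap, similar in spirit to a browser's redirect limit


def origin(scheme, path):
    """Origin from the question: port 80 always 301s to HTTPS, port 443 serves."""
    if scheme == "http":
        return 301, f"https://example.com{path}"
    return 200, None


def edge(client_url, ssl_mode):
    """Edge proxy: terminates the client connection, then picks the origin scheme.

    'flexible' -> always plain HTTP to the origin (steps 1 and 2 of the answer)
    'full'     -> assumed to reuse the scheme the client used
    """
    parts = urlsplit(client_url)
    origin_scheme = "http" if ssl_mode == "flexible" else parts.scheme
    # The origin's response, redirect included, goes back unchanged (steps 3, 4).
    return origin(origin_scheme, parts.path or "/")


def follow(start_url, ssl_mode):
    """Follow redirects like a browser; return (outcome, list of (url, status))."""
    url, hops, seen = start_url, [], set()
    for _ in range(MAX_HOPS):
        status, location = edge(url, ssl_mode)
        hops.append((url, status))
        if status != 301:
            return "ok", hops
        seen.add(url)
        if location in seen:  # redirected to a URL already requested (step 5)
            return "loop", hops
        url = location
    return "too many redirects", hops


if __name__ == "__main__":
    for mode in ("flexible", "full"):
        outcome, hops = follow("http://example.com/", mode)
        print(mode, outcome, hops)
```

In "flexible" mode the HTTPS URL is answered with a 301 to itself, which matches the curl result reported in the question's comments.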

0

I had the same problem and ended up setting both url and urlSSL in Ghost's config.js. This won't force SSL, but if a user reaches the blog through https, setting this will make sure that all future navigation will also be done through https.

Before, if a user clicked on a blog post, and then clicked any other internal link, that link would be served through http, along with all other future requests. Setting the urlSSL property fixes that at least.

url: 'http://blog.example.com',
urlSSL: 'https://blog.example.com'

References: http://support.ghost.org/config/#ssl

masegaloeh
Austin
0

I just ran into this same issue on my ghost instance and talked about it a bit here:

https://stackoverflow.com/questions/40816988/infinite-redirect-nginx/40817660#40817660

It turns out that I had two infinite redirect issues [ (┛◉Д◉)┛彡┻━┻ ], one with my server config, and one with my cloud-flare config.

To use SSL with cloud-flare you will need to:

  • Go to the Overview tab > Settings Summary > Click on SSL and change SSL from "Flexible" to "Full (Strict)".
    • This can also be found under Crypto tab > SSL > Click on SSL and change SSL from "Flexible" to "Full (Strict)".

Since you refer to a proxy pass with port 2368 in your vHost it seems logical that you might also be running ghost. (I realize that this is not the only software running on that port.)

  • Check your config.js to ensure that url: is pointed at http and not https.
Robert J