platformsh / platformsh-docs

Platform.sh documentation. Templates available at https://github.com/platformsh-templates/
https://docs.platform.sh/
Creative Commons Attribution Share Alike 4.0 International

Cloudflare: SSL settings #3357

Open chadwcarlson opened 1 year ago

chadwcarlson commented 1 year ago

Where on docs.platform.sh should be changed?

What exactly should be updated?

SSL/TLS fails to provision when adding a custom domain to a project with Cloudflare configured.

It works iff, on the Cloudflare side, SSL/TLS encryption is set to full.


This is relevant during Pantheon migrations, where Pantheon has an option for "Full strict".

Additional context

No response

nlighteneddesign commented 1 year ago

Might be worth noting that if you have Flexible or Off set, then the browser will say there are too many redirects happening. I suspect Cloudflare is requesting http, and when platform redirects, Cloudflare is redirecting back to http.

nlighteneddesign commented 1 year ago

I just tested: both Full and Full (strict) work on platformsh; Off and Flexible result in infinite redirects.

ErriteEpticRikez commented 11 months ago

In some cases, when a user transfers from one provider to another and decides to stay with Cloudflare as their CDN of choice, it can cause some issues if older SSL settings are still being used.

The biggest example is if the Flexible encryption mode is enabled (as @nlighteneddesign said previously). It can cause a redirect loop when Cloudflare tries to reach the origin via HTTP. By default, all routes create a redirect for HTTP to HTTPS. The issue will persist unless the user changes the encryption mode to full.

In Platform.sh support land we see this occasionally, but with Upsun this could become more common. Can we try maybe adding more documentation to the "Set up your Cloudflare CDN" page or somewhere more appropriate where customers can find this solution? Maybe add a section for Too Many Redirect Errors?
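
The redirect loop discussed in this thread, modelled as an added example (not part of any comment above and not Platform.sh or Cloudflare code). The mode names and the origin's HTTP-to-HTTPS redirect come from the thread; how the edge behaves in each mode is an assumption based on Cloudflare's documented encryption modes, and `example.com` and all function names are placeholders.

```python
"""Browser -> Cloudflare edge -> origin, modelled per encryption mode (no network I/O)."""


def origin(scheme, host, path):
    """Origin with the default route behaviour from the thread: HTTP -> HTTPS."""
    if scheme == "http":
        return 301, f"https://{host}{path}"
    return 200, None


def edge(mode, visitor_scheme, host, path):
    """Return the (status, Location) the visitor gets back from the edge."""
    if mode == "off":
        # Assumption: with encryption off, the edge sends HTTPS visitors to HTTP.
        if visitor_scheme == "https":
            return 301, f"http://{host}{path}"
        return origin("http", host, path)
    if mode == "flexible":
        # Assumption: Flexible always talks plain HTTP to the origin.
        return origin("http", host, path)
    if mode in ("full", "full_strict"):
        # Assumption: Full modes reach the origin with the visitor's scheme;
        # strict additionally validates the origin certificate (not modelled).
        return origin(visitor_scheme, host, path)
    raise ValueError(f"unknown mode: {mode}")


def browse(mode, url="http://example.com/", max_redirects=20):
    """Follow redirects like a browser; return (outcome, list of URLs requested)."""
    chain = []
    while len(chain) <= max_redirects:
        chain.append(url)
        scheme, rest = url.split("://", 1)
        host, _, path = rest.partition("/")
        status, location = edge(mode, scheme, host, "/" + path)
        if status == 200:
            return "ok", chain
        if location in chain:  # redirected to a URL already requested
            return "redirect_loop", chain
        url = location
    return "too_many_redirects", chain


if __name__ == "__main__":
    for mode in ("off", "flexible", "full", "full_strict"):
        outcome, chain = browse(mode)
        print(f"{mode:12} {outcome:14} {' -> '.join(chain)}")
```

In the Flexible case the visitor is already on HTTPS when the loop occurs: the origin only ever sees plain HTTP from the edge, so it keeps issuing the same redirect.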