DEV Community

ahmet gedik

Cloudflare Flexible SSL Setup Without Origin Certificate

If your hosting provider doesn't support Let's Encrypt or custom SSL certificates (common on shared hosting), Cloudflare's Flexible SSL mode lets you serve your site over HTTPS without any origin certificate. Here's how to set it up correctly, based on my experience running DailyWatch on shared LiteSpeed hosting.

How Flexible SSL Works

User <--HTTPS--> Cloudflare <--HTTP--> Your Server

Cloudflare terminates SSL at its edge. The connection between Cloudflare and your origin server is plain HTTP. This means:

  • Users see a valid HTTPS padlock
  • Your server doesn't need an SSL certificate
  • Traffic between Cloudflare and your server is unencrypted

Cloudflare Configuration

  1. In Cloudflare dashboard, go to SSL/TLS > Overview
  2. Set encryption mode to Flexible
  3. Enable Always Use HTTPS under Edge Certificates
  4. Enable Automatic HTTPS Rewrites

The Redirect Loop Problem

The most common issue with Flexible SSL is an infinite redirect loop. Here's why it happens:

  1. User requests https://yoursite.com
  2. Cloudflare proxies to http://yoursite.com (Flexible mode)
  3. Your .htaccess has an HTTPS redirect rule
  4. Server sees HTTP request, redirects to https://
  5. Go to step 2. Infinite loop.

The Fix: Check X-Forwarded-Proto

Cloudflare adds an X-Forwarded-Proto header indicating the original protocol. Use this instead of checking the server's protocol directly:

RewriteEngine On

# Only redirect if the ORIGINAL request (to Cloudflare) was HTTP
# X-Forwarded-Proto tells us what the client actually used
RewriteCond %{HTTP:X-Forwarded-Proto} !https
RewriteCond %{HTTPS} !on
RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [R=301,L]

The key line is %{HTTP:X-Forwarded-Proto} !https. When Cloudflare proxies an HTTPS request, this header is set to "https", so the redirect rule does NOT fire. When a user directly accesses via HTTP (bypassing Cloudflare), both conditions are true and the redirect happens.

PHP-Level Protocol Detection

In your PHP application, detect HTTPS properly:

function isHttps(): bool {
    // Check Cloudflare's forwarded proto first
    if (isset($_SERVER['HTTP_X_FORWARDED_PROTO'])) {
        return $_SERVER['HTTP_X_FORWARDED_PROTO'] === 'https';
    }

    // Fall back to standard HTTPS detection
    return (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off')
        || ($_SERVER['SERVER_PORT'] ?? 0) == 443;
}

function baseUrl(): string {
    $protocol = isHttps() ? 'https' : 'http';
    return $protocol . '://' . $_SERVER['HTTP_HOST'];
}
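The following is an added example, not code from the original post. It models the two .htaccess variants from the redirect-loop section as PHP decision functions and replays constructed requests through them, so the loop and the fix can be compared side by side, and it shows a hardened variant of the isHttps() function above that honours X-Forwarded-Proto only when the request actually arrived from a trusted proxy (any client that reaches the origin directly can send that header itself). The function names, the simulated $_SERVER arrays and the TRUSTED_PROXIES list are all assumptions made for this example; the CIDR in it is a documentation-range placeholder and should be replaced with Cloudflare's published IP ranges.

```php
<?php
declare(strict_types=1);

// Placeholder (constructed): replace with the ranges Cloudflare publishes at
// https://www.cloudflare.com/ips/ so that only its edge is treated as a proxy.
const TRUSTED_PROXIES = ['203.0.113.0/24'];

// True when an IPv4 address falls inside a CIDR block.
function ipInCidr(string $ip, string $cidr): bool {
    [$subnet, $bits] = explode('/', $cidr, 2);
    $ipLong = ip2long($ip);
    $subnetLong = ip2long($subnet);
    if ($ipLong === false || $subnetLong === false) {
        return false;
    }
    $mask = $bits === '0' ? 0 : (-1 << (32 - (int)$bits)) & 0xFFFFFFFF;
    return ($ipLong & $mask) === ($subnetLong & $mask);
}

function fromTrustedProxy(array $server): bool {
    $remote = $server['REMOTE_ADDR'] ?? '';
    foreach (TRUSTED_PROXIES as $cidr) {
        if (ipInCidr($remote, $cidr)) {
            return true;
        }
    }
    return false;
}

// Hardened isHttps(): the forwarded header counts only when the hop that
// delivered it is a trusted proxy; otherwise fall back to the local connection.
function isHttpsTrusted(array $server): bool {
    if (fromTrustedProxy($server) && isset($server['HTTP_X_FORWARDED_PROTO'])) {
        // Proxy chains can produce "https, http": the first value is the client's scheme.
        $first = strtolower(trim(explode(',', $server['HTTP_X_FORWARDED_PROTO'])[0]));
        return $first === 'https';
    }
    return (!empty($server['HTTPS']) && $server['HTTPS'] !== 'off')
        || (int)($server['SERVER_PORT'] ?? 0) === 443;
}

// The two .htaccess variants as decision functions: true means "send a 301 to https".
function naiveRuleRedirects(array $server): bool {
    // RewriteCond %{HTTPS} !on
    return ($server['HTTPS'] ?? 'off') !== 'on';
}

function fixedRuleRedirects(array $server): bool {
    // RewriteCond %{HTTP:X-Forwarded-Proto} !https
    // RewriteCond %{HTTPS} !on
    $xfp = $server['HTTP_X_FORWARDED_PROTO'] ?? '';
    return $xfp !== 'https' && ($server['HTTPS'] ?? 'off') !== 'on';
}

// Replays one client request until the rule stops redirecting. Returns the
// number of requests it took, or -1 if $maxHops is exceeded (a redirect loop).
// With Flexible SSL the Cloudflare-to-origin hop is always plain HTTP, so the
// origin only ever sees HTTPS=off on proxied requests.
function simulate(callable $rule, bool $firstHopDirect, string $clientProto, int $maxHops = 5): int {
    $proto = $clientProto;
    $direct = $firstHopDirect;
    for ($hop = 1; $hop <= $maxHops; $hop++) {
        $server = $direct
            ? ['REMOTE_ADDR' => '198.51.100.7', 'HTTPS' => $proto === 'https' ? 'on' : 'off']
            : ['REMOTE_ADDR' => '203.0.113.10', 'HTTPS' => 'off',
               'HTTP_X_FORWARDED_PROTO' => $proto];
        if (!$rule($server)) {
            return $hop;
        }
        // The 301 points at https://<hostname>; the proxied DNS name routes that hop through Cloudflare.
        $proto = 'https';
        $direct = false;
    }
    return -1;
}

$cases = [
    'naive rule, HTTPS via Cloudflare'  => simulate('naiveRuleRedirects', false, 'https'),
    'fixed rule, HTTPS via Cloudflare'  => simulate('fixedRuleRedirects', false, 'https'),
    'fixed rule, HTTP via Cloudflare'   => simulate('fixedRuleRedirects', false, 'http'),
    'fixed rule, HTTP direct to origin' => simulate('fixedRuleRedirects', true, 'http'),
];
foreach ($cases as $label => $hops) {
    printf("%-36s %s\n", $label, $hops < 0 ? 'REDIRECT LOOP' : "settles after $hops request(s)");
}

// A direct request carrying its own X-Forwarded-Proto is not believed...
$direct = ['REMOTE_ADDR' => '198.51.100.7', 'HTTPS' => 'off', 'HTTP_X_FORWARDED_PROTO' => 'https'];
var_dump(isHttpsTrusted($direct));   // bool(false)
// ...while the same header from the proxy range is.
$proxied = ['REMOTE_ADDR' => '203.0.113.10', 'HTTPS' => 'off', 'HTTP_X_FORWARDED_PROTO' => 'https, http'];
var_dump(isHttpsTrusted($proxied));  // bool(true)
```

Run it with `php simulate.php`: the naive rule loops on every HTTPS visit because the origin never sees HTTPS=on, the fixed rule settles on the first request, and the two HTTP cases settle on the second. On shared hosting where Cloudflare's ranges are not enforced at the web server, the REMOTE_ADDR check is the only thing tying the forwarded header to Cloudflare, which is why the hardened function keeps it.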

Security Headers

Even with Flexible SSL, you should set security headers. Add these to .htaccess:

# Security headers
Header always set X-Content-Type-Options "nosniff"
Header always set X-Frame-Options "SAMEORIGIN"
Header always set Referrer-Policy "strict-origin-when-cross-origin"
Header always set Permissions-Policy "camera=(), microphone=(), geolocation=()"

# HSTS - only if you're committed to HTTPS
# (Cloudflare can handle this at the edge too)
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"

Common Pitfalls

1. Mixed content warnings. Your HTML references http:// resources. Fix by using protocol-relative URLs or always https://:

// Bad
$url = 'http://yoursite.com/assets/style.css';

// Good
$url = '//yoursite.com/assets/style.css';

// Best
$url = '/assets/style.css';

2. Canonical URLs. Always set canonical URLs to https://:

// REQUEST_URI is client-controlled, so escape it before placing it in an attribute
echo '<link rel="canonical" href="https://dailywatch.video'
    . htmlspecialchars($_SERVER['REQUEST_URI'], ENT_QUOTES, 'UTF-8') . '">';

3. Sitemap URLs. All URLs in your XML sitemap must use https://.
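The following is an added example, not code from the original post, covering pitfalls 2 and 3 together. It builds the canonical link tag and an XML sitemap so that every URL is forced onto https:// for the site's own host, regardless of what scheme the stored path or the incoming request used, and it drops the query string and fragment from the canonical path. The host is passed in explicitly rather than read from HTTP_HOST, which a client can set. The function names and sample paths are assumptions for this example; dailywatch.video is used only because it is the host named in the post.

```php
<?php
declare(strict_types=1);

const CANONICAL_HOST = 'dailywatch.video';   // the post's host, used as the sample

// Canonical URL: https scheme, own host, path only (no query or fragment),
// each segment percent-encoded so the output is a valid URL whatever came in.
function canonicalUrl(string $requestUri, string $host = CANONICAL_HOST): string {
    $path = parse_url($requestUri, PHP_URL_PATH);
    if (!is_string($path) || $path === '' || $path[0] !== '/') {
        $path = '/';
    }
    $segments = array_map('rawurlencode', array_map('rawurldecode', explode('/', $path)));
    return 'https://' . $host . implode('/', $segments);
}

// The tag itself is still HTML-escaped: URL encoding and attribute escaping are separate layers.
function canonicalLinkTag(string $requestUri): string {
    return '<link rel="canonical" href="'
        . htmlspecialchars(canonicalUrl($requestUri), ENT_QUOTES, 'UTF-8') . '">';
}

// Sitemap: accepts bare paths or full URLs (any scheme), keeps only the path,
// and emits every <loc> via canonicalUrl() so they all read https://<host>/...
function buildSitemap(array $paths, string $host = CANONICAL_HOST): string {
    $ns = 'http://www.sitemaps.org/schemas/sitemap/0.9';
    $doc = new DOMDocument('1.0', 'UTF-8');
    $doc->formatOutput = true;
    $urlset = $doc->createElementNS($ns, 'urlset');
    $doc->appendChild($urlset);
    foreach ($paths as $p) {
        $path = parse_url($p, PHP_URL_PATH);
        if (!is_string($path)) {
            $path = '/';
        }
        $url = $doc->createElementNS($ns, 'url');
        $loc = $doc->createElementNS($ns, 'loc');
        $loc->appendChild($doc->createTextNode(canonicalUrl($path, $host)));   // text node: & is escaped correctly
        $url->appendChild($loc);
        $urlset->appendChild($url);
    }
    return $doc->saveXML();
}

// Constructed sample input.
echo canonicalLinkTag('/videos/42?utm_source=x#top'), "\n";
// <link rel="canonical" href="https://dailywatch.video/videos/42">
echo canonicalLinkTag('/tag/a"b&c'), "\n";
// <link rel="canonical" href="https://dailywatch.video/tag/a%22b%26c">
echo buildSitemap(['/', 'http://dailywatch.video/videos/42', '/about us']);
// every <loc> starts with https://dailywatch.video/
```

Feeding the sitemap builder the same path list the site already uses for routing keeps the sitemap, the canonical tags and the redirect rule in agreement: all three point at the https:// form of the same host.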

This configuration has been running stably on dailywatch.video for months. Flexible SSL is not as secure as Full (Strict) mode, but when your hosting doesn't support origin certificates, it's a pragmatic solution that gives users encrypted connections.