Cloudflare redirect loop

Runbook for a Cloudflare-fronted site that redirect-loops (ERR_TOO_MANY_REDIRECTS) — almost always SSL mode set to flexible. Diagnose and fix the zone's SSL mode.

Symptom: A Cloudflare-fronted site (e.g. super-ht.com) won’t load — browser shows ERR_TOO_MANY_REDIRECTS or an endless HTTPS redirect.

Likely cause

SSL/TLS mode set to flexible. In flexible mode Cloudflare speaks HTTPS to the visitor but plain HTTP to the origin. If the origin (WordPress, in the super-ht.com case) is configured to force HTTPS, it redirects back to HTTPS — which Cloudflare serves over HTTP to the origin again — and the loop never resolves. This is the single most common cause.

Diagnose

Get the zone ID, then read the SSL mode:

cf_get_zone(params={"domain": "super-ht.com"})
cf_get_ssl_mode(params={"zone_id": "<zone id>"})

If value is flexible and the origin forces HTTPS, that’s the loop.

Fix

Switch the zone to full (origin cert may be self-signed) or strict (origin cert must be valid/trusted):

cf_set_ssl_mode(params={"zone_id": "<zone id>", "mode": "full"})

Use strict when the origin has a valid certificate — it’s the stronger setting. If the loop persists after switching, also check for an origin-side “always redirect to HTTPS” rule fighting a Cloudflare always_use_https setting.

Verify

Re-read the mode and load the site:

cf_get_ssl_mode(params={"zone_id": "<zone id>"})
fetch_url(url="https://super-ht.com", max_bytes=2000)

A 200 (or a single, terminating redirect) means the loop is gone. If you changed cache-affecting settings, a cf_purge_cache may be needed before the fix is visible.

  • cloudflarecf_* SSL, DNS, and cache tools (note the params wrapper)
  • Service Map — the Cloudflare edge and the corporate WordPress site
  • Hosts — public hostnames in the SuperHiTech orbit