Pragmatism in the real world

Cloudflare SSL/TLS setting for an encrypted connection to upstream

I was helping a friend set up a new website and hit a problem where the website was stuck in an infinite redirect loop.

I could see this in curl quite easily:

$ curl -I https://myfriendswebsite.example.com/
HTTP/1.1 301 Moved Permanently
Location: https://myfriendswebsite.example.com/

To debug, we turned off Cloudflare by setting the Proxy status on the DNS record in Cloudflare’s admin to “DNS only” and the problem went away.

Further investigation led to the SSL/TLS setting in Cloudflare. When my friend had set this up, they had chosen the Flexible encryption mode, possibly because it sounded like the right choice. (Though I wonder why they didn’t leave it on Automatic?)

With Flexible encryption mode, Cloudflare accepts an SSL connection from the browser and then makes a plain, non-SSL connection to the server where the website is hosted (http://myfriendswebsite.example.com/). Our server has an SSL certificate set up and an nginx rule that notices the request is not encrypted and returns a 301 redirect to the secure URL (https://myfriendswebsite.example.com/). nginx only ever sees the plaintext hop from Cloudflare, so from its point of view every request is unencrypted. The browser follows the redirect to the SSL URL, which goes to Cloudflare again, which again makes a non-SSL connection to the web server, and we are in the loop.

The fix is simple: set the Cloudflare encryption mode to Full (Strict) if your upstream server has its own SSL certificate. Full (Strict) makes Cloudflare connect to the upstream over HTTPS and validate the certificate, so it must be one Cloudflare trusts (a certificate from a public CA, or a Cloudflare Origin CA certificate). Plain Full also encrypts the hop to the upstream but accepts any certificate, including a self-signed one, so it protects against passive sniffing but not against a man in the middle between Cloudflare and your server.

Alternatively, don’t touch this setting at all: leave it on Automatic and let Cloudflare sort it out, though this runs the risk of a non-SSL connection between Cloudflare and your web server if you’ve misconfigured your web server. Personally, I prefer Full (Strict), so that there’s a visible failure if my web server is no longer serving encrypted traffic to Cloudflare with a valid certificate.
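To make the loop and the effect of each mode concrete, here is a small Python model that plays both sides of the exchange described above: a Cloudflare edge in Flexible, Full and Full (Strict) mode, and an origin whose plain-HTTP listener only redirects to HTTPS. This is an added example written for this post, not code from Cloudflare or from the original article. The origin hostname and the cert_valid flag are constructed assumptions; the 526 status the model returns when Full (Strict) meets an untrusted certificate is the status Cloudflare itself uses for that case, but everything else about the edge is simplified to the bare decision the post is about.

```python
"""Model of how Cloudflare's SSL/TLS encryption mode interacts with an
origin that redirects plain HTTP to HTTPS.  Added example for this post,
not Cloudflare's or the post author's code; the origin host and the
cert_valid flag are constructed assumptions."""
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass
class Origin:
    """The upstream web server (nginx in the post).  The plain-HTTP listener
    only ever redirects to the HTTPS URL; the HTTPS listener serves the site.
    cert_valid says whether Cloudflare would trust the certificate."""
    host: str
    cert_valid: bool = True

    def handle(self, scheme: str, path: str) -> dict:
        if scheme == "http":
            # nginx: return 301 https://$host$request_uri;
            return {"status": 301, "location": f"https://{self.host}{path}"}
        return {"status": 200, "location": None}


def edge_fetch(mode: str, origin: Origin, path: str) -> dict:
    """Cloudflare's edge has already accepted the visitor's HTTPS request;
    the encryption mode decides how it talks to the origin."""
    if mode == "Flexible":
        # plaintext to the origin, no matter what the visitor used
        return origin.handle("http", path)
    if mode == "Full":
        # TLS to the origin, certificate not validated (self-signed accepted)
        return origin.handle("https", path)
    if mode == "Full (Strict)":
        # TLS to the origin and the certificate must validate
        if not origin.cert_valid:
            # Cloudflare's own 'Invalid SSL certificate' error (assumed here)
            return {"status": 526, "location": None}
        return origin.handle("https", path)
    raise ValueError(f"unknown encryption mode {mode!r}")


def browse(mode: str, origin: Origin, path: str = "/", max_redirects: int = 5):
    """Act like a browser (or curl -L) visiting https://<origin.host><path>
    through Cloudflare: follow 301s until a final response, or give up after
    max_redirects.  Returns (outcome, urls_requested)."""
    url = f"https://{origin.host}{path}"
    requested = []
    for _ in range(max_redirects + 1):
        requested.append(url)
        resp = edge_fetch(mode, origin, urlsplit(url).path or "/")
        if resp["status"] == 301:
            url = resp["location"]  # in the loop this is the same URL again
            continue
        return resp["status"], requested
    return "redirect loop", requested


if __name__ == "__main__":
    site = Origin("myfriendswebsite.example.com")
    self_signed = Origin("myfriendswebsite.example.com", cert_valid=False)
    for label, mode, origin in [
        ("Flexible, valid cert", "Flexible", site),
        ("Full, self-signed cert", "Full", self_signed),
        ("Full (Strict), self-signed cert", "Full (Strict)", self_signed),
        ("Full (Strict), valid cert", "Full (Strict)", site),
    ]:
        outcome, hops = browse(mode, origin)
        print(f"{label:32} -> {outcome} after {len(hops)} request(s)")
```

Running it shows the four situations side by side: Flexible never escapes the 301 (the origin keeps answering a plaintext request with "go to https"), Full serves the page even with a certificate Cloudflare would not trust, and Full (Strict) is the only mode that fails loudly with 526 instead of silently downgrading when the origin certificate is bad.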
