An SSL loop on Cloudflare (often shown as “Too many redirects” or Cloudflare error ERR_TOO_MANY_REDIRECTS) happens when Cloudflare and your origin server keep redirecting each other between HTTP and HTTPS.
Here’s a step-by-step guide to fix it:
Why SSL loops happen
- Visitor → HTTPS → Cloudflare
- Cloudflare → HTTP → origin server
- Origin server → redirects to HTTPS
- Cloudflare repeats step 2 → infinite loop
This is caused by mismatched SSL settings between Cloudflare and your server.
Step 1: Set the correct Cloudflare SSL mode
Go to Cloudflare → SSL/TLS → Overview
Correct setting
- Full (Strict)
Explanation of modes
| Mode | Problem |
|---|---|
| Off | No HTTPS |
| Flexible | Causes SSL loops |
| Full | No certificate validation |
| Full (Strict) | Correct and secure |
Flexible SSL is the most common cause of redirect loops.
Step 2: Install a valid certificate on the origin server
Your server must have a valid certificate if using Full (Strict).
Options:
- Public CA (Let’s Encrypt, DigiCert, etc.)
- Cloudflare Origin Certificate (trusted only by Cloudflare, valid up to 15 years)
Step 3: Fix HTTPS redirects on the origin server
Apache
RewriteEngine On
RewriteCond %{HTTP:X-Forwarded-Proto} =http
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
Nginx
if ($http_x_forwarded_proto = "http") {
return 301 https://$host$request_uri;
}
This ensures redirects happen only if the visitor used HTTP, preventing loops.
Step 4: Let Cloudflare handle HTTPS redirects
- Cloudflare → SSL/TLS → Edge Certificates → Always Use HTTPS
- Remove HTTPS redirects from the server to avoid conflicts
Step 5: WordPress-specific fix
wp-config.php
define('FORCE_SSL_ADMIN', true);
if (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) &&
$_SERVER['HTTP_X_FORWARDED_PROTO'] === 'https') {
$_SERVER['HTTPS'] = 'on';
}
Check that WordPress Address and Site Address use https://.
Step 6: Clear caches
- Purge Cloudflare cache
- Clear browser cache
- Clear server cache if any
Quick Fix Checklist
- Cloudflare SSL mode = Full (Strict)
- Origin server has valid certificate
- No Flexible SSL
- Redirects respect
X-Forwarded-Proto - Cloudflare handles HTTPS redirect
- WordPress URLs set to HTTPS
Verification
curl -I https://example.com
- Should return HTTP 200 or 301 with correct
Location - No repeating redirects
openssl s_client -connect example.com:443 -servername example.com
- Certificate should load without errors
Common causes summary
| Cause | Fix |
|---|---|
| Flexible SSL | Switch to Full (Strict) |
| Origin has no certificate | Install origin certificate |
| Double redirects | Let Cloudflare handle HTTPS |
| WordPress misdetects HTTPS | Fix wp-config.php |
| CDN + server redirect conflict | Respect X-Forwarded-Proto |