CloudFlare will not let me serve only HTTPS, it works only if I serve HTTP along with HTTPS

I have set up a simple server to test my TLS certificate, the TLS part works fine. I have my DNS through CloudFlare.

I would like the website to remain anonymous so I just changed the domain to "example.com".

Here is the code for the simple server:

package main

import (
	"log"
	"net/http"
)

var hostname = "example.com"

var key = "/srv/ssl/" + hostname + "-2017.03.20.key"
var cert = "/srv/ssl/ssl-bundle.crt"

func main() {
	http.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
		w.Write([]byte("TLS test"))
	})
	// go serveHTTP()
	// go redirectHTTP()
	serveHTTPS()
}

func serveHTTP() {
	if err := http.ListenAndServe(":80", nil); err != nil {
		log.Fatalf("ListenAndServe error: %v", err)
	}
}

func redirectHTTP() {
	err := http.ListenAndServe(":80", http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		http.Redirect(w, r, "https://"+hostname+r.RequestURI, http.StatusMovedPermanently)
	}))
	if err != nil {
		log.Fatalf("ListenAndServe error: %v", err)
	}
}

func serveHTTPS() {
	log.Fatal(http.ListenAndServeTLS(":443", cert, key, nil))
}

Now if I run the server like this, and go to https://example.com then it does not work.

But if I change the part that lets me serve HTTP to this:

go serveHTTP()
// go redirectHTTP()
serveHTTPS()

Then suddenly both HTTP and HTTPS works. So if I go to my site by typing in http://example.com, and https://example.com, both works fine.

If I comment out go serveHTTP() and try to redirect HTTP to HTTPS like this:

// go serveHTTP()
go redirectHTTP()
serveHTTPS()

Then I get this on my screen:

If I change back to this:

// go serveHTTP()
// go redirectHTTP()
serveHTTPS()

And access the page not through the domain name, but though the ip address, I ofcourse get a warning because the certificate is not issued to the ip address, but the domain name I use.

If I persist by clicking advanced and adding exception then it works.

So actually it is being served at port 443, but trying to access the page through the domain name, that lets it go through CloudFlare DNS, then it does not work.

Even if I only use CloudFlare as "DNS only" it still does not matter:

Or if I change to proxy, still the same:

I have turned off cache and I use developer mode so that I should get "real time responses" from my server.

So to summerize, since I have my DNS through CloudFlare, CloudFlare does not let me serve HTTPS, without HTTP. I need both HTTP and HTTPS without HTTP redirect. This is really weird and I have no idea how to fix this. The server serves through 443 because as I showed if I try to access the page through the IP address and add security exception, the page is actually being served.

What can I do?

When Cloudflare is set to Flexible SSL mode, the connection to the origin will always be over HTTP (not HTTPS).

From Cloudflare KB:

> You don't need to have an SSL certificate on your web server, but
> your visitors still see the site as being HTTPS enabled. This option
> is not recommended if you have any sensitive information on your
> website. This setting will only work for port 443->80, not for the
> other ports we support like 2053. It should only be used as a last
> resort if you are not able to setup SSL on your own web server, but it
> is less secure than any other option (even “Off”), and could even
> cause you trouble when you decide to switch away from it: How do I fix
> the infinite redirect loop...

In order to change this, go to the Crypto tab in the Cloudflare dashboard and in the SSL option change "Flexible" to "Full (Strict)" (or "Full" if you're using a self-signed cert).