HTTP HTTPS SSL Cloudflare OJS -This request has been blocked

(serving mixed HTTP/HTTPS content)
CloudFlare Flexible SSL is active.

PHP Ver. 7.3.4
Windows Server 2012 R2 Standard Edition (IIS)

Error: This request has been blocked; the content must be served over HTTPS.
turning on force_ssl does not do any good because then you get a redirect loop.

This problem has been discussed many times in the forum. . Is There a Definite Solution to This Problem?

1 Like

The problem with Cloudflare’s FlexibleSSL solution and OJS is that the connection between the client and CloudFlare is SSL, but the connection between Cloudflare and the server hosting OJS is not. So, you end up with a situation where, if force_ssl is off, the main page is SSL but internal requests are not. And enabling force_ssl just creates the loop you see.

The ultimate solution is probably to leave force_ssl off and modify page URLs to use relative protocols instead of hardcoded http or https ones. A relative protocol would look like //www.your-journal-com/index.php/journal/$$$call$$$…

There is one place in the OJS codebase that already does this, when LESS CSS files are compiled. Be warned that not all browsers support them, and annoyingly IE 7 and 8 fetch protocol relative resources twice.

There’s a blog post about fixing this same issue for Wordpress, here:


1 Like

Alternatively, and probably more robustly, use a different SSL provider. PKP|PS uses Let’s Encrypt. It’s free, works everywhere, and the only small annoyance is that you need to renew your certificates every 3 months. But you can use a CLI to script the renewal automatically. I’m not sure how that would work with Windows Server.

1 Like

I tried this method, the problem is solved for now. Thank you.

1 Like

This also saved my days of searching, thank you very much