Introduction
A Cloudflare forwarding rule can look correct in isolation and still create a loop once the request reaches the origin. The common pattern is that Cloudflare redirects to one hostname or scheme while the application, load balancer, or web server redirects right back. The fix is to map the full redirect chain and keep only one authoritative rule for each hostname transition.
Symptoms
- Browsers show ERR_TOO_MANY_REDIRECTS
- The loop appears only after enabling a Cloudflare forwarding or redirect rule
- Direct origin testing behaves differently from the proxied hostname
- HTTP and HTTPS keep bouncing between each other
- www and non-www hostnames keep redirecting back and forth
Common Causes
- A Cloudflare forwarding rule duplicates an origin redirect
- Old Page Rules and newer Redirect Rules both match the same request
- The origin forces one hostname while Cloudflare forwards to another
- Flexible or mismatched SSL mode creates scheme confusion
- Broad wildcard matching catches traffic that should not be redirected
Step-by-Step Fix
- Test the failing URL with redirect inspection so you can see each hop instead of guessing which layer is looping.
- Review all Cloudflare redirect logic that could match the request, including Page Rules, Redirect Rules, and bulk redirects if used.
- Check the origin web server, application, and CMS for their own canonical host or HTTPS redirects.
- Confirm Cloudflare SSL mode matches how the origin actually handles HTTPS so scheme upgrades do not bounce unexpectedly.
- Temporarily disable the most suspicious Cloudflare redirect rule and test again to isolate whether Cloudflare or the origin starts the loop.
- Keep only one canonical redirect owner for each behavior, such as HTTP to HTTPS or non-www to www, rather than splitting it across layers.
- Narrow wildcard patterns so redirects apply only to the hostnames and paths you intended.
- Re-test both proxied and direct-origin behavior after the change to confirm the loop is gone and the final destination is stable.
- Document the redirect ownership clearly so later DNS, SSL, or app changes do not recreate the same loop.
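One way to do the hop-by-hop inspection from the first step and the re-test after the change, as an added example that is not part of the original article. The function names (head_location, trace, classify) and the example.com redirect map are constructed for illustration.

```python
import http.client
from urllib.parse import urlsplit, urljoin

def head_location(url, timeout=5):
    """One HEAD request, redirects not followed: (status, absolute Location or None)."""
    u = urlsplit(url)
    cls = http.client.HTTPSConnection if u.scheme == "https" else http.client.HTTPConnection
    conn = cls(u.netloc, timeout=timeout)
    try:
        conn.request("HEAD", (u.path or "/") + ("?" + u.query if u.query else ""))
        resp = conn.getresponse()
        loc = resp.getheader("Location")
        return resp.status, (urljoin(url, loc) if loc else None)
    finally:
        conn.close()

def trace(url, fetch=head_location, max_hops=10):
    """Return (hops, loop): every hop seen, plus the repeating cycle or None."""
    hops, seen = [], {}
    for _ in range(max_hops):
        if url in seen:                      # same URL twice: this is the loop
            return hops, [h[0] for h in hops[seen[url]:]]
        seen[url] = len(hops)
        status, nxt = fetch(url)
        hops.append((url, status, nxt))
        if status not in (301, 302, 303, 307, 308) or not nxt:
            return hops, None                # stable final destination
        url = nxt
    return hops, None                        # hop budget spent, no repeat found

def classify(loop):
    """Name what flips inside the cycle so the owning rule can be located."""
    if len(loop) == 1:
        return ["self"]  # URL redirects to itself, e.g. origin upgrading a scheme it never sees
    parts = [urlsplit(u) for u in loop]
    kinds = [k for k, vals in (("scheme", {p.scheme for p in parts}),
                               ("host", {p.hostname for p in parts})) if len(vals) > 1]
    return kinds or ["path"]

# Constructed sample: one layer sends apex -> www, the other sends www -> apex.
SAMPLE = {
    "http://example.com/": (301, "https://example.com/"),
    "https://example.com/": (301, "https://www.example.com/"),
    "https://www.example.com/": (301, "https://example.com/"),
}

if __name__ == "__main__":
    hops, loop = trace("http://example.com/", fetch=lambda u: SAMPLE.get(u, (200, None)))
    print(hops, loop, classify(loop) if loop else "no loop")
```

Calling trace() with the default fetch issues real HEAD requests against the URL you pass; a "host" result points at competing www rules, "scheme" at competing HTTPS rules, and "self" at a redirect the client sees as pointing to the same URL.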