By Tilak Sasmal — Thu Jun 11 2026
3 min read
Getting locked out of your website by an infinite redirect loop is incredibly frustrating. Seeing the "Too Many Redirects" error page can feel like a dead end when you are ready to publish new content. In this guide, you will learn why this error happens when combining Cloudflare with Ghost CMS and see exactly how to fix it in five minutes.
Integrating a content delivery network is a standard step for Ghost blog optimization, but configuration errors will crash your site. The problem happens when Cloudflare and Nginx have mismatching SSL settings. If Cloudflare expects secure traffic but Nginx answers with unsecure protocols, your site will loop infinitely.
This behavior usually triggers when your Cloudflare SSL mode is set to "Flexible." Flexible SSL encrypts traffic from the visitor to Cloudflare but sends unencrypted HTTP traffic to your host. Since Ghost forces secure HTTPS connections, it rejects the unencrypted traffic and sends a redirect response, starting the loop.
To stop the redirect loop on your self-hosted site, you must update your Cloudflare encryption settings. If you are completing a self-hosted Ghost migration or general Ghost migrate task, changing your Cloudflare SSL setting to "Full (Strict)" resolves security handshake conflicts. This tells Cloudflare to encrypt requests all the way to your origin server, satisfying Ghost's security requirements.
Before switching to Full (Strict), verify that your Nginx server has an active Let's Encrypt certificate installed. This configuration guarantees that encrypted traffic flows correctly through the proxy to the backend. It also ensures web browsers load your site securely without security warnings.
If you are running your application via a Ghost Docker migration, Nginx must pass headers to let Ghost know the incoming connection is secure. Docker (a containerization tool that packages software into virtual environments) isolates the Ghost service, making it unaware of Cloudflare's SSL proxy layer. Without these headers (metadata sent along with HTTP requests to provide context to the server), Ghost assumes the connection is unsecure.
Add the following lines to your Nginx location block to forward the correct headers into your container:
proxy_set_header X-Forwarded-Proto https;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
These parameters let Ghost know that Cloudflare successfully handled the SSL handshake. Once Nginx passes these variables, Ghost stops sending redirect instructions to your visitors.
When you transfer Ghost blog to new host servers, ensuring your proxy configurations match is essential to prevent downtime. Copying database files without setting up your SSL keys on the new server will trigger redirect errors. Always verify that your new server is ready to handle HTTPS requests before routing live domain traffic.
Check the table below to see how different Cloudflare SSL configurations behave on your server.
| Cloudflare SSL Mode | Browser to Cloudflare | Cloudflare to Origin Server | Origin SSL Requirement |
| Flexible SSL | Encrypted (HTTPS) | Unencrypted (HTTP) | None (Triggers Ghost redirect loop) |
| Full SSL | Encrypted (HTTPS) | Encrypted (HTTPS) | Self-signed certificate allowed |
| Full (Strict) SSL | Encrypted (HTTPS) | Encrypted (HTTPS) | Valid CA certificate required (Recommended) |
Self-hosting Ghost behind a proxy requires you to configure and manage Nginx, SSL certificates, and Cloudflare rules manually. If you prefer to avoid editing server blocks, conducting a Ghost hosting comparison highlights simpler hosting options. Selecting managed Ghost hosting platforms offloads SSL certificate management to the hosting provider.
For writers who want to avoid reverse proxy errors entirely, executing a Ghost to Typetale migration or moving from Ghost(Pro) to Typetale is a great path forward. Typetale integrates edge caching and automated SSL configuration into the platform. This lets you connect custom domains instantly without touching server code or Nginx files. Below is a comparison to help you find the best managed Ghost hosting setup or alternative.
Cloudflare SSL redirect loops are easy to fix once you understand the handshake protocol between Nginx and the edge proxy. Always set your Cloudflare mode to Full (Strict) and ensure your Nginx server block forwards the secure protocol header.
If managing server security and proxy configs consumes too much of your time, choosing an automated platform like Typetale lets you focus on publishing.
An end-to-end secure SSL connection protects your readers and stops loop errors before they start.