I think you might be misunderstanding a few key concepts regarding rewrite vs. redirect and how they apply to HTTP vs HTTPS.
Firstly, you can’t rewrite HTTP to HTTPS. Scheme is independent of the resource served by Caddy. To serve HTTPS, the client must make the connection via HTTPS. Rewriting is very different from redirection.
What a redirection does is: when someone connects to Caddy via HTTP, Caddy says “Nope, go away and come back via HTTPS.” CloudFlare doesn’t want to come back via HTTPS, so it keeps trying HTTP, ad nauseam. You will not be able to redirect CloudFlare from HTTP to HTTPS.
I repeat, if you want CloudFlare to access your HTTPS site, you must:
- Configure CloudFlare to access your site via HTTPS, OR;
- Configure your site to allow CloudFlare to access HTTP without being redirected
Secondly, I would not suggest the use of `X-Forwarded-Proto`. It’s not unique to CloudFlare, which is what you want to test for and why I suggested the `CF-Connecting-IP` header.
Thirdly, a duplicated vhost setup would have to look something like this:
```
http://*.mydomain.com {
    ...
    redir 301 {
        if {>CF-Connecting-IP} not_has .
        / https://{host}{uri}
    }
}

https://*.mydomain.com {
    ...
}
```
Ninja edit: corrected if statement from `has` to `not_has` as we want to redirect only when the client is NOT CloudFlare. There may be a better way to test but this is just a quick suggestion that should work.
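Added example (my own code, not from the post above or the Caddy project): a Python model of the redirect decision the `redir` block makes, so the `not_has .` rule can be exercised on sample requests. It also includes a stricter variant that trusts `CF-Connecting-IP` only when the TCP peer sits in an assumed edge range; the range used is a constructed placeholder, not CloudFlare's real list.

```python
import ipaddress
from typing import Mapping, Optional

# Constructed placeholder standing in for the edge ranges a deployment would
# load from the CDN's published list. Not real data.
CF_EDGE_RANGES = [ipaddress.ip_network("198.51.100.0/24")]


def _header(headers: Mapping[str, str], name: str) -> str:
    """Case-insensitive header lookup; missing header reads as empty string."""
    for k, v in headers.items():
        if k.lower() == name.lower():
            return v
    return ""


def redirect_target(scheme: str, host: str, uri: str,
                    headers: Mapping[str, str]) -> Optional[str]:
    """Mirror the posted Caddyfile rule for the http:// vhost.

    On a plain-HTTP request, answer with the HTTPS Location unless the
    CF-Connecting-IP header is present (the client is taken to be CloudFlare).
    `not_has .` matches when the header value does not contain a dot, which
    also covers an absent header. Returns None when no redirect is issued.
    """
    if scheme == "https":
        return None  # the https:// vhost has no redir block
    if "." in _header(headers, "CF-Connecting-IP"):
        return None  # looks like CloudFlare: serve over HTTP, no redirect
    return f"https://{host}{uri}"


def redirect_target_strict(scheme: str, host: str, uri: str,
                           headers: Mapping[str, str],
                           remote_addr: str) -> Optional[str]:
    """Stricter variant: any client can send CF-Connecting-IP, so only honour
    it when the connecting peer is inside an edge range (assumed list above)."""
    if scheme == "https":
        return None
    peer = ipaddress.ip_address(remote_addr)
    from_edge = any(peer in net for net in CF_EDGE_RANGES)
    if from_edge and "." in _header(headers, "CF-Connecting-IP"):
        return None
    return f"https://{host}{uri}"
```

The strict variant is what the post's "there may be a better way to test" hints at: the header alone proves nothing about who sent it.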