I don't remember exactly how I eventually solved it, but I looked at the commit history and I found the following main code changes:
I added this portion to web.config:
<!-- Uncomment the setting below if your hosting uses a load balancer. It'll be used to determine whether the current request is HTTPS.-->
<add key="Use_HTTP_CLUSTER_HTTPS" value="true" />
<add key="Use_HTTP_X_FORWARDED_PROTO" value="true" />
<add key="Use_X-ARR-SSL" value="true" />
<add key="Use_HTTP_CF_VISITOR" value="true" />
<!-- Uncomment the setting below if your hosting doesn't use "X-FORWARDED-FOR" header to determine IP address.
In some cases server use other HTTP header. You can specify a custom HTTP header here. For example, CF-Connecting-IP, X-FORWARDED-PROTO, etc-->
<!--<add key="ForwardedHTTPheader" value="CF-Connecting-IP" /> -->
This portion to web.release.config:
<system.webServer>
<!--This rewrite rule is here only because of an infinity loop caused by cloudflare plus ssl on server-->
<!--http://stackoverflow.com/questions/34340318/cloudflare-flexible-ssl-redirect-loop-on-asp-net-website-->
<rewrite xdt:Transform="Insert">
<rules>
<rule name="Redirect to https" stopProcessing="true">
<match url="(.*)" />
<conditions>
<add input="{HTTP_CF_VISITOR}" pattern="(.*)https(.*)" ignoreCase="true" negate="true" />
</conditions>
<action type="Redirect" url="https://{HTTP_HOST}{REQUEST_URI}" appendQueryString="false" redirectType="Permanent" />
</rule>
</rules>
</rewrite>
</system.webServer>
And changed the IsCurrentConnectionSecured() method from WebHelper class to this:
public virtual bool IsCurrentConnectionSecured()
{
bool useSsl = false;
if (IsRequestAvailable(_httpContext))
{
//when your hosting uses a load balancer on their server then the Request.IsSecureConnection is never got set to true
//1. use HTTP_CLUSTER_HTTPS?
if (!string.IsNullOrEmpty(ConfigurationManager.AppSettings["Use_HTTP_CLUSTER_HTTPS"]) &&
Convert.ToBoolean(ConfigurationManager.AppSettings["Use_HTTP_CLUSTER_HTTPS"]))
{
useSsl = ServerVariables("HTTP_CLUSTER_HTTPS") == "on";
}
//2. use HTTP_X_FORWARDED_PROTO?
else if (!string.IsNullOrEmpty(ConfigurationManager.AppSettings["Use_HTTP_X_FORWARDED_PROTO"]) &&
Convert.ToBoolean(ConfigurationManager.AppSettings["Use_HTTP_X_FORWARDED_PROTO"]))
{
useSsl = string.Equals(ServerVariables("HTTP_X_FORWARDED_PROTO"), "https", StringComparison.OrdinalIgnoreCase);
}
//3. use X-ARR-SSL?
else if (!string.IsNullOrEmpty(ConfigurationManager.AppSettings["Use_X-ARR-SSL"]) &&
Convert.ToBoolean(ConfigurationManager.AppSettings["Use_X-ARR-SSL"]))
{
useSsl = !string.IsNullOrWhiteSpace(ServerVariables("X-ARR-SSL"));
}
//4. use HTTP_CF_VISITOR?
else if (!string.IsNullOrEmpty(ConfigurationManager.AppSettings["Use_HTTP_CF_VISITOR"]) &&
Convert.ToBoolean(ConfigurationManager.AppSettings["Use_HTTP_CF_VISITOR"]))
{
useSsl = !string.IsNullOrWhiteSpace(ServerVariables("HTTP_CF_VISITOR"))
&& ServerVariables("HTTP_CF_VISITOR").ToLower().Contains("https");
}
else
{
useSsl = _httpContext.Request.IsSecureConnection;
}
}
return useSsl;
}
I don't know if everything is necessary, but I'm almost sure it was the web.release.config that did the trick.
Hope this helps.