nginx proxy + cloudflare + https = 403 Forbidden cloudflare-nginx

[f4nff@…]

upstream cloudflareapi.com {
    server 104.16.69.234:443;
    server 104.16.68.234:443;
    server 104.16.70.234:443;
    server 104.16.71.234:443;

}


server {
        listen      80;



 location /{
    proxy_pass_header Server;
    proxy_pass     https://cloudflareapi.com;
	proxy_set_header Host $http_host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Scheme $scheme;
        }
    }

403 Forbidden
cloudflare-nginx

I searched all methods of the Internet and can not fix any area of ipflash proxy cloudflare~

[f4nff@…]

upstream cloudflareapi.com {
    server 104.16.19.234:443;
    server 104.16.18.234:443;
    server 104.16.10.234:443;
    server 104.16.11.234:443;

}


server {
        listen      80;



 location /{
    proxy_pass_header Server;
    proxy_pass     https://cloudflareapi.com;
	proxy_set_header Host "cloudflareapi.com";
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Scheme $scheme;
        }
    }

This is not work either~!

[f4nff@…]

server {
        listen      80;



 location /{
    proxy_pass_header Server;
    proxy_pass     https://cloudflareapi.com;
	proxy_set_header Host "cloudflareapi.com";
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Scheme $scheme;
        }
    }

This is fine, but not enough for my load balancing needs.

		
server {
        listen      80;



 location /{
    proxy_pass_header Server;
    proxy_pass     https://104.16.19.19;
	proxy_set_header Host "cloudflareapi.com";
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Scheme $scheme;
        }
    }

This does not work either!

sni host != host
I am so skeptical~

[f4nff@…]

Replying to f4nff@…:

upstream cloudflareapi.com {
	server 104.16.19.234:443;
	server 104.16.18.234:443;
	server 104.16.10.234:443;
	server 104.16.11.234:443;
 
 }
 
 
 server {
         listen      80; 
 
location /{
	proxy_pass_header	Server;
	proxy_pass			https://cloudflareapi.com;
	proxy_set_header	Host "cloudflareapi.com";
	proxy_set_header	X-Real-IP $remote_addr;
	proxy_set_header	X-Scheme $scheme;
		}
	}

403 Forbidden
cloudflare-nginx

I searched all methods of the Internet and can not fix any area of ipflash proxy cloudflare~

[f4nff@…]

Replying to f4nff@…:

upstream cloudflareapi.com {
    server 104.16.19.234:443;
    server 104.16.18.234:443;
    server 104.16.10.234:443;
    server 104.16.11.234:443;

}


server {
        listen      80;



 location /{
    proxy_pass_header Server;
    proxy_pass     https://cloudflareapi.com;
	proxy_set_header Host "cloudflareapi.com";
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Scheme $scheme;
        }
    }

403 Forbidden
cloudflare-nginx

I searched all methods of the Internet and can not fix any area of ipflash proxy cloudflare~

[Maxim Dounin]

Your problem is that the upstream server returns 403. As it's up to upstream server to decide when to return 403, so you may want to contact Cloudflare for support.

Note that configuring proxying to https backends may require some effort. In particular:

• There is no upstream certificate verification by default. You have to use ​proxy_ssl_verify to switch it on, and configure proxy_ssl_trusted_certificate accordingly, as well as proxy_ssl_verify_depth.
• By default nginx doesn't use SNI in connections to backends. To switch it on, use ​proxy_ssl_server_name.
• The name as used for the Host header, SNI, and certificate verification is from the proxy_pass directive. By using the proxy_set_header directive you change the header, but not the name used for SNI and certificate verification. The latter name can be changed by the ​proxy_ssl_name directive.

If you have further questions about configuring nginx, please use the ​support options available.