Opened 7 years ago

Closed 7 years ago

#1492 closed defect (invalid)

nginx proxy + cloudflare + https = 403 Forbidden cloudflare-nginx

Reported by: f4nff@… Owned by:
Priority: minor Milestone: 1.13
Component: other Version: 1.13.x
Keywords: proxy https 403 cloudflare Cc:
uname -a:
nginx -V: 1.13.9

Description

upstream cloudflareapi.com {
    server 104.16.69.234:443;
    server 104.16.68.234:443;
    server 104.16.70.234:443;
    server 104.16.71.234:443;

}


server {
        listen      80;



 location /{
    proxy_pass_header Server;
    proxy_pass     https://cloudflareapi.com;
	proxy_set_header Host $http_host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Scheme $scheme;
        }
    }
403 Forbidden
cloudflare-nginx

I searched all methods of the Internet and can not fix any area of ipflash proxy cloudflare~

Change History (5)

comment:1 by f4nff@…, 7 years ago

upstream cloudflareapi.com {
    server 104.16.69.234:443;
    server 104.16.68.234:443;
    server 104.16.70.234:443;
    server 104.16.71.234:443;

}


server {
        listen      80;



 location /{
    proxy_pass_header Server;
    proxy_pass     https://cloudflareapi.com;
	proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Scheme $scheme;
        }
    }

This is not work either~!

Version 0, edited 7 years ago by f4nff@… (next)

comment:2 by f4nff@…, 7 years ago

server {
        listen      80;



 location /{
    proxy_pass_header Server;
    proxy_pass     https://cloudflareapi.com;
	proxy_set_header Host "cloudflareapi.com";
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Scheme $scheme;
        }
    }

This is fine, but not enough for my load balancing needs.

		
server {
        listen      80;



 location /{
    proxy_pass_header Server;
    proxy_pass     https://104.16.19.19;
	proxy_set_header Host "cloudflareapi.com";
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Scheme $scheme;
        }
    }

This does not work either!

sni host != host
I am so skeptical~

in reply to:  description comment:3 by f4nff@…, 7 years ago

Replying to f4nff@…:

upstream cloudflareapi.com {
	server 104.16.19.234:443;
	server 104.16.18.234:443;
	server 104.16.10.234:443;
	server 104.16.11.234:443;
 
 }
 
 
 server {
         listen      80; 
 
location /{
	proxy_pass_header	Server;
	proxy_pass			https://cloudflareapi.com;
	proxy_set_header	Host "cloudflareapi.com";
	proxy_set_header	X-Real-IP $remote_addr;
	proxy_set_header	X-Scheme $scheme;
		}
	}

403 Forbidden
cloudflare-nginx

I searched all methods of the Internet and can not fix any area of ipflash proxy cloudflare~

Last edited 7 years ago by f4nff@… (previous) (diff)

in reply to:  description comment:4 by f4nff@…, 7 years ago

Replying to f4nff@…:

upstream cloudflareapi.com {
    server 104.16.19.234:443;
    server 104.16.18.234:443;
    server 104.16.10.234:443;
    server 104.16.11.234:443;

}


server {
        listen      80;



 location /{
    proxy_pass_header Server;
    proxy_pass     https://cloudflareapi.com;
	proxy_set_header Host "cloudflareapi.com";
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Scheme $scheme;
        }
    }
403 Forbidden
cloudflare-nginx

I searched all methods of the Internet and can not fix any area of ipflash proxy cloudflare~

comment:5 by Maxim Dounin, 7 years ago

Resolution: invalid
Status: newclosed

Your problem is that the upstream server returns 403. As it's up to upstream server to decide when to return 403, so you may want to contact Cloudflare for support.

Note that configuring proxying to https backends may require some effort. In particular:

  • There is no upstream certificate verification by default. You have to use proxy_ssl_verify to switch it on, and configure proxy_ssl_trusted_certificate accordingly, as well as proxy_ssl_verify_depth.
  • By default nginx doesn't use SNI in connections to backends. To switch it on, use proxy_ssl_server_name.
  • The name as used for the Host header, SNI, and certificate verification is from the proxy_pass directive. By using the proxy_set_header directive you change the header, but not the name used for SNI and certificate verification. The latter name can be changed by the proxy_ssl_name directive.

If you have further questions about configuring nginx, please use the support options available.

Note: See TracTickets for help on using tickets.