Opened 7 years ago
Closed 7 years ago
#1492 closed defect (invalid)
nginx proxy + cloudflare + https = 403 Forbidden cloudflare-nginx
Reported by: | Owned by: | ||
---|---|---|---|
Priority: | minor | Milestone: | 1.13 |
Component: | other | Version: | 1.13.x |
Keywords: | proxy https 403 cloudflare | Cc: | |
uname -a: | |||
nginx -V: | 1.13.9 |
Description
upstream cloudflareapi.com { server 104.16.69.234:443; server 104.16.68.234:443; server 104.16.70.234:443; server 104.16.71.234:443; } server { listen 80; location /{ proxy_pass_header Server; proxy_pass https://cloudflareapi.com; proxy_set_header Host $http_host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Scheme $scheme; } }
403 Forbidden cloudflare-nginx
I searched all methods of the Internet and can not fix any area of ipflash proxy cloudflare~
Change History (5)
comment:2 by , 7 years ago
server { listen 80; location /{ proxy_pass_header Server; proxy_pass https://cloudflareapi.com; proxy_set_header Host "cloudflareapi.com"; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Scheme $scheme; } }
This is fine, but not enough for my load balancing needs.
server { listen 80; location /{ proxy_pass_header Server; proxy_pass https://104.16.19.19; proxy_set_header Host "cloudflareapi.com"; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Scheme $scheme; } }
This does not work either!
sni host != host
I am so skeptical~
comment:3 by , 7 years ago
Replying to f4nff@…:
upstream cloudflareapi.com { server 104.16.19.234:443; server 104.16.18.234:443; server 104.16.10.234:443; server 104.16.11.234:443; } server { listen 80; location /{ proxy_pass_header Server; proxy_pass https://cloudflareapi.com;
proxy_set_header Host "cloudflareapi.com";
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Scheme $scheme;
}
}
}}}
403 Forbidden cloudflare-nginxI searched all methods of the Internet and can not fix any area of ipflash proxy cloudflare~
comment:4 by , 7 years ago
Replying to f4nff@…:
upstream cloudflareapi.com { server 104.16.19.234:443; server 104.16.18.234:443; server 104.16.10.234:443; server 104.16.11.234:443; } server { listen 80; location /{ proxy_pass_header Server; proxy_pass https://cloudflareapi.com; proxy_set_header Host "cloudflareapi.com"; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Scheme $scheme; } }403 Forbidden cloudflare-nginxI searched all methods of the Internet and can not fix any area of ipflash proxy cloudflare~
comment:5 by , 7 years ago
Resolution: | → invalid |
---|---|
Status: | new → closed |
Your problem is that the upstream server returns 403. As it's up to upstream server to decide when to return 403, so you may want to contact Cloudflare for support.
Note that configuring proxying to https backends may require some effort. In particular:
- There is no upstream certificate verification by default. You have to use proxy_ssl_verify to switch it on, and configure
proxy_ssl_trusted_certificate
accordingly, as well asproxy_ssl_verify_depth
. - By default nginx doesn't use SNI in connections to backends. To switch it on, use proxy_ssl_server_name.
- The name as used for the
Host
header, SNI, and certificate verification is from theproxy_pass
directive. By using theproxy_set_header
directive you change the header, but not the name used for SNI and certificate verification. The latter name can be changed by the proxy_ssl_name directive.
If you have further questions about configuring nginx, please use the support options available.
This is not work either~!