Running into something strange w/ Cloudflare Tunnels... I have quite a few set up and working fine, but noticed in one case a path was redirecting with 303 status code, causing an image not to load. I looked into what was happening -
1) I have a tunnel for a site "domain.com/site-1" path
2) I have another tunnel for site "domain.com/site-2" path
3) Both are pointed at different servers
4) When a URL is encountered like so - "domain.com/site-1/something/site-2/else" is when a 303 redirect happens to "domain.com/site-2/site-1/something/site-2/else"
Not sure why this is occurring, I have other tunnels with exact same setup (path contained) but they don't do the redirect... It seems like there is a redirect rule or something in play, but I checked the redirect rules and bulk redirect and nothing is there. I can access the server in question directly / locally and no redirect happens. So it seems to be something Cloudflare is doing, but not sure how to know why.
7 Replies
Are you able to share a screenshot of your tunnel configuration? I suspect since the URL contains both site-1 and site-2 it may be routing to the wrong one? The path setup is a bit tricky so want to double check yours and compare it with what I know should work
Just to update.... I did another test where I use domain.com/some-random-path/site-1/resource, and it still does a 303 to domain.com/site-1/some-random-path/site-1/resource. So, it seems like the redirect must be coming from somewhere besides the tunnels?
If I go to just domain.com/some-random-path/resource, then it correctly falls through to the 404 at bottom of unmatched tunnels
Mmm, so update... it seems like the Redirect is actually caused by the server software. However, the reason it happens is because when you have any tunnel path name further along in your URL, it directs traffic to that tunnel. Even though there's no wildcard in play. So if I have my tunnel set to "domain.com/site-1" any URL that has "domain.com/something/site-1/resource" is going to actually make the request to the "site-1" tunnel.
I don't really see documentation calling out this issue, and I believe it could be a security concern as well. Since you can have a tunnel set up as "/site-1" path and an Application set up under Access for security, also set to "/site-1", but it won't block requests via "domain.com/something/site-1". Even though in both cases the paths are identically set, the tunnel setup silently allows wildcard in the path leading up to "site-1".
@armoredcavalry Can you try setting them both to ^/site-1 and ^/site-2
What the dash doesn't make clear is that regex patterns are accepted
For one of mine I resolved it with this
@Erisa | Support Engineer - that seemed to work, thank you! However, I would still say this should be updated in the UI, as it doesn't imply anywhere that it is a RegEx field. In fact, I'd say it kinda implies the opposite by showing {hostname} "/" {path} in the UI. I had always assumed it specifically only routed requests where the path started with that value.
In my case, not really a big deal, but could definitely see it being a security concern in cases where users have a matching value in path for tunnel + access, but it doesn't behave the same.
I agree, I will try and surface that concern with the right team
Thanks! Just wouldn't want anyone getting burned, thinking they had something secured when it is not.
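
The matching behaviour described in this thread, modelled as an added example (not code from Cloudflare or from any poster): it compares unanchored and `^`-anchored tunnel path patterns against the thread's URLs and lists paths that reach an origin without falling under the Access path. The rule order, the origin names `server-a`/`server-b`, and the prefix-match model of Access are assumptions.

```python
import re

# Constructed tunnel rules (path pattern, origin), checked in order. Assumptions:
# the path field is an unanchored regex search, as reported in this thread, and
# site-2 is listed first, which reproduces the first redirect described.
UNANCHORED = [("/site-2", "server-b"), ("/site-1", "server-a")]
ANCHORED = [("^/site-2", "server-b"), ("^/site-1", "server-a")]

# Assumption: the Access application covers only paths that start with this value.
ACCESS_PREFIXES = ["/site-1"]

# Constructed request paths based on the cases described in the thread.
PATHS = [
    "/site-1/resource",
    "/site-1/something/site-2/else",
    "/some-random-path/site-1/resource",
    "/some-random-path/resource",
]


def route(rules, path):
    """Return the origin of the first rule whose pattern matches, else None (404)."""
    for pattern, origin in rules:
        if re.search(pattern, path):
            return origin
    return None


def access_protected(path):
    """True when the path falls under a configured Access application prefix."""
    return any(path.startswith(prefix) for prefix in ACCESS_PREFIXES)


def unprotected_routes(rules, paths, origin):
    """Paths that reach `origin` through the tunnel without matching Access."""
    return [p for p in paths if route(rules, p) == origin and not access_protected(p)]


def unanchored_patterns(rules):
    """Path patterns that do not start with '^' and so can match mid-path."""
    return [pattern for pattern, _ in rules if not pattern.startswith("^")]


if __name__ == "__main__":
    for name, rules in (("unanchored", UNANCHORED), ("anchored", ANCHORED)):
        print(name, "patterns missing '^':", unanchored_patterns(rules))
        for p in PATHS:
            print(f"  {p} -> {route(rules, p)} access={access_protected(p)}")
        print("  reaches server-a without Access:", unprotected_routes(rules, PATHS, "server-a"))
```
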