CD
Cloudflare Developers10mo ago
YourByte.AI Developer

Proxied DNS blocks server connections.

Excuse me if I don't understand something I am new to networking and security, I will try my best to explain the issue. I'm currently working on a web application that requires a server backend. To avoid using the server's IPv4 address directly, I've set up a DNS A record to use a hostname instead. Everything works perfectly when the DNS setting is on 'DNS Only' mode. However, when I switch to 'Proxied' mode, I start encountering issues where I can no longer connect to the server, and I receive '400 Bad Request' errors. I've experimented with various Cloudflare settings to resolve this issue but haven't had any success so far. Here are some of the things I've tried: 1. Turning off Cloudflare SSL/TLS. 2. Setting up various Cloudflare WAF settings to try unblock connections to the hostname. 3. Switching between Argo Tunnel and DNS Records. I'm reaching out to see if anyone has encountered a similar issue or has any suggestions on what else I can try to resolve this problem. Any advice or guidance would be greatly appreciated. Thank you!
24 Replies
Hello, I’m Allie!
Hello, I’m Allie!10mo ago
Have you checked your origin server? It might be that it isn't handling something correctly
YourByte.AI Developer
YourByte.AI DeveloperOP10mo ago
I created and tried to use 'Origin Certificate' on my hostname and server but it didn't help, Would it be beneficial If I shared the python server and client code I am using to diagnose if It's a code related issue?
Hello, I’m Allie!
Hello, I’m Allie!10mo ago
Yeah. Does it show any errors? I'm guessing that the error is coming from the server
YourByte.AI Developer
YourByte.AI DeveloperOP10mo ago
The same '400 bad request' error, I will grab the code 1 minute
Hello, I’m Allie!
Hello, I’m Allie!10mo ago
No, I meant the server log
YourByte.AI Developer
YourByte.AI DeveloperOP10mo ago
By server log you mean the full '400 request error' or something specific within CloudFlare?
Hello, I’m Allie!
Hello, I’m Allie!10mo ago
The logs from your server(the python code). Not on Cloudflare
YourByte.AI Developer
YourByte.AI DeveloperOP10mo ago
Received: HTTP/1.1 400 Bad Request
Server: cloudflare
Date: Mon, 12 Feb 2024 08:03:05 GMT
Content-Type: text/html
Content-Length: 155
Connection: close
CF-RAY: -

<html>
<head><title>400 Bad Request</title></head>
<body>
<center><h1>400 Bad Request</h1></center>
<hr><center>cloudflare</center>
</body>
</html>
Received: HTTP/1.1 400 Bad Request
Server: cloudflare
Date: Mon, 12 Feb 2024 08:03:05 GMT
Content-Type: text/html
Content-Length: 155
Connection: close
CF-RAY: -

<html>
<head><title>400 Bad Request</title></head>
<body>
<center><h1>400 Bad Request</h1></center>
<hr><center>cloudflare</center>
</body>
</html>
This is what I receive, Without the 'Proxied DNS' I get a "Hello World" It's a very short python script I am testing this on, I can post it incase there is a method to include the certificate that I am not aware of.
Hello, I’m Allie!
Hello, I’m Allie!10mo ago
Is that what your server is logging? Your server shouldn't be logging a response
YourByte.AI Developer
YourByte.AI DeveloperOP10mo ago
That is what the client is receiving from the server, the server doesn't print anything. Here are the scripts for context: server.py 
import socket
import ssl
import os

HOST, PORT = '0.0.0.0', 2053

certfile_path = os.path.expanduser('~/Projects/Test-cf/cert/origin_cert.pem')
keyfile_path = os.path.expanduser('~/Projects/Test-cf/cert/private_key.key')

sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.bind((HOST, PORT))
sock.listen(1)

context = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
context.load_cert_chain(certfile=certfile_path, keyfile=keyfile_path)

wrappedSocket = context.wrap_socket(sock, server_side=True)

print(f'Server is running on {HOST}:{PORT}...')

while True:
    try:
        client_socket, address = wrappedSocket.accept()
        print(f'Connection from {address}')
        
        try:
            data = client_socket.recv(1024)
            print(f'Received: {data.decode("utf-8")}')
            if data:
                response = 'Hello World'
                client_socket.sendall(response.encode('utf-8'))
        finally:
            client_socket.close()
    except Exception as e:
        print(f'An error occurred: {e}')

wrappedSocket.close()
import socket
import ssl
import os

HOST, PORT = '0.0.0.0', 2053

certfile_path = os.path.expanduser('~/Projects/Test-cf/cert/origin_cert.pem')
keyfile_path = os.path.expanduser('~/Projects/Test-cf/cert/private_key.key')

sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.bind((HOST, PORT))
sock.listen(1)

context = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
context.load_cert_chain(certfile=certfile_path, keyfile=keyfile_path)

wrappedSocket = context.wrap_socket(sock, server_side=True)

print(f'Server is running on {HOST}:{PORT}...')

while True:
    try:
        client_socket, address = wrappedSocket.accept()
        print(f'Connection from {address}')
        
        try:
            data = client_socket.recv(1024)
            print(f'Received: {data.decode("utf-8")}')
            if data:
                response = 'Hello World'
                client_socket.sendall(response.encode('utf-8'))
        finally:
            client_socket.close()
    except Exception as e:
        print(f'An error occurred: {e}')

wrappedSocket.close()
client.py 
import socket
import ssl

HOST, PORT = 'tunnel.domain.com', 2053 #'tunnel.domain.com' is a placeholder for my domain

ca_cert_path = 'cert/origin_cert.pem'

context = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)

context.load_verify_locations(ca_cert_path)

context.check_hostname = True

with socket.create_connection((HOST, PORT)) as sock:
    with context.wrap_socket(sock, server_hostname=HOST) as ssock:
        # Send data
        ssock.sendall(b"ping")
        
        response = ssock.recv(1024)
        print(f"Received: {response.decode('utf-8')}")
import socket
import ssl

HOST, PORT = 'tunnel.domain.com', 2053 #'tunnel.domain.com' is a placeholder for my domain

ca_cert_path = 'cert/origin_cert.pem'

context = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)

context.load_verify_locations(ca_cert_path)

context.check_hostname = True

with socket.create_connection((HOST, PORT)) as sock:
    with context.wrap_socket(sock, server_hostname=HOST) as ssock:
        # Send data
        ssock.sendall(b"ping")
        
        response = ssock.recv(1024)
        print(f"Received: {response.decode('utf-8')}")
I am unsure if my method of including the certification is correct, I had copied 'Origin Certificate' and the 'Private Key' into a text file and changed the file into .pem and .key Oh it's not even reaching the server, I get no prints from the server at all so CloudFlare is blocking the access.
Hello, I’m Allie!
Hello, I’m Allie!10mo ago
Just to check, since I'm not that well versed in Python, but this appears to be opening a TCP Socket, no?
YourByte.AI Developer
YourByte.AI DeveloperOP10mo ago
Yes
Hello, I’m Allie!
Hello, I’m Allie!10mo ago
Yeah, that's probably the issue. Your setup on Cloudflare is set for HTTP, not TCP You can set up TCP connections, but that requires Spectrum Which is probably not what you want, since it is pretty expensive
YourByte.AI Developer
YourByte.AI DeveloperOP10mo ago
I am trying to locate 'CloudFlare Spectrum', It's not showing up on my account dashboard
Hello, I’m Allie!
Hello, I’m Allie!10mo ago
https://dash.cloudflare.com/?to=/:account/:zone/spectrum, it requires a Paid Plan Though again, I wouldn't recommend it for a small project
YourByte.AI Developer
YourByte.AI DeveloperOP10mo ago
I had just converted the python script to an http protocol, Same '400 Bad Request' issue 😢 Spectrum won't solve the issue
No description
Hello, I’m Allie!
Hello, I’m Allie!10mo ago
Ok, so you are running without a Tunnel. Just to be clear, what URL are you attempting to hit? I'm going to guess http://your.domain.com:443/ ? Or something similar?
YourByte.AI Developer
YourByte.AI DeveloperOP10mo ago
With tunnel. direct IPv4 works fine but switching to the tunnel URL gets blocked by CloudFlare Yes
Hello, I’m Allie!
Hello, I’m Allie!10mo ago
http with port 443?
YourByte.AI Developer
YourByte.AI DeveloperOP10mo ago
http://tunnel.domain.com:2053 ('domain.com' is a placeholder)
Hello, I’m Allie!
Hello, I’m Allie!10mo ago
What happens if you just do http://tunnel.domain.com/ ? It appears that it expects 2053 to be over HTTPS, but you are forcing it to try HTTP, causing it to error
YourByte.AI Developer
YourByte.AI DeveloperOP10mo ago
Unfortunately I am unable to start an http website on port 80 for some reason, Also I have to go to my day job. Thank you for trying to help me! When I will come back I will try to solve the issue and post the solution 💪 .
Hello, I’m Allie!
Hello, I’m Allie!10mo ago
The port on your server doesn't matter as much if you are using Tunnels. You can point the Tunnel at the port, then it will automatically be translated to port 80 and 443
YourByte.AI Developer
YourByte.AI DeveloperOP10mo ago
I am back. I have created an HTTP website on port 80, but I am still getting the connection blocked by CloudFlare. Maybe I don't know how to configure my CloudFlare settings correctly. I tried an alternative service and successfully created a reverse proxy for my server. I will continue using CloudFlare for the website and configure the server backend using the alternative service. @HardlyWorkin' Thank you for your time and effort in trying to help me. 🙏🙏🙏
Want results from more Discord servers?
Add your server