400 Bad Request from Pingora in Websocket connection

Hey!

I had been running Headscale (Open-Source Tailscale control server) behind Cloudflare successfully for multiple months. It uses the HTTP/2-based Noise protocol, upgraded using a “Connection: Upgrade” request (like a websocket). Recently (since around the 24th, I’d say) the connection through Cloudflare no longer succeeds. From multiple user reports, this is consistent for multiple people and due to Cloudflare, as it is resolved by turning off proxying by CF.

The “101 switching protocols” response is received by the client, and a few Noise packets are exchanged, but on one request from the client the response contains the following error from Pingora (according to marketing material, the internal Rust proxy of Cloudflare).

HTTP/1.1 400 Bad Request
Server: Pingora
Date: Sun, 27 Aug 2023 15:11:20 GMT
Content-Length: 0
Cache-Control: private, no-store
Connection: close


I would love for this to be looked into, as I have now had to move my Headscale instance outside of CF :slight_smile:

1 Like

my guess https://github.com/juanfont/headscale/issues/1468
tldr: headscale uses POST requests. Cloudflare doesn’t like POST in websocket requests since a week ago
similar thread: https://community.cloudflare.com/t/400-bad-request-when-cloudflare-proxy-enabled/547713/9

1 Like
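A way to check the reply's guess offline, as an added example that is not code from this thread, from Headscale or from Cloudflare: it parses a raw upgrade request and lists where it departs from the RFC 6455 WebSocket opening handshake, which requires GET. It assumes a proxy that treats every `Connection: Upgrade` request as a WebSocket handshake; the sample requests, host names and the `example-control-protocol` token are constructed placeholders.

```go
package main

import (
	"bufio"
	"fmt"
	"net/http"
	"strings"
)

// Constructed samples; host, paths and the first Upgrade token are placeholders.
const postUpgrade = "POST /upgrade HTTP/1.1\r\nHost: hs.example.com\r\n" +
	"Connection: Upgrade\r\nUpgrade: example-control-protocol\r\n\r\n"
const wsHandshake = "GET /chat HTTP/1.1\r\nHost: hs.example.com\r\n" +
	"Connection: keep-alive, Upgrade\r\nUpgrade: websocket\r\n" +
	"Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==\r\nSec-WebSocket-Version: 13\r\n\r\n"

// hasToken reports whether a comma-separated header carries token, ignoring case.
func hasToken(h http.Header, name, token string) bool {
	for _, t := range strings.Split(strings.Join(h.Values(name), ","), ",") {
		if strings.EqualFold(strings.TrimSpace(t), token) {
			return true
		}
	}
	return false
}

// CheckUpgrade lists the RFC 6455 opening-handshake requirements a raw request fails.
func CheckUpgrade(raw string) ([]string, error) {
	req, err := http.ReadRequest(bufio.NewReader(strings.NewReader(raw)))
	if err != nil {
		return nil, err
	}
	var p []string
	if req.Method != http.MethodGet {
		p = append(p, "method "+req.Method+" is not GET")
	}
	if !hasToken(req.Header, "Connection", "upgrade") || !hasToken(req.Header, "Upgrade", "websocket") {
		p = append(p, "Connection/Upgrade do not request websocket")
	}
	if req.Header.Get("Sec-WebSocket-Key") == "" || req.Header.Get("Sec-WebSocket-Version") != "13" {
		p = append(p, "Sec-WebSocket-Key or Sec-WebSocket-Version: 13 missing")
	}
	return p, nil
}

func main() {
	fmt.Println(CheckUpgrade(postUpgrade))
	fmt.Println(CheckUpgrade(wsHandshake))
}
```

Feeding it the request a client actually sends (captured at the origin, before the proxy) shows which of these points a strict intermediary could reject.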
