400 Bad Request - site works if I bypass cloudflare

So I’ve been trying to get this resolved for a few days and have hit a dead end. Details below.

Web server with Let's Encrypt SSL cert installed.
DNS A record points to the IP and is set to DNS only, bypassing Cloudflare.
Web server can be reached internally and externally on the listening port tcp/8123 and shows the certificate is installed and chained properly.

DNS is updated to proxied, Cloudflare is now inline.
Cloudflare throws:
400: Bad Request

Website is set to respond on :8443 but from what I read that should work.

Any ideas where to start?

May I ask you to post a screenshot of this error?

Did you enable, or are you using, Cloudflare Authenticated Origin Pull maybe?

May I ask what SSL option you have selected under the SSL/TLS tab in the Cloudflare dashboard for your domain (Flexible, Full, Full Strict …)?

If so, it should be set to Full (Strict) SSL.

True, 8443 is a supported and compatible port with Cloudflare proxy mode :orange: as documented at the link below:

Are you proxying 8123 internally to external 8443, or?

Ok, here is the screenshot.

Cloudflare Authenticated Origin Pull

I did not enable and am not using Authenticated Origin Pull.

what SSL option

I have tried flexible, full and full strict

proxying 8123 internally to external 8443

I’m proxying external traffic arriving on 8443 to 8123 internally via NAT rule on premise firewall.


Thank you kindly for sharing the screenshot and feedback information.

As far as I remember, this does not look to me like a Cloudflare 400 error; rather, it's coming from the origin host/server.

The Cloudflare 400 looks like the one below:


Suggestions for the best way to troubleshoot? If I bypass Cloudflare caching and just use it for DNS, the site works. Some incompatibility between Cloudflare and the site.

Do you see anything in your log files at the origin host/server about that 400 error?

My best guess is something with the network or firewall.

Do you see any blocked requests from Cloudflare?

Furthermore, is Cloudflare “bypassed” at firewall and allowed to connect?

You’d need to check your access/error logs at the origin to understand why it is returning a HTTP 400.

May I ask what you are using for the web server … Apache, Nginx, or something else maybe?

Additionally, you can temporarily enable the "Pause Cloudflare for this site" option for the duration of troubleshooting.
Or rather, you do not see this error when unproxied :grey: (DNS-only)?

8123 =/= 8443. Does the site respond on 8443 with a valid certificate?


Good question, if the cert is …

Do you see any blocked requests from Cloudflare?
Furthermore, is Cloudflare “bypassed” at firewall and allowed to connect?

Firewall shows traffic allowed - for testing I allowed any external IP on the WAN interface inbound on port 8443. I can see the traffic passing.

Or rather, you do not see this error when unproxied :grey: (DNS-only)?

Correct - unproxied through Cloudflare works as expected.

May I ask what you are using for the web server … Apache, Nginx, or something else maybe?

This is a Home Assistant instance which is using aiohttp - https://docs.aiohttp.org

8123 =/= 8443. Does the site respond on 8443 with a valid certificate?

Yes, when Cloudflare is bypassed, the site responds using HTTPS over tcp/8443 and presents a valid Let's Encrypt cert which shows proper chaining and which matches the FQDN.