400 Bad Request - site works if I bypass cloudflare

So I’ve been trying to get this resolved for a few days and have hit a dead end. Details below.

Web server with Letsencrypt ssl cert installed.
DNS A record points to IP and set to DNS only, bypassing cloudflare
Web server can be reached internally and externally on the listening port tcp/8123 and shows the certificate is installed and chained properly.

DNS is updated to proxied, cloudflare is now inline
Cloudflare throws
400: Bad Request

Website is set to respond on :8443 but from what I read that should work.

Any ideas where to start?

May I ask you to post a screenshot of this error?

Did you enable, or are you using, Cloudflare Authenticated Origin Pull, maybe?

May I ask what SSL option have you got selected under the SSL/TLS tab at Cloudflare dashboard for your domain ( Flexible, Full, Full Strict … )?

If so, it should be set to Full (Strict) SSL:

True, 8443 is a supported and compatible port with Cloudflare proxy mode :orange:, as documented at the link below:

Are you proxying 8123 internally to external 8443, or?

Ok, here is the screenshot

Cloudflare Authenticated Origin Pull

I did not enable and am not using Authenticated Origin Pull.

what SSL option

I have tried flexible, full and full strict

proxying 8123 internally to external 8443

I’m proxying external traffic arriving on 8443 to 8123 internally via NAT rule on premise firewall.


Kindly, thank you for sharing the screenshot and feedback information.

As far as I remember, this does not look to me like a Cloudflare 400 error; rather, it's coming from the origin host/server.

The Cloudflare 400 looks like below:


Suggestions for the best way to troubleshoot? If I bypass Cloudflare caching and just use it for DNS, the site works. There is some incompatibility between Cloudflare and the site.

Do you see anything in your log files at the origin host/server about that 400 error?

My best guess is something with the network or firewall.

Do you see any blocked requests from Cloudflare?

Furthermore, is Cloudflare “bypassed” at firewall and allowed to connect?

You’d need to check your access/error logs at the origin to understand why it is returning a HTTP 400.

May I ask what you are using for … Apache, Nginx for the web server, or something else maybe?

Additionally, you can temporarily enable the "Pause Cloudflare for this site" option for the moment of troubleshooting.
Or rather, you do not see this error when unproxied :grey: (DNS-only)?

8123 =/= 8443. Does the site respond on 8443 with a valid certificate?


Good question, if the cert is …

Do you see any blocked requests from Cloudflare?
Furthermore, is Cloudflare “bypassed” at firewall and allowed to connect?

Firewall shows traffic allowed; for testing I allowed any external IP in on the WAN interface on port 8443. I can see the traffic passing.

Or rather, you do not see this error when unproxied :grey: (DNS-only)?

Correct, unproxied through Cloudflare works as expected.

May I ask what you are using for … Apache, Nginx for the web server, or something else maybe?

This is a Home Assistant instance which is using AIO HTTP - https://docs.aiohttp.org

8123 =/= 8443. Does the site respond on 8443 with a valid certificate?

Yes, when Cloudflare is bypassed, the site responds using HTTPS over tcp/8443 and presents a valid Let's Encrypt cert which shows proper chaining and which matches the FQDN.

I am having the same issue as the OP.

I have Home Assistant set up on port 8123 internally; my firewall has a rule to forward external port 8443 to 8123 internally.

With the Cloudflare proxy disabled, https://my domain.com:8443 works fine externally and pulls up the website, but with the proxy enabled I get 400 Bad Request.

I am not familiar with it; I have neither Home Assistant nor aiohttp in use yet :confused:

Maybe it could be related to the ssl_client_verify option, or missing support for SNI (in the SSL certificate) somehow?

Have you tried checking if the origin request is the same? For example if it could have something to do with CORS rules?

Or maybe something with forwarded HTTP headers.

The problem was indeed on the web server side. Home Assistant has a feature, enabled by default, that checks which IPs are allowed to proxy to the server.

See here for the solution: Securing Home Assistant with Cloudflare

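To make the failure mode in the post above concrete, here is an added illustration (not Home Assistant's or aiohttp's own code) of the kind of trusted-proxy check described: a forwarded header arriving from a peer that is not an explicitly listed proxy is rejected with 400, and when the header is honoured the client address is taken by walking the hop list from the proxy side so a client-supplied prefix cannot spoof it. The `BadRequest` class, the `resolve_client_ip` function and the scenario values are assumptions for the example; the Cloudflare ranges are a small subset of the list Cloudflare publishes at https://www.cloudflare.com/ips/ and should be refreshed from there, not copied from here.

```python
import ipaddress

# Illustrative subset of the IPv4 ranges Cloudflare publishes for its proxies.
# Constructed for this example; fetch the current list before relying on it.
CLOUDFLARE_PROXY_RANGES = [
    ipaddress.ip_network(n)
    for n in ("173.245.48.0/20", "103.21.244.0/22", "104.16.0.0/13", "172.64.0.0/13")
]


class BadRequest(Exception):
    """Stand-in for an HTTP 400 response (aiohttp would raise HTTPBadRequest)."""


def _is_trusted(ip, trusted_proxies):
    # ip_network.__contains__ returns False for a mismatched IP version,
    # so mixing IPv4 and IPv6 entries is safe.
    return any(ip in net for net in trusted_proxies)


def resolve_client_ip(peer_ip, x_forwarded_for, trusted_proxies, use_x_forwarded_for):
    """Return the address the application should treat as the client.

    peer_ip:             TCP peer that connected to the origin. Behind the NAT rule
                         from the thread this is a Cloudflare address when proxied.
    x_forwarded_for:     X-Forwarded-For header value, or None when absent.
    trusted_proxies:     ip_network objects allowed to set forwarded headers.
    use_x_forwarded_for: whether forwarded headers are honoured at all.
    """
    peer = ipaddress.ip_address(peer_ip)

    if x_forwarded_for is None:
        # Direct connection (DNS-only mode in the thread): the peer is the client.
        return peer

    # A forwarded header from a peer we have not been told to trust is refused
    # rather than believed; otherwise any client could claim any source address.
    if not use_x_forwarded_for:
        raise BadRequest(f"forwarded header from {peer} but forwarded headers are disabled")
    if not _is_trusted(peer, trusted_proxies):
        raise BadRequest(f"X-Forwarded-For received from untrusted proxy {peer}")

    try:
        hops = [ipaddress.ip_address(h.strip()) for h in x_forwarded_for.split(",")]
    except ValueError as exc:
        raise BadRequest(f"malformed X-Forwarded-For: {x_forwarded_for!r}") from exc

    # Walk from the hop nearest the trusted peer backwards, skipping addresses
    # that are themselves trusted proxies. The first untrusted hop is the real
    # client; anything a client prepended sits further left and is ignored.
    for hop in reversed(hops):
        if not _is_trusted(hop, trusted_proxies):
            return hop
    return hops[0]  # every hop was a trusted proxy; report the furthest one


def rejects(peer_ip, x_forwarded_for, trusted_proxies, use_x_forwarded_for):
    """True if the request would be answered with 400."""
    try:
        resolve_client_ip(peer_ip, x_forwarded_for, trusted_proxies, use_x_forwarded_for)
    except BadRequest:
        return True
    return False


if __name__ == "__main__":
    # Constructed scenario values: a visitor at 203.0.113.7, Cloudflare edge at 173.245.48.10.
    print("DNS-only:", resolve_client_ip("203.0.113.7", None, [], False))
    print("proxied, defaults:", rejects("173.245.48.10", "203.0.113.7", [], False))
    print("proxied, trusted:", resolve_client_ip(
        "173.245.48.10", "203.0.113.7", CLOUDFLARE_PROXY_RANGES, True))
    print("spoof attempt:", resolve_client_ip(
        "173.245.48.10", "10.0.0.1, 198.51.100.9, 203.0.113.7", CLOUDFLARE_PROXY_RANGES, True))
```

The second scenario is the one both posters hit: with the proxy in line the origin sees a Cloudflare peer plus a forwarded header, and with no proxies configured that is a 400, while the DNS-only case never carries the header and works. In Home Assistant the corresponding settings are `use_x_forwarded_for` and `trusted_proxies` under `http:` in configuration.yaml, and the log entry the later reply mentions is the place to read off which peer address needs to be trusted.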

Thank you for sharing this helpful information and useful link!
Could you confirm whether this solution does work for you?

@user18972 can you try this too?

Thank you in advance!

Yes, confirmed working for me.

It seems this feature in Home Assistant was added in July last year, so it is still somewhat new, but under the core logs there was an entry for each connection attempt with the IP of the proxy server.


This resolved it for me as well.

