401 error if I enable proxy for my A record

Hi community,

Cloudflare would return a 401 (Authorization Required) if I enable proxy for my A record. However, if I turn off proxy, I’m able to connect to my server. Therefore I believe that this is a problem on Cloudflare’s side rather than on my server’s side. Please advise what I can do to work around the 401 error.

These are the exact settings when I turn on proxy for my A record:

Type: A
Name: rfberlin.com
IPv4 address: 77.163.207.211
Proxy status: On

I would have a 401 error:

$ curl -vvvk  https://rfberlin.com/

*   Trying 188.114.97.0:443...
* Connected to rfberlin.com (188.114.97.0) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: /etc/ssl/cert.pem
*  CApath: none
* (304) (OUT), TLS handshake, Client hello (1):
* (304) (IN), TLS handshake, Server hello (2):
* (304) (IN), TLS handshake, Unknown (8):
* (304) (IN), TLS handshake, Certificate (11):
* (304) (IN), TLS handshake, CERT verify (15):
* (304) (IN), TLS handshake, Finished (20):
* (304) (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / AEAD-AES256-GCM-SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: C=US; ST=California; L=San Francisco; O=Cloudflare, Inc.; CN=rfberlin.com
*  start date: Apr 27 00:00:00 2022 GMT
*  expire date: Apr 27 23:59:59 2023 GMT
*  issuer: C=US; O=Cloudflare, Inc.; CN=Cloudflare Inc ECC CA-3
*  SSL certificate verify ok.
* Using HTTP2, server supports multiplexing
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x7fe3a180da00)
> GET / HTTP/2
> Host: rfberlin.com
> user-agent: curl/7.79.1
> accept: */*
>
* Connection state changed (MAX_CONCURRENT_STREAMS == 256)!
< HTTP/2 401
< date: Fri, 15 Jul 2022 15:05:26 GMT
< content-type: text/html; charset=UTF-8
< content-length: 172
< cf-ray: 72b365741b4fb73a-AMS
< www-authenticate: Basic realm="restricted"
< cf-cache-status: DYNAMIC
< expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
< ki-cache-type: None
< ki-cf-cache-status: BYPASS
< ki-edge: v=17.6
< x-content-type-options: nosniff
< x-edge-location-klb: 1
< report-to: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=zsgGxU8NdD73%2B7pKTc10zDPyqEEwJaq62usVQakcnf%2BvUFQizMnXpEkfdpSesvc56TNpWDm8ScccFjmIz29hXFbM7nb7uu2Ypyx5HIgJwSQLZtodUz43ZQJ381ar4Q%3D%3D"}],"group":"cf-nel","max_age":604800}
< nel: {"success_fraction":0.01,"report_to":"cf-nel","max_age":604800}
< server: cloudflare
< alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
<
<html>
<head><title>401 Authorization Required</title></head>
<body>
<center><h1>401 Authorization Required</h1></center>
<hr><center>nginx</center>
</body>
</html>
* Connection #0 to host rfberlin.com left intact

If I turn off proxy:

Type: A
Name: rfberlin.com
IPv4 address: 77.163.207.211
Proxy status: On

The connection succeeds (301 is expected):

$ curl -vvvk https://rfberlin.com/

*   Trying 77.163.207.211:443...
* Connected to rfberlin.com (77.163.207.211) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: /etc/ssl/cert.pem
*  CApath: none
* (304) (OUT), TLS handshake, Client hello (1):
* (304) (IN), TLS handshake, Server hello (2):
* (304) (IN), TLS handshake, Unknown (8):
* (304) (IN), TLS handshake, Certificate (11):
* (304) (IN), TLS handshake, CERT verify (15):
* (304) (IN), TLS handshake, Finished (20):
* (304) (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / AEAD-AES256-GCM-SHA384
* ALPN, server accepted to use http/1.1
* Server certificate:
*  subject: C=AU; ST=Some-State; O=Internet Widgits Pty Ltd
*  start date: Jul 10 00:58:26 2021 GMT
*  expire date: Jul 10 00:58:26 2022 GMT
*  issuer: C=AU; ST=Some-State; O=Internet Widgits Pty Ltd
*  SSL certificate verify result: self signed certificate (18), continuing anyway.
> GET / HTTP/1.1
> Host: rfberlin.com
> User-Agent: curl/7.79.1
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 301 Moved Permanently
< Server: nginx/1.18.0 (Ubuntu)
< Date: Fri, 15 Jul 2022 14:55:48 GMT
< Content-Type: text/html
< Content-Length: 178
< Connection: keep-alive
< Location: https://www.rfberlin.com/
<
<html>
<head><title>301 Moved Permanently</title></head>
<body>
<center><h1>301 Moved Permanently</h1></center>
<hr><center>nginx/1.18.0 (Ubuntu)</center>
</body>
</html>
* Connection #0 to host rfberlin.com left intact

Note that the proxy works fine for another A record that is www.rfberlin.com. It just doesn’t work for the no-www subdomain (rfberlin.com).

I made a typo in the settings if I turn off proxy. Proxy status should be Off:

Type: A
Name: rfberlin.com
IPv4 address: 77.163.207.211
Proxy status: Off

You should first fix that.

Thanks. My SSL/TLS encryption mode is Full instead of Full (strict). I’ll consider changing that but it’s orthogonal to this problem.

Sure, but let’s fix the security issue first, then we can check out other issues.

Okay I fixed that and the 401 error persists. What would be your next suggestion?

Great, did you also fix the encryption mode?

Was your domain used with a different provider earlier, who may have also used Cloudflare?

Assuming you checked and confirmed that the 401 is not sent by your server, your naked domain is probably stuck with the provider I referred to and you need to get that configuration dropped.

You can contact your previous host for that, but the far easier way will be to follow the instructions posted at Help regarding domain change - #2 by sdayman.

And again, double check that you set Full Strict as well.
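One way to do the check the reply assumes (whether the 401 is produced by your own origin or by some other backend the proxied hostname reaches), as an added example that is not part of this thread: parse the proxied and the direct header dumps and flag the non-edge headers that only the proxied response carries. The sample header lines are copied from the two curl runs above; the edge-header list and the verdict rules are my assumptions.

```python
import re

# Headers Cloudflare's edge adds (or rewrites) on every proxied response; seeing
# them only on the proxied side says nothing about which backend answered.
EDGE_HEADERS = {"cf-ray", "cf-cache-status", "expect-ct", "report-to", "nel",
                "alt-svc", "server", "date", "content-length", "connection"}

def parse_response(raw):
    # Parse a curl '< ' header dump into (status_code, {header: value}).
    status, headers = None, {}
    for line in raw.strip().splitlines():
        line = line.lstrip("< ").strip()
        m = re.match(r"HTTP/[\d.]+\s+(\d{3})", line)
        if m:
            status = int(m.group(1))
        elif line:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
    return status, headers

def locate_401(proxied_raw, direct_raw):
    """Decide whether a 401 seen through the proxy is produced by our origin."""
    p_status, p_hdr = parse_response(proxied_raw)
    d_status, d_hdr = parse_response(direct_raw)
    # Non-edge headers present only via the proxy were emitted by whatever
    # backend the proxied hostname reaches, and our origin never sends them.
    foreign = sorted(h for h in p_hdr if h not in d_hdr and h not in EDGE_HEADERS)
    if d_status == 401:
        verdict = "origin"
    elif p_status == 401 and foreign:
        verdict = "other backend"
    else:
        verdict = "inconclusive"
    return {"proxied_status": p_status, "direct_status": d_status,
            "foreign_headers": foreign, "verdict": verdict}

# Header lines copied from the two curl runs in this thread (trimmed).
PROXIED = """< HTTP/2 401
< date: Fri, 15 Jul 2022 15:05:26 GMT
< content-type: text/html; charset=UTF-8
< cf-ray: 72b365741b4fb73a-AMS
< www-authenticate: Basic realm="restricted"
< ki-cache-type: None
< ki-edge: v=17.6
< server: cloudflare"""
DIRECT = """< HTTP/1.1 301 Moved Permanently
< Server: nginx/1.18.0 (Ubuntu)
< Date: Fri, 15 Jul 2022 14:55:48 GMT
< Content-Type: text/html
< Location: https://www.rfberlin.com/"""
```

To capture a live direct dump without changing DNS, run curl with `--resolve rfberlin.com:443:77.163.207.211` so Host and SNI stay the same while the connection bypasses the proxy.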
