403 on gRPC connection?

I am receiving a 403 error on my gRPC client when trying to connect to an SSL-protected gRPC server behind the Cloudflare proxy. When I disable the proxy (“grey cloud”), the request goes through fine (except the client rejects the server’s certificate, insecure connections work though).

On my client end, I am using the default gRPC “roots” certificate:

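import grpc
from pkg_resources import resource_string  # setuptools helper for packaged files
# Load the bundled root CA file and open a TLS channel through the proxied hostname
pem_file = resource_string(__name__, "roots.pem")
_creds = grpc.ssl_channel_credentials(pem_file)
_channel = grpc.secure_channel("sub.domain.com:443", _creds)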

On the server I have the service running, but it doesn’t receive the connection. Any ideas for why Cloudflare would throw a 403 error for gRPC requests? Note that if I remove the pem file, the same thing happens.

On the Cloudflare side, I am using an A record to proxy a domain name to a static IP address (Google Cloud VM). The VM has the ports open and whatnot for things to work.

May I ask whether the SSL certificate covers sub.domain.com, and if so whether it is a valid one, and which SSL option you have selected under the SSL/TLS tab of the Cloudflare dashboard for your domain (Flexible, Full, Strict …)?

Assuming the sub.domain.com hostname (DNS record) is :orange: on the DNS tab when this issue occurs, correct?

Kindly, may I ask you to post a screenshot of this Cloudflare 403 error? (when using :orange: cloud - proxy mode on).

Good, but we both want it to be secure, right? :wink:

The SSL certificate on the server side is between the server and the origin CA (Cloudflare). However, the server is not being reached at all. The DNS entry is configured with the “orange cloud”, i.e. it is being proxied through Cloudflare. I am using “flexible” mode on the SSL settings with Cloudflare.

Here is the full gRPC error output:

<_InactiveRpcError of RPC that terminated with:
	status = StatusCode.PERMISSION_DENIED
	details = "Received http2 header with status: 403"
	debug_error_string = "{"created":"@1629291206.487454000","description":"Received http2 :status header with non-200 OK status","file":"src/core/ext/filters/http/client/http_client_filter.cc","file_line":133,"grpc_message":"Received http2 header with status: 403","grpc_status":7,"value":"403"}"
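Added example, not part of the thread or of gRPC itself: a small triage helper that reads a `debug_error_string` like the one posted above and tells whether the failure status was synthesized by the client from an HTTP response of an intermediary (here the proxy's 403) or was sent by the gRPC server. It assumes the JSON form of `debug_error_string` shown in the post; `classify`, `SAMPLE` and `CONSTRUCTED_APP_DENIAL` are hypothetical names, and the second sample is constructed.

```python
import json
import re

# Mapping a gRPC client applies when an HTTP/2 response carries no grpc-status
# header (gRPC "HTTP to gRPC Status Code Mapping"); other codes map to UNKNOWN.
HTTP_TO_GRPC = {
    400: "INTERNAL", 401: "UNAUTHENTICATED", 403: "PERMISSION_DENIED",
    404: "UNIMPLEMENTED", 429: "UNAVAILABLE", 502: "UNAVAILABLE",
    503: "UNAVAILABLE", 504: "UNAVAILABLE",
}

# debug_error_string copied from the error output in the thread.
SAMPLE = ('{"created":"@1629291206.487454000","description":"Received http2 '
          ':status header with non-200 OK status","file":"src/core/ext/filters/'
          'http/client/http_client_filter.cc","file_line":133,"grpc_message":'
          '"Received http2 header with status: 403","grpc_status":7,"value":"403"}')

# Constructed sample: a denial returned by the gRPC server application itself.
CONSTRUCTED_APP_DENIAL = ('{"description":"Error received from peer '
                          'ipv4:203.0.113.5:443","grpc_message":"access denied",'
                          '"grpc_status":7}')


def classify(debug_error_string):
    """Return (origin, http_status, synthesized_grpc_code) for a gRPC failure."""
    info = json.loads(debug_error_string)
    desc = info.get("description", "")
    match = re.search(r"status: (\d{3})", info.get("grpc_message", ""))
    if "non-200" in desc and match:
        # No gRPC trailers arrived: something in front of the server answered
        # with plain HTTP, and the client derived the gRPC code from it.
        http_status = int(match.group(1))
        return ("http-intermediary", http_status,
                HTTP_TO_GRPC.get(http_status, "UNKNOWN"))
    # Otherwise the status came from a gRPC peer that was actually reached.
    return ("grpc-peer", None, None)


if __name__ == "__main__":
    print(classify(SAMPLE))
    print(classify(CONSTRUCTED_APP_DENIAL))
```

A result of `http-intermediary` matches the symptom in the thread: the origin service logs no connection because the 403 is generated before the request reaches it.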

May I ask you to check the gRPC option under the → Network tab of the Cloudflare dashboard - is it turned on or off?

Kindly, this should be fixed and set up on Full (Strict) SSL first:

Here is a way to re-check if you correctly set up the SSL for your domain with Cloudflare:

In case you do not have an SSL certificate, you can use Cloudflare SSL. If so, kindly make sure you follow the instructions in the below article to set up an SSL certificate using Cloudflare CA Origin Certificate:

Amazing, Full mode seemed to do the trick!

If you don’t have Strict your site is still broken and insecure. @fritex already said that.

Sorry for the ambiguity, I set the site to Full (Strict) :slight_smile: