A valid Host header must be supplied to reach the desired website


#1

I am fetching an external resource through the fetch() API in one of my workers. The resource is identified by an IP address – there is no domain for it. The request fails because it’s intercepted by Cloudflare and I get the following error:

Please enable cookies.

Error 1003 Ray ID: 48512b6700dec190 • 2018-12-06 19:30:52 UTC

Direct IP access not allowed

What happened?

You’ve requested an IP address that is part of the Cloudflare network. A valid Host header must be supplied to reach the desired website.

What can I do?

If you are interested in learning more about Cloudflare, please visit our website.

Cloudflare Ray ID: 48512b6700dec190 • Your IP: 2a06:98c0:3600::103 • Performance & security by Cloudflare

Now, the server is definitely not behind Cloudflare, and I don’t even have a domain for it. I tried to set the Host header with the same IP address, but I get the same response. What is the solution in this case?


#3

The IP address belongs to a server of mine. I have total control over it.


#5

Hi @rubik,

This error message is a bit misleading. Workers’ implementation of fetch() does not currently support fetching directly from an IP address at all. We would like to enable this ability at some point in the future, but I can’t promise it by any specific timeline.

If the IP is static, one workaround would be to add an A or AAAA record for that IP address in your zone’s DNS settings. If the IP is likely to change frequently, then this won’t be feasible, and I’m afraid I don’t know of a good solution in that case.

Harris
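The DNS-record workaround described in the post above, sketched as an added example (not code from this thread or from Cloudflare): a helper that rewrites IP-literal URLs to a configured hostname before calling fetch(), and fails closed when no name is mapped. The addresses and hostnames in `ORIGIN_HOSTS` are constructed placeholders, and the example assumes matching A/AAAA records already exist in the zone.

```javascript
// Added example. ORIGIN_HOSTS maps origin IPs to DNS names that are assumed to
// have A/AAAA records in your zone. All entries are constructed placeholders.
const ORIGIN_HOSTS = new Map([
  ["203.0.113.10", "origin.example.com"],     // constructed IPv4 (documentation range)
  ["[2001:db8::10]", "origin6.example.com"],  // constructed IPv6 (documentation range)
]);

// True when a parsed URL hostname is an IP literal rather than a DNS name.
// The URL parser has already normalised IPv4 to dotted decimal and wrapped
// IPv6 in brackets, so only those two shapes need to be recognised.
function isIpLiteral(hostname) {
  if (hostname.startsWith("[") && hostname.endsWith("]")) return true;
  const parts = hostname.split(".");
  return parts.length === 4 &&
    parts.every((p) => /^\d{1,3}$/.test(p) && Number(p) <= 255);
}

// Returns the URL with an IP-literal host replaced by its configured name.
// Scheme, port, path and query are preserved. Unmapped IPs throw, so a
// request never goes out to an address fetch() cannot reach.
function toHostnameUrl(input, hostMap = ORIGIN_HOSTS) {
  const url = new URL(input);
  if (!isIpLiteral(url.hostname)) return url.toString();
  const name = hostMap.get(url.hostname);
  if (!name) throw new Error(`no DNS name configured for ${url.hostname}`);
  url.hostname = name;
  return url.toString();
}

// Wrapper used in place of fetch(ipUrl) inside the Worker.
async function fetchOrigin(input, init) {
  return fetch(toHostnameUrl(input), init);
}

// Register the handler only where the Workers runtime provides it.
if (typeof addEventListener === "function") {
  addEventListener("fetch", (event) => {
    event.respondWith(fetchOrigin("http://203.0.113.10:8080/status"));
  });
}
```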


#6

I see.

Unfortunately this IP should be private. If I add those records it will become public knowledge. Is there really nothing else to do?


#7

Can you explain why this is a limitation?

I understand that it makes sense not to do communication without HTTPS, but there are a ton of use-cases where direct IP access is a requirement.


#8

Why would that be the case? You could make a random string, which would have the same possibility of being found as someone scanning the IP space. In addition, one should never trust security by hiding the address. If the IP were shared, there should be no issues (apart from maybe possible DDoS troubles…).


#9

Adding to the above, if the IP-range is assigned by RIPE, it will also show the owner of the IP - which is often the case for any type of server, even VPS.


#10

You can also use http://xip.io/


#12

Cloudflare has historically never had to serve content from an IP address origin (until 1.1.1.1, at least), so we were able to assume that any HTTP message transiting our systems must have a Host header with a domain name in it. At a minimum we must perform a security review of the consequences before changing that basic assumption. That involves quite a few people, and will take some time.

Harris


#13

You might be interested in our Argo Tunnel service. It allows you to serve traffic from a server which is not otherwise accessible over the Internet.