I am fetching an external resource through the fetch() API in one of my workers. The resource is identified by an IP address – there is no domain for it. The request fails because it’s intercepted by Cloudflare and I get the following error:
Please enable cookies.
Error 1003 Ray ID: 48512b6700dec190 • 2018-12-06 19:30:52 UTC
Direct IP access not allowed
You’ve requested an IP address that is part of the Cloudflare network. A valid Host header must be supplied to reach the desired website.
What can I do?
If you are interested in learning more about Cloudflare, please visit our website.
Cloudflare Ray ID: 48512b6700dec190 • Your IP: 2a06:98c0:3600::103 • Performance & security by Cloudflare
Now, the server is definitely not behind Cloudflare, and I don’t even have a domain for it. I tried to set the Host header with the same IP address, but I get the same response. What is the solution in this case?
This error message is a bit misleading. Workers’ implementation of fetch() does not currently support fetching directly from an IP address at all. We would like to enable this ability at some point in the future, but I can’t promise it by any specific timeline.
If the IP is static, one workaround would be to add an A or AAAA record for that IP address in your zone’s DNS settings. If the IP is likely to change frequently, then this won’t be feasible, and I’m afraid I don’t know of a good solution in that case.
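The DNS workaround described above, sketched as a Worker helper. This is an added example, not code from the thread or from Cloudflare; `ORIGIN_HOSTS`, `toHostnameUrl`, the `example.com` hostnames and the documentation-range addresses are all hypothetical and assume matching A/AAAA records already exist in your zone.

```javascript
// Added example: every name and address here is a constructed placeholder.
// Maps each IP-literal origin to a hostname whose A/AAAA record points at it.
const ORIGIN_HOSTS = new Map([
  ["203.0.113.10", "origin.example.com"],
  ["[2001:db8::10]", "origin6.example.com"],
]);

const IPV4_RE = /^\d{1,3}(\.\d{1,3}){3}$/;

// The URL parser has already normalised the host by the time we look at it:
// IPv6 literals keep their brackets, and integer/hex IPv4 forms are dotted.
function isIpLiteral(hostname) {
  return IPV4_RE.test(hostname) || hostname.startsWith("[");
}

// Rewrite an IP-literal URL to its DNS name. Unmapped IPs fail closed, so the
// map doubles as an allowlist of origins the Worker may contact.
function toHostnameUrl(input, hosts = ORIGIN_HOSTS) {
  const url = new URL(input);
  if (!isIpLiteral(url.hostname)) return url.toString();
  const mapped = hosts.get(url.hostname);
  if (!mapped) throw new Error(`no DNS record configured for ${url.hostname}`);
  url.hostname = mapped; // port, path and query are preserved
  return url.toString();
}

// Worker entry point (service-worker syntax); skipped outside the Workers runtime.
if (typeof addEventListener === "function") {
  addEventListener("fetch", (event) => {
    event.respondWith(fetch(toHostnameUrl("http://203.0.113.10:8080/status")));
  });
}
```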
Why would that be the case? You could make a random string that would have the same possibility of being found as someone scanning the IP space. In addition, one should never trust security by hiding the address. If the IP were shared, there should be no issues (apart from maybe possible DDoS troubles…).
Cloudflare has historically never had to serve content from an IP address origin (until 184.108.40.206, at least), so we were able to assume that any HTTP message transiting our systems must have a Host header with a domain name in it. At a minimum we must perform a security review of the consequences before changing that basic assumption. That involves quite a few people, and will take some time.