Cloudflare and Strato


#1

Hello to everyone!

I am having some problems with a site hosted on Strato (hosting and domain). I want to use CF but I’ve read about a lot of problems that users of Strato have with CF and I also had some problems yesterday.

Is there any magical trick to make them cooperate? Strato says everything is good on their end?

The URL that is currently not available is: https://www.p11-ra.de/ and the current error that I get is DNS_PROBE_FINISHED_NXDOMAIN. Yesterday we also tried to move the site to CF and got a 404 error but with a different description of the error, and we reverted the nameservers back to Strato and tried once more today to put the site on CF.

We decided to wait for 24 hours and see if the site will start to work. But if it doesn’t, do you have any idea whether it is possible to have a Strato site on Cloudflare?


#2

It may not be, see: https://serversupportforum.de/forum/dns/60386-strato-wordpress-paket-cloudflare.html

When doing a curl against your origin server bypassing Cloudflare it returns Cloudflare headers. Which sort of makes no sense, but they are clearly doing something uh interesting on their end.

curl -Ikv --resolve www.p11-ra.de:443:your.origin.ip.address https://www.p11-ra.de

* Added www.p11-ra.de:443:your.origin.ip.address to DNS cache
* Rebuilt URL to: https://www.p11-ra.de/
* Hostname www.p11-ra.de was found in DNS cache
* Trying 81.169.145.161…
* TCP_NODELAY set
* Connected to www.p11-ra.de (your.origin.ip.address) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
* CAfile: /usr/local/etc/openssl/cert.pem
  CApath: /usr/local/etc/openssl/certs
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server accepted to use h2
* Server certificate:
* subject: CN=www.p11-ra.de
* start date: Jun 24 00:00:00 2018 GMT
* expire date: Jul 24 12:00:00 2019 GMT
* issuer: C=DE; O=STRATO AG; OU=Domain Validated SSL; CN=STRATO TLS RSA CA
* SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x7f918680a000)

> HEAD / HTTP/1.1
> Host: www.p11-ra.de
> User-Agent: curl/7.51.0
> Accept: */*
>
* Connection state changed (MAX_CONCURRENT_STREAMS updated)!
< HTTP/2 200
HTTP/2 200
< date: Fri, 20 Jul 2018 18:58:55 GMT
date: Fri, 20 Jul 2018 18:58:55 GMT
< server: cloudflare
server: cloudflare
< content-type: text/html; charset=UTF-8
content-type: text/html; charset=UTF-8
< x-powered-by: PHP/5.6.36
x-powered-by: PHP/5.6.36
< link: https://www.p11-ra.de/wp-json/; rel=“https://api.w.org/
link: https://www.p11-ra.de/wp-json/; rel=“https://api.w.org/
< link: https://www.p11-ra.de/; rel=shortlink
link: https://www.p11-ra.de/; rel=shortlink
< cache-control: max-age=0
cache-control: max-age=0
< expires: Fri, 20 Jul 2018 18:58:52 GMT
expires: Fri, 20 Jul 2018 18:58:52 GMT
< vary: Accept-Encoding
vary: Accept-Encoding
< cf-ray: 43d7a966f642beb7-FRA
cf-ray: 43d7a966f642beb7-FRA
< set-cookie: __cfduid=d848d8e122c9ac7728a6fb8b8a83061881532113132; expires=Sat, 20-Jul-19 18:58:52 GMT; path=/; domain=.p11-ra.de; HttpOnly
set-cookie: __cfduid=d848d8e122c9ac7728a6fb8b8a83061881532113132; expires=Sat, 20-Jul-19 18:58:52 GMT; path=/; domain=.p11-ra.de; HttpOnly
< accept-ranges: none
accept-ranges: none

<

* Curl_http_done: called premature == 0
* Connection #0 to host www.p11-ra.de left intact

Couple of things. Note the SSL cert is Strato so we’re definitely connecting to them. But… see the Cloudflare headers for server, cookie and most interestingly the ray ID? The Ray ID says I am hitting FRA POP in Frankfurt… since I am in Austin, TX USA I should be hitting a DFW POP if my client were initiating a connection to the origin. It looks like Strato is reading external DNS and routing your query to Cloudflare. That causes a loop which causes the prohibited IP address error you see.
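
The check described in post #2, as an added example that is not part of the original thread: it classifies a direct-to-origin probe from the certificate issuer and the response headers, and reads the POP code from the Ray ID. The function names are hypothetical, the sample headers are copied from the output quoted above, and matching the origin by its CA name assumes the host issues its own certificates, as Strato does here.

```shell
#!/bin/sh
# Added example, not from the thread. Classifies a direct-to-origin probe
# (curl -I --resolve host:443:ORIGIN_IP ...) from the certificate issuer
# and the response headers it returned.

# Print the data-center code that ends a cf-ray value, e.g. FRA.
ray_colo() {
  awk -F': *' 'tolower($1) == "cf-ray" {
    sub(/\r$/, "", $2); n = split($2, part, "-"); print part[n]; exit }'
}

# Succeed if the headers on stdin carry a Cloudflare edge marker.
has_cf_markers() {
  grep -Eiq '^(server: *cloudflare|cf-ray:|set-cookie: *__cfduid=)'
}

# classify ISSUER ORIGIN_CA HEADER_FILE
#   ISSUER     issuer line of the certificate the probe received
#   ORIGIN_CA  substring naming the hosting provider's CA (assumption:
#              the origin's certificate is issued by the host's own CA)
classify() {
  issuer=$1 origin_ca=$2 headers=$3
  case $issuer in
    *"$origin_ca"*) at_origin=yes ;;
    *)              at_origin=no ;;
  esac
  if has_cf_markers < "$headers"; then
    if [ "$at_origin" = yes ]; then
      # TLS ended at the origin, yet the response passed through Cloudflare:
      # the origin forwarded the request back out to the edge.
      echo "origin-relays-to-cloudflare colo=$(ray_colo < "$headers")"
    else
      echo "answered-by-cloudflare-edge colo=$(ray_colo < "$headers")"
    fi
  else
    echo "origin-direct"
  fi
}

# Sample input: three header lines taken from the curl output quoted above.
sample=$(mktemp)
printf '%s\n' 'HTTP/2 200' 'server: cloudflare' \
  'cf-ray: 43d7a966f642beb7-FRA' > "$sample"
classify 'C=DE; O=STRATO AG; OU=Domain Validated SSL; CN=STRATO TLS RSA CA' \
  'STRATO' "$sample"
rm -f "$sample"
```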


#3

Hi, thank you for your help. We had to switch back to Strato NS as this didn’t work and the site needs to be online.

Do you think that maybe we should do a test site on the server and then try to switch to CF? Maybe it is just time that is needed for the change to take place on Strato?

It is interesting that Strato says that it should work and says that everything is OK on their side. And I can see it is not. Can’t find a solution, and we have like 10 sites that we would like to route through CF that are on Strato.


#4

Unfortunately I don’t know anything about their platform. But there is definitely something weird there. If you had a test domain where you could try again perhaps they could debug the cause if you can reproduce the issue (it’s definitely something at the origin).