Cloudflare Nginx Authentication Throwing 401 Randomly

First, for the total avoidance of doubt, I am aware that this error is coming from Nginx, which I am using on my server, but I am almost certain that this is a problem within Cloudflare because:

  • My application did not throw these errors when I didn’t use Cloudflare, nothing else has changed.
  • I am seeing no requests hit my server at all
  • When I inspect the request, I am seeing a response from Cloudflare (401 Authentication Nginx, and a username/password pop up). I am not exactly clear what service but it looks like a response from a cache.

Unfortunately, it gets even weirder:

  • The error occurs randomly and stops randomly. It is not persistent. I have tried switching settings in Cloudflare, I have tried turning the cache off (switching to development mode), I have tried restarting my server multiple times…nothing.

  • The response from Cloudflare has a www-authenticate header with a basic realm that is different to my website. The realm is actually for a totally different website that I FTP into and which does use the auth pop up (I have no idea if they use Nginx)…I am slightly concerned about how this is occurring because, clearly, something has retained some state that it shouldn’t have access to. And, even more bizarrely, this appears to be the case with different browsers and using a private browser.

I am not even sure where to start here…the only thing that I have observed is it appears to only occur with requests that hit the Cloudflare cache and have response headers including:

server: cloudflare
status: 401
cf-cache-status: DYNAMIC
www-authenticate: Basic realm=“ftp.server” (not the website that is running my server and whose domain is going in the address bar)

Just to confirm some points above:

I have double-checked different browsers and incognito mode…even when no state is being retained by the browser, I am getting back a different realm in the www-authenticate header. The state is clearly not being saved on my side, it is in the Cloudflare cache.

This occurs when I make the request outside my network. I cannot test this 100% right now but I have requested the site on mobile, same thing is occurring (I have no idea what the response headers look like).

Purging the cache and switching to development mode do not work. I don’t even understand how the above can be possible and this doesn’t fix it…but it appears to be the case.

Either purging the cache doesn’t really purge your cache and/or some state is being retained about my requests.

  1. Are you using basic authentication at all on your site?
  2. Whats the URL?
  3. Do you have a straightforward setup (Cloudflare to your one webserver) or “is it complicated”? :slight_smile:
  1. No.
  2. I would prefer not to say at this point because I am not clear what state is being retained.
  3. Straightforward. The only thing that I can think of that might be unusual is that the site is hosted on my home server.

In this case I can only refer you to support I am afraid.

So you are suggesting that you cannot answer my question because I refuse to risk giving you my username and password to my FTP server…okay?

All the relevant information is above. It is very clear what is happening but without the knowledge of how CloudFlare’s caching works, it is difficult to know why.

What? Show me where I asked you for any user name or any password whatsoever! Futhermore FTP is not even part of the discussion, as that is not handled by Cloudflare anyhow.
Seriously! :roll_eyes:

I am suggesting nobody will be able to help you as you didnt provide any reproducible scenario.

To my knowledge Cloudflare does not cache any 401s, and considering you are not even using them, there shouldnt be anything to cache to begin with and Cloudflare’s caching status is actually pretty clear in this context. The issue is most likely somewhere on your end.

I understand that you don’t think you asked that. But the point, as stated multiple times in my question, is that state about other requests is being stored somewhere (because the www-authenticate header in the response has a different realm). It is, therefore, reasonable to wonder if other state is being stored. I understand this isn’t a risk for you, it is for me.

If you think the issue is on my end, you didn’t read the question. No requests are hitting my server AT ALL. I have looked at the raw response and the server header is cloudflare, and the other headers suggest that the cache is being hit.

The information you posted so far does not suggest that anything is getting cached, the caching status explicitly indicates that the response comes from the origin. I did notice that you said the request doesnt seem to hit your server, but that is only an assumption so far.

Again, without something to reproduce and trace the behaviour you mentioned there is not much that could be said about your issue and it would be best if you opened a support ticket.

Assuming your server is behind a typical home router, that 401 might be from your router. That would also explain why you dont seem to get a request on your server.

This topic was automatically closed after 14 days. New replies are no longer allowed.