Cloudflare Proxy to HAProxy w/ Origin getting 526

It’s giving the origin certificate

All right, a few things.

  1. Do you want the machine to serve only a US audience?
  2. I am really confused about the port. You mentioned 2053 and 443. Which is the publicly used port?

Yes. Only want to serve the US… I’m never outside the US.

And it’s complicated. Currently have HTTPS on 443. In an effort not to disrupt that while I set up the Cloudflare proxy, I made a destination NAT rule to forward 443 requests from Cloudflare IPs to a second HTTP server on 2053 internally. From the outside both are on 443. It just depends on the source IP. Right now I have 2053 also open so you can see the HTTP server.

Did that make sense?

Not entirely. What you forward really does not matter for Cloudflare or visitors. So did I get this right, you only use 443 publicly?

As for the US, keep in mind, US visitors could still possibly use non-US PoPs, in which case even US requests would be blocked.

Yes. I’m aware.

And yes. 443 is the only port publicly. I just opened 2053 in case you wanted to hit the origin server directly.

No, I want to connect to where Cloudflare is going to connect. This is 443, right?

Yes. But that’s a different server, is my point. If you’re coming from a non-Cloudflare IP you’ll get one server. If you’re coming from a Cloudflare IP you’ll get the server that is currently on port 2053.

So if you want to test the server that Cloudflare sees on 443, then you need to hit the IP on 2053.

Unless you’re coming from a Cloudflare ip…

Hang on, are you saying that .81 address does not handle the request but forwards the request (on a network level), depending on who sent the request?

Yes. Exactly

Christ, why easy if difficult :smile:

Anyhow, 2053 does not respond right now.

Try now.

Fair enough, now I did get an Origin certificate and the certificate looks all right. Usually I’d say maybe you need the root certificate as well, but with your setup I’d rather go for some issue with the configuration. Try to simplify your setup, and once you’ve got it working you can set your relationship status to “It’s complicated” again :wink:

Of course, we can’t rule out that Cloudflare currently has some validation issue, but it’s still rather unlikely, and especially with a setup as unorthodox as yours, I’d say it’s the setup.

Right now it’s HAProxy. Was going to try using nginx to see if it’s a HAProxy issue. I think it’s something with the cipher. Just can’t figure out exactly what.

And yeah. It’s a little complicated. Lol

You blocked it again, so it’s a bit difficult :slight_smile:

The connection seemed to work, so I would not assume it’s an SSL issue. My guess would be it’s something about the network forwarding, hence the suggestion to simplify the setup.

Sorry. Disconnected from the firewall so it reverted the change. Forgot to save it. You want me to open it again? I’m wandering around on my cell phone.

Just wanted to check if the browser could connect. If it can, it really should not be an SSL issue.

Update. Tried putting the server directly on 443 from ALL sources. Still gives me a 526 from Cloudflare. So no clue what the ■■■■ is going on.
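A 526 from Cloudflare means the edge could not validate the origin certificate in Full (strict) mode: wrong or missing hostname in the certificate, expired, or not issued by something Cloudflare trusts (a Cloudflare Origin CA certificate counts, but only for proxied traffic; browsers do not trust it). The helpers below are an added example for checking exactly that against whichever port the proxy actually lands on (443, or 2053 in the split-by-source-IP setup in this thread); they are not code from the thread or from Cloudflare. They assume only the `openssl` CLI, and the hostname, IP and port are placeholders you fill in. The self-signed test certificate is constructed for offline use and would itself fail Cloudflare's validation, which is the point of the issuer line `inspect_cert` prints.

```shell
#!/bin/sh
# Added example (not from the thread). Helpers to see what an origin serves
# on a given port and whether that certificate covers the hostname.
# Assumption: openssl CLI is installed; HOST/IP/PORT are yours to fill in.

# fetch_origin_cert HOST IP PORT
# Connects to IP:PORT with SNI HOST (as the Cloudflare edge does) and prints
# the leaf certificate the origin presents, as PEM.
fetch_origin_cert() {
    host=$1; ip=$2; port=$3
    printf '' | openssl s_client -connect "$ip:$port" -servername "$host" 2>/dev/null \
        | openssl x509 2>/dev/null
}

# inspect_cert CERT.pem
# Prints the fields that decide a 526: issuer, validity window, covered names.
inspect_cert() {
    openssl x509 -in "$1" -noout -subject -issuer -dates
    openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name'
}

# cert_names CERT.pem -> one DNS name per line from the SAN extension
cert_names() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' \
        | tr ',' '\n' | sed -n 's/.*DNS:\([^ ]*\).*/\1/p'
}

# cert_matches_host CERT.pem HOST
# Prints "yes" if HOST is covered by an exact SAN entry or by a one-label
# wildcard (*.parent), which is how Cloudflare and browsers match names; else "no".
cert_matches_host() {
    cert=$1; host=$2
    parent=${host#*.}
    if cert_names "$cert" | grep -qxF "$host"; then
        echo yes
    elif [ "$parent" != "$host" ] && cert_names "$cert" | grep -qxF "*.$parent"; then
        echo yes
    else
        echo no
    fi
}

# cert_valid_now CERT.pem -> "yes" if the certificate has not expired
cert_valid_now() {
    if openssl x509 -in "$1" -noout -checkend 0 >/dev/null; then echo yes; else echo no; fi
}

# make_test_cert OUT.pem "DNS:a,DNS:b"
# Constructed self-signed certificate for offline testing of the checks above.
# A real origin should present a Cloudflare Origin CA or publicly trusted cert.
make_test_cert() {
    out=$1; sans=$2
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$out.key" -out "$out" \
        -days 1 -subj "/CN=test" -addext "subjectAltName=$sans" 2>/dev/null
}
```

Usage against a real origin: `fetch_origin_cert example.com 203.0.113.81 443 > origin.pem && inspect_cert origin.pem && cert_matches_host origin.pem example.com` (placeholder host and IP), and repeat with 2053 when traffic is being redirected by source IP, since the certificate a non-Cloudflare client sees on 443 is not the one the edge sees. Two independent things can go wrong: the name or validity check above, and the trust check, which differs between a browser (needs a public CA) and Cloudflare (also accepts its Origin CA). A browser connecting fine therefore does not prove the edge will, and the issuer line from `inspect_cert` is the first thing to compare against what Cloudflare expects.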