I am trying to set up a proxy to take advantage of the bandwidth alliance between Cloudflare and Oracle for their Object Storage service. However, every time I try to access the service I get either “Resource not found” or a 526 error.
If I create an oraclestorage record in my DNS with a CNAME of objectstorage.us-ashburn-1.oraclecloud.com and then enable the SSL proxy, I get a 526 error with Full (Strict) on, or “Resource not found” when using Full. If I disable the Cloudflare proxy, I get the SSL cert for a different Oracle domain, specifically “swiftobjectstorage.us-ashburn-1.oraclecloud.com”. If I create an additional record in DNS with a CNAME of “swiftobjectstorage.us-ashburn-1.oraclecloud.com”, the 526 error goes away, likely because the default certificate returned by Oracle matches this hostname, but none of the requests to that API return anything other than “Resource not found”. My guess is the SNI hostname is missing, so it is not routed to the correct service internally on the Oracle side.
I ran dig for both domains and both appear to resolve to the same set of IPs, so it appears they are using SNI to differentiate which service is being accessed. I also used openssl s_client to connect directly to one of those IPs: I was returned the cert for “swiftobjectstorage.us-ashburn-1.oraclecloud.com” when I did not include the “-servername” flag for “objectstorage.us-ashburn-1.oraclecloud.com”, and I was returned the correct cert when I did.
Does the Cloudflare SSL proxy not pass the CNAME being proxied as the servername for SNI to the origin server? My only other guess is that since “objectstorage.us-ashburn-1.oraclecloud.com” is a CNAME pointing to “objectstorage.us-ashburn-1.oci.oraclecloud.com”, the CNAME resolution somehow breaks SNI. Is this just not a supported access pattern, or is my configuration somehow wrong?
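The two `openssl s_client` runs in the post (one without `-servername`, one with it) are the right diagnostic for an SNI-routed origin; the script below, an added example that is not part of the original post, scripts that comparison and classifies the result. The certificate dicts at the top are constructed stand-ins shaped like what `ssl.SSLSocket.getpeercert()` returns, carrying only the two hostnames the post mentions; they are not real Oracle certificates. The function names (`classify_sni`, `fetch_cert`, `probe`) are this example's own.

```python
import socket
import ssl

# Constructed sample certificates, shaped like the dict returned by
# ssl.SSLSocket.getpeercert(). They stand in for the two certificates the post
# describes getting from the same Oracle IP with and without an SNI name; they
# are not real Oracle certificates and carry only the names the post mentions.
CERT_NO_SNI = {
    "subject": ((("commonName", "swiftobjectstorage.us-ashburn-1.oraclecloud.com"),),),
    "subjectAltName": (("DNS", "swiftobjectstorage.us-ashburn-1.oraclecloud.com"),),
}
CERT_WITH_SNI = {
    "subject": ((("commonName", "objectstorage.us-ashburn-1.oraclecloud.com"),),),
    "subjectAltName": (("DNS", "objectstorage.us-ashburn-1.oraclecloud.com"),),
}


def san_dns_names(cert):
    """DNS names a certificate is valid for: the subjectAltName DNS entries, falling
    back to the subject commonName only when the cert has no SAN extension at all."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        names = [value for rdn in cert.get("subject", ())
                 for kind, value in rdn if kind == "commonName"]
    return names


def hostname_matches(hostname, pattern):
    """RFC 6125 style match: a wildcard is honoured only as the whole leftmost label
    and matches exactly one label, so *.example.com covers a.example.com but not
    example.com or a.b.example.com."""
    host = hostname.lower().rstrip(".").split(".")
    pat = pattern.lower().rstrip(".").split(".")
    if len(host) != len(pat):
        return False
    if pat[0] == "*":
        # require at least two fixed labels so a bare "*.com" never matches
        return len(pat) >= 3 and host[1:] == pat[1:]
    return host == pat


def cert_covers(cert, hostname):
    """True if any name in the certificate covers `hostname`."""
    return any(hostname_matches(hostname, name) for name in san_dns_names(cert))


def classify_sni(hostname, cert_without_sni, cert_with_sni):
    """Compare the certificate an origin serves when the ClientHello carries no SNI
    against the one it serves when the ClientHello names `hostname`."""
    default_ok = cert_covers(cert_without_sni, hostname)
    sni_ok = cert_covers(cert_with_sni, hostname)
    if sni_ok and not default_ok:
        return "sni-required"      # origin selects the right cert only when SNI is sent
    if sni_ok and default_ok:
        return "sni-optional"      # the default cert already covers the name
    if default_ok:
        return "sni-misrouted"     # sending SNI made it worse; rare, worth a closer look
    return "no-cert-for-host"      # neither cert covers the name; check the hostname


def fetch_cert(host, sni, port=443, timeout=5):
    """Fetch the leaf certificate `host` serves for SNI name `sni` (None sends no SNI
    at all, like `openssl s_client` without -servername). Chain validation stays on so
    getpeercert() returns a parsed dict; hostname checking is off because a name
    mismatch is exactly the condition being probed."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=sni) as tls:
            return tls.getpeercert()


def probe(hostname, origin=None):
    """Live version of the post's two openssl runs: connect to `origin` (defaults to
    `hostname`, but may be one of the shared IPs from dig) once without SNI and once
    with it, then classify what came back."""
    origin = origin or hostname
    return classify_sni(hostname, fetch_cert(origin, None), fetch_cert(origin, hostname))


if __name__ == "__main__":
    import sys
    name = sys.argv[1] if len(sys.argv) > 1 else "objectstorage.us-ashburn-1.oraclecloud.com"
    print(name, probe(name))
```

Run `python sni_probe.py <hostname> ` against each candidate origin name; a result of `sni-required` means any proxy in front of it must present that exact name in the ClientHello, and the offline `classify_sni` function can be fed certificates captured by other tools for the same verdict.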