Cloudflare workers - HTTPS error - Trying to proxy external websites

I want to proxy requests to my domain name to an external server.

curl -i https://DOMAIN_NAME/v2/history/get_actions?account=eosio&filter=eosio:bidname
[1] 2450
bash-3.2$ curl: (51) SSL: no alternative certificate subject name matches target host name ‘DOMAIN_NAME’

addEventListener('fetch', event => {
  event.respondWith(handleRequest(event.request))
})

/**
 * Fetch and log a request
 * @param {Request} request
 */
async function handleRequest(request) {
  console.log('Got request', request)

  // Only the hostname inside the URL is swapped; the inbound request's
  // headers are reused as-is on the upstream fetch below.
  var target_url = request.url;
  target_url = target_url.replace("DOMAIN_NAME", "NEW_DOMAIN_NAME");
  console.log(target_url);
  console.log(request);
  const response = await fetch(new Request(target_url, {
    method: request.method,
    headers: request.headers,
    referrer: request.referrer,
    referrerPolicy: request.referrerPolicy,
  }))

  console.log('Got response', response)
  return response;
}

When I request a non-HTTPS domain name, it works. When I try an HTTPS URL it comes up with an error each time.

I expect this error to be due to the fact that the Host header is set to your CF domain (the one where the Worker runs), which will fail to pass at SSL validation, since the cert is for the other domain. You would need to have this domain on the cert as well.
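As an added illustration of the header point above (this is not the original poster's code and does not claim to diagnose the curl error), here is a locked-down variant of the worker: instead of replaying the inbound headers, it builds a fresh upstream Request whose hostname comes from a fixed constant, so the Host header is derived from the upstream URL rather than copied from the Worker's own domain, forwards only an allowlist of headers (no cookies or authorization), restricts proxying to one path prefix so the Worker cannot be used as an open proxy, and strips Set-Cookie from the upstream response. `api.example.net`, `/v2/history/` and the header allowlist are assumptions standing in for the thread's placeholder names. The `addEventListener` registration is guarded so the same module also runs under Node 18+ for testing.

```javascript
// Added example, not the original poster's code. Placeholder upstream host
// standing in for the thread's NEW_DOMAIN_NAME.
const UPSTREAM_HOST = 'api.example.net';
// Assumption: only this API path is proxied; anything else is rejected.
const ALLOWED_PREFIX = '/v2/history/';
// Assumption: only these inbound headers are worth forwarding. Host, Cookie,
// Authorization and CF-* headers are deliberately absent.
const FORWARDED_HEADERS = ['accept', 'accept-language', 'content-type', 'user-agent'];

/**
 * Build the upstream Request for an inbound one, or return null when the
 * path is outside the allowed prefix.
 * @param {Request} request
 * @returns {Request|null}
 */
function buildUpstreamRequest(request) {
  const inbound = new URL(request.url);
  if (!inbound.pathname.startsWith(ALLOWED_PREFIX)) return null;

  // Rebuild the URL with the upstream hostname; the Host header and TLS SNI
  // are then derived from this URL, not from the Worker's own domain.
  const upstream = new URL(request.url);
  upstream.protocol = 'https:';
  upstream.host = UPSTREAM_HOST;

  // Start from an empty header set and copy only the allowlisted names.
  const headers = new Headers();
  for (const name of FORWARDED_HEADERS) {
    const value = request.headers.get(name);
    if (value !== null) headers.set(name, value);
  }

  const hasBody = !['GET', 'HEAD'].includes(request.method.toUpperCase());
  return new Request(upstream.toString(), {
    method: request.method,
    headers,
    // Follow no redirects on the client's behalf: a 3xx from upstream is
    // returned as-is rather than silently fetched from a third host.
    redirect: 'manual',
    // 'duplex' is required by Node's fetch for streamed bodies; unknown
    // init keys are ignored by runtimes that do not use it.
    ...(hasBody ? { body: request.body, duplex: 'half' } : {}),
  });
}

/**
 * Strip response headers that would leak upstream session state to the
 * client. Returns the names that were removed (useful for logging/tests).
 * @param {Headers} headers
 * @returns {string[]}
 */
function scrubResponseHeaders(headers) {
  const removed = [];
  for (const name of ['set-cookie', 'set-cookie2']) {
    if (headers.has(name)) {
      headers.delete(name);
      removed.push(name);
    }
  }
  return removed;
}

async function handleRequest(request) {
  const upstreamReq = buildUpstreamRequest(request);
  if (upstreamReq === null) {
    return new Response('Not found', { status: 404 });
  }
  const upstreamRes = await fetch(upstreamReq);
  const headers = new Headers(upstreamRes.headers);
  scrubResponseHeaders(headers);
  return new Response(upstreamRes.body, { status: upstreamRes.status, headers });
}

// Register the Worker handler only where the Workers runtime provides it.
if (typeof addEventListener === 'function') {
  addEventListener('fetch', event => event.respondWith(handleRequest(event.request)));
}
```

The key difference from the original worker is that nothing from the inbound header set reaches the upstream unless it is on the allowlist, and the upstream hostname is a constant rather than a string substitution on whatever URL the client sent.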

Thanks @matteo, I don’t control the other domain.

Is there a way to get the raw data from the other website and send the data back? Essentially proxying the request?

No, there isn’t, because if that worked you could basically proxy every website. It’s a security imposed limit.

Thanks @matteo your responses are very helpful and very quick.

Why would there be a security limit on proxying these calls? The idea is to proxy the requests to hide end user IP addresses to the service. The request will be served by our servers in turn with the Cloudflare SSL certificates already in place.

Because if you could either accept all SSL certs or vary your Host header you could proxy Google, Facebook, etc. making the best phishing website ever.

If they are your servers then install a CF Origin Certificate, which is free.

It sounds like what you’re really trying to do, hide the client’s IP address, could be done more easily with either:

  1. An iptables -t nat ... rule on the Linux servers of your service
  2. Tor / other proxy

There’s absolutely no need to break the security provided by TLS in order to change the source IP address.

In this instance, it is just an API call for data. We can’t install CF origin certificate as it is not our server.

  1. We get the requests to our website (Cloudflare proxy)
  2. It replays the same requests to the destination to get the raw data (proxy)
  3. The data is sent back to the person requesting.

The user knows they are connecting to our website (not actual destination). Their connection is secured between their device and Cloudflare.

Apologies, I can’t see what the security issue is. We could do this in a simple node server.

I believe you, but Cloudflare doesn’t know that. It could be any service.

You could try, but I am not sure it will work: set SSL to Full, not Strict, if it’s not already for that path/subdomain. It may work, but I'm not really sure.

For sure, but it would be a single server or a specific IP, Google, etc. will block you immediately. They wouldn’t be able to block Cloudflare as a whole.