CORS preflight: Redirect is not allowed

Hey!

TL;DR:
How can I sign a preflight response created in a worker script with my responder URL?

Full explanation:

I have a problem figuring out how to deal with preflight requests on a DNS which is registered using Cloudflare.

Here is my setup:

This setup works for me.

Now I want to access an API from my website (https://www.example.com/):

I have tried to create an “A record” DNS entry which redirects this API to myIPv4 as well, in addition to a web worker which should handle the preflight request for CORS.
My problem is that I get a “Redirect is not allowed […]” since the responder of that message is the IPv4 of Cloudflare and not my https://api.example.com/ call.

Is there a way to hide my servers IP behind a Cloudflare DNS and handling preflight requests which do not redirect?

I am sure I left out important details, but as I am pretty new to Cloudflare and CORS, I would appreciate every follow-up question or suggestion on what I could try next.

Thanks for your read and I hope that you can help me!

Make sure you are entering api.example.com:8080 In the client/browser, CF doesn’t automatically proxy the different port request. Although this is possible with the Cloudflare app “portzilla” or via CF workers.

Thanks for the respond!
That’s what I am doing: I try to make a send a POST request to api.example.com:8080/requestData/ which requests a Content Type. This works if I use the IP directly however gets blocked due to the above mentioned CORS issue.

Any other ideas?

In general, redirects with CORS are going to cause trouble. Different user agents behave differently. If the target of a redirect requires preflight, then the redirect will fail.

Can you clear up my confusion (some of which is because you are using phrases like proxy and redirect to mean something else):

That is pretty normal.

This is unclear. “Flexible” is a feature which allows you to only have HTTP on the origin, and Cloudflare will proxy HTTPS requests for https://www.example.com to HTTP on your origin. Are you just saying that you have a page rule on www.example.com/* to set SSL to Flexible, or do you have a Forwarding page rule also to do a redirect?

Do you have an A record for www.example.com? If the record :orange:?

Do you have any forwarding page rules in place? Are you using Always Use HTTPS either on the SSL/TLS app or in a page rule?

Okay, I have the following A DNS Records:

  1. example.com -> myIP
  2. api.example.com (listed only as “api”) -> myIP

Regarding the SSL Flexible setup, I have two page-rules::

  1. One which makes a permanent redirect of example.com/* to https://www.example.com/$1
  2. One which sets .example.com/ to SSL to flexible

Regarding the www DNS entry, I don’t have something there.

I also enabled Flexible SSL under the Crypto tag in addition to the page rule.

Thanks again for replying and sorry for the late response!

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.