ERR_CONNECTION_RESET when using Cloudflare CDN on nginx with SSL

Hello, I have a website at https://hoomixt.online. The domain is pointed to nginx with a self-signed SSL certificate using an A record. With the CDN/proxy off, everything works perfectly fine, but when I turn on the Cloudflare CDN/proxy, I get ERR_CONNECTION_RESET and can't connect. I did some testing:

  • when the CDN is off, pinging the domain returns the nginx IP and everything works fine
  • when the CDN is on, pinging the domain returns a Cloudflare IP and the site doesn't load
  • I tried using curl on my domain, and it gave me HTML containing 301 Permanently Moved with the CDN on

Here is my nginx config file:

server {
    server_name hoomixt.online www.hoomixt.online;
    location / {
        proxy_pass http://localhost:3000;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/hoomixt.online/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/hoomixt.online/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
    if ($host = www.hoomixt.online) {
        return 301 https://$host$request_uri;
    } # managed by Certbot
    if ($host = hoomixt.online) {
        return 301 https://$host$request_uri;
    } # managed by Certbot
    listen 80;
    server_name hoomixt.online www.hoomixt.online;
    return 404; # managed by Certbot
}

Any help is appreciated.

What are your SSL/TLS settings? Is it flexible or full?

Hey, sorry for the late response, I was asleep. It is set to Full, though I haven't tested it with Flexible.

Another thing that I think I should mention:

As said in the post: "I tried using curl on my domain, and it gave me HTML containing 301 Permanently Moved with the CDN on". When I curl the domain with the CDN on it returns 301 Moved Permanently, and in the last lines of the config file Certbot automatically configured it so that it returns 301 in the two if statements. Maybe that's the problem?

Curl does not automatically follow redirects. Have you tried in a web browser? Full should be the correct SSL/TLS setting.

Full is still insecure, the OP should select Full Strict.


Yeah, I checked in a browser as well, same result.

I will try that, thank you.

Update: after setting the SSL/TLS mode to "Full (strict)", the result was the same as above: with the CDN off it works fine, but with it on it doesn't. Something that I noticed is that trying to enter hoomixt.online in my browser redirects me to http://10.10.34.34/ after some time (and not always). Isn't the problem with my nginx config?

Can you turn the CDN on so I can test from my browser?

if ($host = www.hoomixt.online) {
    return 301 https://$host$request_uri;
} # managed by Certbot
if ($host = hoomixt.online) {
    return 301 https://$host$request_uri;
}

I'm not sure of the point of these, since they do not correct anything, but they are not breaking anything else either, since requests to the IP and domain work fine.

Done, also I enabled development mode for now.
About the last lines of the nginx config, it was automatically done by Certbot.

hoomixt.online works for me on Cloudflare. No issues for www either.

Hey, I turned the CDN off around the time you posted this to test something. Can you test again? Sorry.

It appears to work with Cloudflare enabled.

It doesn't for me, that's weird. Thanks though.

Do you mind showing the results of curl -v https://hoomixt.online/ ?

Sure, here it is:

C:\Users\Hoomi>curl -v hoomixt.online
*   Trying 188.114.97.3:80...
* Connected to hoomixt.online (188.114.97.3) port 80 (#0)
> GET / HTTP/1.1
> Host: hoomixt.online
> User-Agent: curl/7.83.1
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 301 Moved Permanently
< Location: http://10.10.34.34
< Content-Type: text/html
< Content-Length: 156
<
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<title>Moved</title>
</head>
<body>
<h1>Redirected</h1>
</body>
</html>
* Connection #0 to host hoomixt.online left intact

Something that I noticed:

  • it connected using port 80
  • in the nginx config file the server only listens on port 443, and, as Certbot configured it, if the port is 80 it will return 301 permanently redirected (the error shown in curl), so the question is: why doesn't it use port 443?

Never mind, it doesn't work on port 443 either.

C:\Users\Hoomi>curl -v hoomixt.online:443
*   Trying 188.114.96.3:443...
* Connected to hoomixt.online (188.114.96.3) port 443 (#0)
> GET / HTTP/1.1
> Host: hoomixt.online:443
> User-Agent: curl/7.83.1
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 301 Moved Permanently
< Location: http://10.10.34.34
< Content-Type: text/html
< Content-Length: 156
<
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<title>Moved</title>
</head>
<body>
<h1>Redirected</h1>
</body>
</html>
* Connection #0 to host hoomixt.online left intact
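An added diagnostic, not part of the thread: a small Python checker that reads the response headers out of a curl -v transcript like the ones pasted above and asks whether the Location header is something the posted nginx config could have emitted (its only redirect target is https://$host$request_uri) or whether it points at a private-range address instead. The transcript and redirect list in the block are constructed from the thread's output.

```python
import ipaddress
from urllib.parse import urlparse

# Constructed sample input: the response headers from the curl -v output
# above, retyped as test data ('< ' is curl's marker for response lines).
CURL_TRANSCRIPT = """\
< HTTP/1.1 301 Moved Permanently
< Location: http://10.10.34.34
< Content-Type: text/html
< Content-Length: 156
"""

# The only redirect target the posted nginx config can produce
# (return 301 https://$host$request_uri in both 'if' blocks).
NGINX_REDIRECTS = ["https://$host$request_uri"]


def response_headers(transcript):
    """Collect response headers from a curl -v transcript as {lower-name: value}."""
    headers = {}
    for line in transcript.splitlines():
        # Only '< ' lines are server responses; the status line has no colon.
        if not line.startswith("< ") or ":" not in line:
            continue
        name, _, value = line[2:].partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def matches_config_redirect(location, host, request_uri, redirects):
    """True if one of nginx's 'return 301' templates expands to this Location."""
    for template in redirects:
        expected = template.replace("$host", host).replace("$request_uri", request_uri)
        if location == expected:
            return True
    return False


def classify_redirect(transcript, host, request_uri, redirects=NGINX_REDIRECTS):
    """Say whether a 301 matches the origin config, names a private IP, or neither."""
    location = response_headers(transcript).get("location")
    if location is None:
        return "no-redirect"
    if matches_config_redirect(location, host, request_uri, redirects):
        return "origin-redirect"  # exactly what the nginx config would return
    target = urlparse(location).hostname or ""
    try:
        # The posted config never redirects to an IP literal, so a private
        # address here cannot have come from that config.
        if ipaddress.ip_address(target).is_private:
            return "redirect-to-private-ip"
    except ValueError:
        pass  # target is a hostname, not an IP literal
    return "unexpected-redirect"
```

Running classify_redirect(CURL_TRANSCRIPT, "hoomixt.online", "/") on the transcript above reports "redirect-to-private-ip", while a Location of https://hoomixt.online/ would be reported as the origin's own redirect.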

Oh wait, you wanted https://hoomixt.online/, not hoomixt.online, sorry.
Here:

C:\Users\Hoomi>curl -v https://hoomixt.online/
*   Trying 188.114.96.3:443...
* Connected to hoomixt.online (188.114.96.3) port 443 (#0)
* schannel: disabled automatic use of client certificate
* ALPN: offers http/1.1
* schannel: failed to receive handshake, SSL/TLS connection failed
* Closing connection 0
curl: (35) schannel: failed to receive handshake, SSL/TLS connection failed