Error 1002 using nginx proxy_pass

I have a Cloudflare DNS-proxied A record… mything.blah.xyz

It is pointing to an nginx instance that is doing a proxy_pass to a Cloudflare non-proxied CNAME record… myappcname.blah.xyz.
The CNAME points to myappgateway.blah.xyz.

If I try to do…
curl https://mything.blah.xyz/someapirequest -H "Head: myappcname.blah.xyz:9999"
… I get error 1002: DNS points to prohibited IP.

If I change my proxy_pass to use some other header than Head, this works. e.g.:
curl https://mything.blah.xyz/someapirequest -H "Gwy: myappcname.blah.xyz:9999"

Is this expected behaviour?

If I really had to use Head as the header name, what would I need to change?
Move either mything.blah.xyz or myappcname.blah.xyz to a different domain?

Could you please share the real domain name so we can take a look?

Hi Albert,

Too many things happening at once… I mean Host for the header name above, not Head.

So sorry about that! You can probably explain it now.

The real domain is tbird.xyz.
So traffic sent to pit510-cloudintegrationproxy.tbird.xyz is proxied to any of a number of CNAMEs (e.g. ring0-cinema-api.pit.tbird.xyz), all pointing to an Azure application gateway, agw-au1-pit-ring0-int.tbird.xyz.

And the app gateway is running on a non-standard HTTPS port… 4433 or 4443 typically.

I am not quite sure I understand the request flow. Could you please elaborate a bit?

So, if I send a request to https://pit510-cloudintegrationproxy.tbird.xyz, your origin returns a 403 Forbidden response. I assume this is because my request is not authorized?

$ curl https://pit510-cloudintegrationproxy.tbird.xyz   
<html>
<head><title>403 Forbidden</title></head>
<body>
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/1.23.4</center>
</body>
</html>

For an authorized request, where does NGINX proxy_pass the request?

Hi Albert,

Only a few IPs are currently allowlisted, which is why you are getting forbidden.

Essentially, if I set the nginx proxy_pass to use a request header called agw, set to a backend app gateway host and port, everything works as expected.

curl -k https://pit510-cloudintegrationproxy.tbird.xyz/servicehost/api/v1/services/list -H "Agw: ring0-cinema-api.pit.tbird.xyz:4443" ✔

If I change the proxy_pass to use the Host request header, the curl command will return a 1002 error.

curl -k https://pit510-cloudintegrationproxy.tbird.xyz/servicehost/api/v1/services/list -H "Host: ring0-cinema-api.pit.tbird.xyz:4443" ✘

As I said, the backend app gateway here (ring0-cinema-api.pit.tbird.xyz) is a CNAME (in Cloudflare).

It points to an A record in Cloudflare.

I just wanted confirmation that this is expected behaviour.

Then I can confirm to architecture that we cannot use Host as our request header in this case.

If you can explain why the 1002 happens that would be really appreciated, too.

Kind regards,

Phil

This domain is proxied through Cloudflare. Cloudflare uses the Host header to determine where to send the request. This is called virtual hosting and is how Cloudflare can have many websites on the same IP address.

Since you are changing the Host header, Cloudflare will think the request URL is https://ring0-cinema-api.pit.tbird.xyz:4443.

ring0-cinema-api.pit.tbird.xyz resolves to a local IP address, which Cloudflare cannot send the request to.

$ dig +noall +answer ring0-cinema-api.pit.tbird.xyz 
ring0-cinema-api.pit.tbird.xyz.	294 IN	CNAME	agw-au1-pit-ring0-int.tbird.xyz.
agw-au1-pit-ring0-int.tbird.xyz. 294 IN	A	10.30.20.4

This causes Cloudflare to throw error 1002 “Domain points to a local IP address”.
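An nginx configuration illustrating the two patterns discussed in this thread, added here as an example (it is not Phil's actual config). It keeps upstream selection on the separate Agw header, allowlists the backend names that header may carry, and sets the upstream Host explicitly rather than reusing whatever the client sent. The hostnames and port 4443 come from the thread; the client address, resolver and certificate paths are assumptions.

```nginx
# Added example config, not the thread's own. Assumes the hostnames and port 4443
# from the thread, a placeholder client address and an upstream resolver.

# Pattern that produced the 1002: driving proxy_pass from the client's Host header.
# With Cloudflare in front, the edge already routes on Host, so a Host naming the
# backend makes Cloudflare try to reach that name itself, and it resolves to a
# private address (10.30.20.4), which the edge refuses.
#   location / { proxy_pass https://$http_host; }

# Restrict the Agw header to known backend names; anything else maps to "".
map $http_agw $backend_host {
    default                                "";
    "ring0-cinema-api.pit.tbird.xyz:4443"  "ring0-cinema-api.pit.tbird.xyz";
}

server {
    listen 443 ssl;
    server_name pit510-cloudintegrationproxy.tbird.xyz;
    ssl_certificate     /etc/nginx/certs/proxy.crt;   # assumed path
    ssl_certificate_key /etc/nginx/certs/proxy.key;   # assumed path

    # Source allowlist mentioned in the thread ("only a few IPs are allowlisted").
    allow 203.0.113.10;   # placeholder client address
    deny  all;

    # A variable in proxy_pass needs a resolver for the CNAME lookup.
    resolver 1.1.1.1 valid=300s;   # assumed resolver

    location / {
        # Reject any Agw value that is not on the allowlist above.
        if ($backend_host = "") {
            return 403;
        }
        proxy_pass https://$backend_host:4443;
        # Give the app gateway its own name as Host on the upstream leg; the
        # public hostname stays untouched on the Cloudflare-facing side.
        proxy_set_header      Host $backend_host:4443;
        proxy_ssl_server_name on;
        proxy_ssl_name        $backend_host;
        proxy_ssl_protocols   TLSv1.2 TLSv1.3;
    }
}
```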

Hi Albert,

Thanks very much for the clear explanation.

I can pass that on to the developers and tell them to leave the Host header alone now. 🙂
