Error 1002 using nginx proxy_pass

I have a Cloudflare dns proxied A record…

It is pointing to an nginx instance that is doing a proxy_pass to a Cloudflare non-proxied CNAME record…
The CNAME points to

If I try to do…
curl -H "Head:"
… I get error 1002: DNS points to prohibited IP.

If I change my proxy_pass to use some other header than Head, this works. e.g.:
curl -H "Gwy:"

Is this expected behaviour?

If I really had to use Head as the header name, what would I need to change?
Move either or to a different domain?

Could you please share the real domain name so we can take a look?

Hi Albert,

Too many things happening at once… I mean Host for the header name above, not Head.

So sorry about that! You can probably explain it now.

The real domain is
So traffic sent to is proxied to any of a number of CNAMEs (e.g.: all pointing to an Azure app gateway

and the app gateway is running on a non-standard https port… 4433 or 4443 typically.

I am not quite sure I understand the request flow. Could you please elaborate a bit?

So, if I send a request to, your origin returns a 403 Forbidden response. I assume this is because my request is not authorized?

$ curl   
<head><title>403 Forbidden</title></head>
<center><h1>403 Forbidden</h1></center>

For an authorized request, where does NGINX proxy_pass the request?

Hi Albert,

Only a few IPs are currently allowlisted, which is why you are getting forbidden.

Essentially, if I set the nginx proxy_pass to use a request header called agw, set to a backend app gateway host and port, everything works as expected.

curl -k -H "Agw:" ✔

If I change the proxy_pass to use the host request header, the curl command will return a 1002 error.

curl -k -H "Host:" ❌

As I said, the backend app gateway here ( is a CNAME (in Cloudflare).

It points to an A record in Cloudflare.

I just wanted confirmation that this is expected behaviour.

Then I can confirm to architecture that we cannot use Host as our request header in this case.

If you can explain why the 1002 happens that would be really appreciated, too.

Kind regards,


This domain is proxied through Cloudflare. Cloudflare uses the Host header to determine where to send the request. This is called virtual hosting and is how Cloudflare can have many websites on the same IP address.

Since you are changing the Host header, Cloudflare will think the request URL is resolves to a local IP address, which Cloudflare cannot send the request to.

$ dig +noall +answer	294 IN	CNAME 294 IN	A

This causes Cloudflare to throw error 1002 “Domain points to a local IP address”.
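An added example, not part of the thread: one way to lay out the arrangement that works, where clients leave Host set to the Cloudflare-proxied name and nginx picks the backend from the Agw header. The hostnames, resolver address and certificate paths are placeholders, and the allowlist `map` is an assumption about how the permitted gateways would be enumerated.

```nginx
# Added example; goes in the http {} context.
# All hostnames, the resolver and the certificate paths are placeholders.

# Allowlist: only these Agw values select a backend. Anything else maps to "",
# so a client cannot point the proxy at a destination of its own choosing.
map $http_agw $agw_backend {
    default                    "";
    "agw1.example.com:4433"    "agw1.example.com:4433";
    "agw2.example.com:4443"    "agw2.example.com:4443";
}

server {
    listen 443 ssl;

    # The Cloudflare-proxied name. Clients keep Host set to this value, which
    # is what lets Cloudflare route the request to this origin at all.
    server_name front.example.com;

    ssl_certificate     /etc/nginx/tls/front.example.com.crt;
    ssl_certificate_key /etc/nginx/tls/front.example.com.key;

    # proxy_pass with a variable resolves the name at request time,
    # so a resolver must be configured.
    resolver 1.1.1.1 valid=60s;

    location / {
        # Missing or unlisted Agw value: refuse instead of proxying.
        if ($agw_backend = "") {
            return 403;
        }

        # No URI part after the variable, so the original request URI is passed on.
        proxy_pass https://$agw_backend;

        # Host is rewritten only on the nginx -> gateway leg, after Cloudflare
        # has already routed on the client's original Host header.
        # $proxy_host is the host:port taken from proxy_pass (nginx's default).
        proxy_set_header Host $proxy_host;

        # Send SNI so the gateway can select its certificate.
        proxy_ssl_server_name on;
    }
}
```

Validate with `nginx -t` before reloading; whether the gateway expects its own name in Host is an assumption to confirm against its listener configuration.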

Hi Albert,

Thanks very much for the clear explanation.

I can pass that on to the developers and tell them to leave the Host header alone now. 🙂
