I’m trying to export logs from Cloudflare via a worker script, as suggested here, directly to my ELK instance at the Elasticsearch port, but I’m receiving a 403 (Forbidden) status code.
The thing is, the GCP firewall rules are ok (I’m accepting tcp requests from any IP to Elasticsearch’s port), and I can mimic the same fetch request (with the same headers and body) from a node script in my computer and it works, and I don’t have any Cloudflare firewall rules preventing me from making outbound requests to any domain/address, it’s also not a problem with certificates because I’m doing it via HTTP to a development instance before I do it in production (via HTTPS).
Can anyone help me with this?
EDIT: I tried creating a separate rule redirecting traffic from a new domain name, unproxied, to my instance’s IP, just for testing because I don’t want to expose my instance’s IP to attackers, and even then trying to PUT to <newdomain>:<ES port> will return 403 to me.
I just found out I can’t fetch direct IPs from worker scripts. How could I work around that without routing through Cloudflare itself? (because I’m trying to send logs to Elasticsearch of everything entering CF)
I do think having either a proxied or unproxied record, something like a random 64 character string for a subdomain would be good if you don’t want the IP being public (although I would advise only allowing inbound traffic from Cloudflare IPs).
Since Workers doesn’t support custom TLS certificates (when accessing unproxied records), you should deploy a LetsEncrypt TLS certificate on your instance. If you don’t deploy at least some SSL/TLS on your instance, the connection between CF and the origin will still be insecure (flexible SSL isn’t secure between your server and CF).
Do you have a reference? I believe you can do this as long as you’re not trying to change the Host header/SNI, but I might be out of the loop.
Anyway, I hope this helps someone out there with the same problem. I could use an nginx container to do the same trick, but a cloud function seemed virtually free for now.
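The setup the replies above describe (a Worker shipping a record of every request to Elasticsearch, addressed by a DNS name rather than a bare IP, over HTTPS) as an added example; this is not code from the thread, and the endpoint hostname and index name are placeholders you would replace with your own unproxied record and index:

```javascript
// Added example, not from the thread: a Worker that forwards a log record for every
// request passing through Cloudflare to Elasticsearch over HTTPS. Workers refuse
// fetch() to a literal IP, so the target is a DNS name (hypothetical placeholder
// below) that resolves to the ES instance.
const ES_ENDPOINT = "https://<random-label>.example.com:9200"; // placeholder hostname
const ES_INDEX = "cf-logs";                                    // placeholder index

// Extract the fields worth indexing from an incoming request.
// `request` is a Fetch API Request (or anything with url, method and headers.get()).
function buildLogDocument(request, now = new Date()) {
  const url = new URL(request.url);
  return {
    "@timestamp": now.toISOString(),
    method: request.method,
    host: url.hostname,
    path: url.pathname,
    client_ip: request.headers.get("CF-Connecting-IP"), // visitor IP as seen by Cloudflare
    ray_id: request.headers.get("CF-Ray"),              // Cloudflare request identifier
    user_agent: request.headers.get("User-Agent"),
  };
}

// Build the URL and fetch() options that index one document (POST lets ES assign the _id).
function buildIndexRequest(doc, endpoint = ES_ENDPOINT, index = ES_INDEX) {
  return {
    url: `${endpoint.replace(/\/+$/, "")}/${index}/_doc`,
    init: {
      method: "POST",
      headers: { "Content-Type": "application/json" },
      body: JSON.stringify(doc),
    },
  };
}

async function handleEvent(event) {
  const { url, init } = buildIndexRequest(buildLogDocument(event.request));
  // waitUntil keeps the Worker alive for the upload without delaying the visitor;
  // a failed upload must never turn into a failed page, so errors are swallowed here.
  event.waitUntil(fetch(url, init).catch(() => undefined));
  return fetch(event.request); // pass the original request through to the origin
}

// Register the handler only inside a Workers runtime; plain Node has no global addEventListener.
if (typeof addEventListener === "function") {
  addEventListener("fetch", (event) => event.respondWith(handleEvent(event)));
}
```

The origin side still needs the TLS certificate and the inbound restriction to Cloudflare IPs mentioned above; the Worker only changes how the instance is addressed.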