Fetch can't access to my GCP Compute instance external IP

Problem

I’m trying to export logs from Cloudflare via a worker script, as suggested here, directly to my ELK instance at the Elasticsearch port, but I’m receiving a 403 (Forbidden) status code.

The thing is, the GCP firewall rules are OK (I’m accepting TCP requests from any IP to Elasticsearch’s port), and I can mimic the same fetch request (with the same headers and body) from a node script on my computer and it works, and I don’t have any Cloudflare firewall rules preventing me from making outbound requests to any domain/address. It’s also not a problem with certificates, because I’m doing it via HTTP to a development instance before I do it in production (via HTTPS).

Can anyone help me with this?

EDIT: I tried creating a separate rule redirecting traffic from a new domain name, unproxied, to my instance’s IP, just for testing because I don’t want to expose my instance’s IP to attackers, and even then trying to PUT to <newdomain>:<ES port> will return 403 to me.

I just found out I can’t fetch direct IPs from worker scripts. How could I work around that without routing through Cloudflare itself? (because I’m trying to send logs to Elasticsearch of everything entering CF)

Shouldn’t creating an unproxied record pointing to that address do the trick?

When I did that I lost my HTTPS connection, could only connect to Kibana via HTTP and I need that encryption…

Can you post the IP address and hostname in question?

Sorry, I can’t, for security reasons.

Just found what you’re referencing.

I do think having either a proxied or unproxied record, something like a random 64-character string for a subdomain, would be good if you don’t want the IP being public (although I would advise only allowing inbound traffic from Cloudflare IPs).

Since Workers doesn’t support custom TLS certificates (when accessing unproxied records), you should deploy a LetsEncrypt TLS certificate on your instance. If you don’t deploy at least some SSL/TLS on your instance, the connection between CF and the origin will still be insecure (flexible SSL isn’t secure between your server and CF).

Do you have a reference? I believe you can do this as long as you’re not trying to change the Host header/SNI, but I might be out of the loop.

I worked around this issue with a lambda function that basically proxies the CF logs to my ELK instance.

> Do you have a reference? I believe you can do this as long as you’re not trying to change the Host header/SNI, but I might be out of the loop.

I saw it in another post in this forum:

Anyway, I hope this helps someone out there with the same problem. I could use an nginx container to do the same trick, but a cloud function seemed virtually free for now.
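As an added example (not code from the thread or from Cloudflare), a Worker-style fetch handler that ships a log batch to Elasticsearch's `_bulk` API the way the replies above recommend: the origin is a DNS name carrying a valid TLS certificate, never an IP literal, the connection is HTTPS end to end, and the credential comes from an environment binding. The binding names `ES_URL` and `ES_API_KEY` and the index name are assumptions.

```javascript
// Added example, not from the thread: forward a JSON array of log records
// from a Worker-style handler to Elasticsearch's _bulk endpoint.

// Reject IP literals early: Workers cannot fetch them, and a bare IP has no
// certificate a TLS client could validate anyway.
function isIpLiteral(hostname) {
  const h = hostname.replace(/^\[|\]$/g, ""); // URL.hostname brackets IPv6
  const ipv4 = /^\d{1,3}(\.\d{1,3}){3}$/.test(h);
  const ipv6 = h.includes(":") && /^[0-9a-f:]+$/i.test(h);
  return ipv4 || ipv6;
}

// Build the upstream request as a plain object so it can be inspected and
// tested without network access. Enforces HTTPS and a DNS-name origin.
function buildBulkRequest(esUrl, index, records, apiKey) {
  const url = new URL("/_bulk", esUrl);
  if (url.protocol !== "https:") throw new Error("Elasticsearch URL must use https");
  if (isIpLiteral(url.hostname)) throw new Error("use a DNS name, not an IP literal");
  // NDJSON: one action line, then the document, each newline-terminated.
  const body = records
    .map((r) => JSON.stringify({ index: { _index: index } }) + "\n" + JSON.stringify(r) + "\n")
    .join("");
  return {
    url: url.toString(),
    method: "POST",
    headers: {
      "Content-Type": "application/x-ndjson",
      // Elasticsearch API-key scheme; the value itself comes from a binding.
      Authorization: `ApiKey ${apiKey}`,
    },
    body,
  };
}

// Worker entry point. env.ES_URL and env.ES_API_KEY are assumed bindings.
const worker = {
  async fetch(request, env) {
    if (request.method !== "POST") return new Response("method not allowed", { status: 405 });
    const records = await request.json();
    const req = buildBulkRequest(env.ES_URL, "cloudflare-logs", records, env.ES_API_KEY);
    const upstream = await fetch(req.url, { method: req.method, headers: req.headers, body: req.body });
    // Surface the upstream status so a 403 from the origin is visible in the Worker logs.
    return new Response(`elasticsearch responded ${upstream.status}`, { status: upstream.ok ? 200 : 502 });
  },
};
```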