Getting 403 when trying to make an insecure REST call from Worker code

Hey,
When trying to make a REST call from a Worker using fetch, I’m getting 403 Forbidden when trying to make an insecure connection (self-signed certificate, IP addresses, etc.).

Is there an option to allow this behavior? I’m looking for something similar to Node.js ‘rejectUnauthorized’.

Thanks

Is this Worker deployed or are you using the preview window in the dashboard? Can you access the API using cURL?

Hey Albert
Deployed
I’m able to access the API using curl, with -k flag to ignore the certificate error

I would expect either error code 525 or 526 for SSL issues. Is this Worker running on a custom domain or your workers.dev subdomain? In case of a custom domain, what is your SSL mode set to?

What happens if you send the request over HTTP from the Worker?

It is also possible the API is blocking requests from Cloudflare IP addresses, and that the error has nothing to do with SSL at all. In that case you would have to reach out to the webmaster of the API.

So
Somehow when accessing an IP address I get the 403 (over both 443 or 80)
I gave it some random DNS name (which mismatches with the certificate) and I do get 526
When accessing over HTTP - it works as expected

I manage the API as well and control its Firewall - it should allow traffic over 443 and 80 from anywhere

The 403 with the IP address definitely comes from Cloudflare, as I don’t see this traffic in my API
When I log the response object from the Worker code I see -
“resp: {"webSocket":null,"url":"https://","redirected":false,"ok":false,"headers":{},"statusText":"Forbidden","status":403,"bodyUsed":false,"body":{"locked":false}}”

Oh, and for this worker I’m using a custom DNS name (managed in Cloudflare of course)
My SSL mode is flexible

But the request should be made by the Worker to this third party API, get the response and then act according to that response
The 403 appears on the Worker logs

The 403 response is to be expected. Direct IP access is not allowed in Workers. You have to create a DNS record pointing to the IP address and fetch that instead.

It is highly recommended that you install a valid SSL certificate on your origin server. You can either get one for free from Let’s Encrypt or use a Cloudflare Origin Certificate (only valid for connections between Cloudflare and your origin server) that you generate in the dashboard.

Once you have installed a valid SSL certificate, make sure your SSL mode is set to “Full (strict)”. “Full” and “Flexible” are not secure and will leave you vulnerable to man-in-the-middle attacks.

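The advice in the reply above, as an added example that is not part of the original thread: a pre-flight check that rejects IP-literal and non-HTTPS upstream URLs before a Worker calls `fetch`, plus a mapping of the status codes discussed here. The hostname `api.example.com` and all function names are assumptions made for illustration.

```javascript
// Added example, not code from the thread. UPSTREAM is a hypothetical hostname
// that would have a DNS record pointing at the origin's IP address.
const UPSTREAM = "https://api.example.com/v1/status";

// True when the parsed host is an IPv4 or IPv6 literal rather than a DNS name.
// Call this on URL.hostname: the URL parser has already normalised decimal and
// hex IPv4 forms to dotted-decimal, and keeps IPv6 literals in brackets.
function isIpLiteral(hostname) {
  if (hostname.startsWith("[") && hostname.endsWith("]")) return true;
  const parts = hostname.split(".");
  return parts.length === 4 &&
    parts.every((p) => /^\d{1,3}$/.test(p) && Number(p) <= 255);
}

// Classify an upstream URL before fetching it from a Worker.
function checkUpstreamUrl(raw) {
  let url;
  try {
    url = new URL(raw);
  } catch {
    return { ok: false, code: "invalid-url" };
  }
  if (isIpLiteral(url.hostname)) return { ok: false, code: "ip-literal" };
  if (url.protocol !== "https:") return { ok: false, code: "not-https" };
  return { ok: true, code: "ok" };
}

// Map the status codes seen in this thread to the most likely cause.
function explainStatus(status) {
  switch (status) {
    case 403: return "403: direct-IP fetch refused by Cloudflare, or the API blocked the request";
    case 525: return "525: SSL handshake with the origin failed";
    case 526: return "526: origin certificate is invalid (self-signed, expired or name mismatch)";
    default: return `${status}: not an error code covered in this thread`;
  }
}

// Fetch only when the URL passes the check; log a hint on known failure codes.
async function fetchUpstream(raw = UPSTREAM) {
  const check = checkUpstreamUrl(raw);
  if (!check.ok) throw new Error(`refusing to fetch ${raw}: ${check.code}`);
  const resp = await fetch(raw);
  if (!resp.ok) console.warn(explainStatus(resp.status));
  return resp;
}
```
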

Got it, so IPs are not supported at all

And thanks for the tip, I’m still testing Cloudflare, of course in production I will use a valid certificate in the origin
