HTTP proxy through load balancer

Hello there :slight_smile:

I am setting up a forward proxy for our infrastructure to have fixed outgoing IP addresses.

The project should be highly available so I thought about running it through a CF load balancer to 3 dedicated servers.

The proxy is working when I access one of them directly but when I want to run it through Cloudflare with proxy enabled and pointing to a LB I always get a 400 error:

❯ curl --proxy "https://out.example.com:8443" https://ifconfig.io -v
* Host out.example.com:8443 was resolved.
* IPv6: 2606:4700:10::6816:26dd, 2606:4700:10::ac43:17d3, 2606:4700:10::6816:27dd
* IPv4: 104.22.39.221, 104.22.38.221, 172.67.23.211
*   Trying 104.22.39.221:8443...
* Connected to out.example.com (104.22.39.221) port 8443
* ALPN: curl offers http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: none
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384 / X25519 / id-ecPublicKey
* ALPN: server accepted http/1.1
* Proxy certificate:
*  subject: CN=example.com
*  start date: Dec 28 05:20:25 2023 GMT
*  expire date: Mar 27 05:20:24 2024 GMT
*  subjectAltName: host "out.example.com" matched cert's "*.example.com"
*  issuer: C=US; O=Let's Encrypt; CN=E1
*  SSL certificate verify ok.
*   Certificate level 0: Public key type EC/prime256v1 (256/128 Bits/secBits), signed using ecdsa-with-SHA384
*   Certificate level 1: Public key type EC/secp384r1 (384/192 Bits/secBits), signed using ecdsa-with-SHA384
*   Certificate level 2: Public key type EC/secp384r1 (384/192 Bits/secBits), signed using ecdsa-with-SHA384
* CONNECT tunnel: HTTP/1.1 negotiated
* allocate connect buffer
* Establish HTTP proxy tunnel to ifconfig.io:443
> CONNECT ifconfig.io:443 HTTP/1.1
> Host: ifconfig.io:443
> User-Agent: curl/8.5.0
> Proxy-Connection: Keep-Alive
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
< HTTP/1.1 400 Bad Request
< Server: cloudflare
< Date: Mon, 22 Jan 2024 10:09:36 GMT
< Content-Type: text/html
< Content-Length: 155
< Connection: close
< CF-RAY: -
<
* CONNECT tunnel failed, response 400
* Closing connection
* TLSv1.3 (OUT), TLS alert, close notify (256):
* TLSv1.3 (IN), TLS alert, close notify (256):
curl: (56) CONNECT tunnel failed, response 400

The setup is like that:

CNAME with proxied=true > LB > 3 servers

Any idea why this is not working?
Is CF actively blocking this kind of request (CONNECT method maybe) or should that work and it is a configuration error?

If that won’t work do you have any ideas what I could do instead?

Thank you

Forgot to mention that I cannot see anything about the requests to the CNAME in the cloudflare logs or anywhere else inside my cloudflare account.

Nothing?
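For readers who want to see what the three dedicated servers actually have to do with a request like the `CONNECT ifconfig.io:443 HTTP/1.1` in the trace above, here is a minimal CONNECT-only forward proxy. It is an added illustration, not the poster's setup and not Cloudflare's code: the proxy reads the request head, opens a raw TCP connection to the requested host:port, answers `200 Connection Established`, and from then on relays bytes blindly in both directions. Anything that is not a CONNECT gets a 400 and any destination port outside `ALLOWED_PORTS` gets a 403, so the box does not become an open relay. Note that in the trace the 400 carries `Server: cloudflare` and `CF-RAY: -`, i.e. it is answered at the edge and never reaches an origin like this one. The example listens in plain HTTP on 127.0.0.1 (the trace uses `--proxy https://`, so a real deployment would put TLS in front); the echo server, the port numbers and the `ALLOWED_PORTS` policy are constructed for the self-test and are assumptions, not values from the thread.

```python
"""Minimal CONNECT-only forward proxy (added illustration; not the poster's or
Cloudflare's code). ALLOWED_PORTS, the echo server and all ports are constructed
for the self-test."""
import select
import socket
import socketserver
import threading

ALLOWED_PORTS = {443}   # assumption: only tunnel to HTTPS; widen per your policy
MAX_HEAD_BYTES = 8192   # bound on request/response head size


def parse_connect_request(raw: bytes):
    """Return (host, port) for a CONNECT in authority form, else None."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    parts = head.split(b"\r\n", 1)[0].decode("ascii", "replace").split(" ")
    if len(parts) != 3 or parts[0] != "CONNECT" or not parts[2].startswith("HTTP/1."):
        return None
    host, sep, port = parts[1].rpartition(":")
    if not sep or not host or not port.isdigit():
        return None
    return host, int(port)


def read_head(conn: socket.socket) -> bytes:
    """Read until the blank line that ends a request or response head (bounded)."""
    buf = b""
    while b"\r\n\r\n" not in buf and len(buf) < MAX_HEAD_BYTES:
        chunk = conn.recv(1024)
        if not chunk:
            break
        buf += chunk
    return buf


def relay(a: socket.socket, b: socket.socket) -> None:
    """Copy bytes in both directions until either side closes or errors."""
    peer = {a: b, b: a}
    try:
        while True:
            readable, _, _ = select.select([a, b], [], [])
            for src in readable:
                data = src.recv(65536)
                if not data:
                    return
                peer[src].sendall(data)
    except OSError:
        return


class ThreadedServer(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True


class ConnectHandler(socketserver.BaseRequestHandler):
    def handle(self):
        target = parse_connect_request(read_head(self.request))
        if target is None:   # GET/POST/garbage: not a tunnel request
            self.request.sendall(b"HTTP/1.1 400 Bad Request\r\nConnection: close\r\n\r\n")
            return
        host, port = target
        if port not in ALLOWED_PORTS:
            self.request.sendall(b"HTTP/1.1 403 Forbidden\r\nConnection: close\r\n\r\n")
            return
        try:
            upstream = socket.create_connection((host, port), timeout=10)
        except OSError:
            self.request.sendall(b"HTTP/1.1 502 Bad Gateway\r\nConnection: close\r\n\r\n")
            return
        with upstream:
            self.request.sendall(b"HTTP/1.1 200 Connection Established\r\n\r\n")
            relay(self.request, upstream)


class EchoHandler(socketserver.BaseRequestHandler):
    def handle(self):   # stand-in for the remote service (constructed for the self-test)
        while data := self.request.recv(1024):
            self.request.sendall(data)


def start_server(handler, port=0):
    """Serve `handler` on 127.0.0.1 in a background thread; return (server, port)."""
    srv = ThreadedServer(("127.0.0.1", port), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def send_raw(proxy_port: int, request: bytes, payload: bytes = b"") -> tuple:
    """Client side of a probe: send a request head to the proxy and return
    (status line, bytes echoed back through the tunnel if it was established)."""
    with socket.create_connection(("127.0.0.1", proxy_port), timeout=5) as s:
        s.sendall(request)
        status = read_head(s).split(b"\r\n", 1)[0].decode("ascii", "replace")
        reply = b""
        if status.startswith("HTTP/1.1 200") and payload:
            s.sendall(payload)
            reply = s.recv(1024)
        return status, reply


if __name__ == "__main__":
    _, bound = start_server(ConnectHandler, port=8443)
    print(f"listening on 127.0.0.1:{bound}; try: curl --proxy http://127.0.0.1:{bound} https://ifconfig.io")
    threading.Event().wait()
```

Run it directly and point curl at it with `--proxy http://127.0.0.1:8443` to see the `200 Connection Established` that the trace above never gets; `send_raw` is the same probe in code, handy for checking each origin directly versus through the load balancer. The important property for the original question is that a CONNECT tunnel is opaque TCP after the 200, which is why it needs a TCP-level path to the origin rather than an HTTP-level one.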