Nginx reverse proxy - 403 cloudflare error

Hi!

I have 2 domains both managed by Cloudflare.

Domain1 (D1) = e-commerce site
Domain2 (D2) = hosts content for domain 1

The content for D1 is fetched via API from D2 and this works fine. The issue I am having is with images, which are also on D2 but are fetched using a reverse proxy on D1. The reverse proxy was added to D1’s nginx config:

# Image redirect
proxy_ssl_server_name on;
proxy_ssl_name "D1.com";

location /uploads {
    proxy_pass_header Server;
    proxy_pass https://D2.com/uploads;
}

This has worked great for over 12 months; however, last week (no changes to nginx config or any other configs that I am aware of) images were not being displayed on D1. Upon inspection, the issue is that images fetched using the reverse proxy are getting a 403 Forbidden error from Cloudflare.

For now, I have had to disable cloudflare for my domains as the D1 is a trading website, and this has fixed the issue, however, I was wondering if anyone would be able to shed some light on this?

The only thing I could think that may have been causing the issue would be with Scrapeshield, however I have checked that this is not turned on.

I tried turning cloudflare back on, but within an hour the issue reappeared.

Thanks

Cloudflare does not generate 403 errors, are you still having the issue? Can you share the names of the actual domains?

When you say you have “disable cloudflare”, is that a pause of cloudflare or a change of the nameservers?

Hi,

Thanks for the reply. I tried turning Cloudflare back on and it is now giving the 403 error again. Yes, I pressed the ‘Pause Cloudflare’ button on the Overview page in the Cloudflare console, which will fix the issue, but is obviously not the solution(!).

Try thecodestore.co.uk (the e-commerce site) - when you go into the category or product pages you will see that the images do not display - they show 403 forbidden error message with cloudflare underneath it…e.g.: https://thecodestore.co.uk/uploads/products/small/5f777fb8c3aabad9c3301b79bcd2d453da3174a4.jpeg

the site that is hosting the image is: https://tcs.yodah.app/uploads/products/small/5f777fb8c3aabad9c3301b79bcd2d453da3174a4.jpeg (which works)

Thank you, I’d check for blocked IPs with your hosting provider. The screen shot of the error is really helpful, note that if you’re seeing a black & white 403 Forbidden error page without Cloudflare branding, this is always returned directly from the origin web server, not Cloudflare, and is generally related to permission rules on your server, either a permission rule you have set or an error in the .htaccess rules, Mod_security rules, or IP Deny rules. Make sure that Cloudflare’s IPs aren’t blocked. (Pulled from Community Tip - Fixing Error 403 Forbidden)

Thanks for your reply. Not sure if I am mistaken, but the screenshot shows the text ‘Cloudflare’ below the 403 Forbidden message?

Does this not mean that Cloudflare is returning this 403?

No, if it was a Cloudflare error you’d see a color page with cloudflare branding, not the black & white error message. This error you’re seeing is from your server.

OK, thanks for clarifying this. It still has me rather confused though… The error clearly is something to do with using Cloudflare, because if I use the Cloudflare pause feature everything works again (and Cloudflare is somehow listed at the bottom of the 403 error!).

I have checked my nginx logs for all sites, but there are no mentions of the 403 errors there - which is most odd?

I have checked firewalls but there are no IPs blacklisted.

Obviously not a htaccess issue as it is an nginx web server.

I am fairly stumped at the moment, so if anyone has any further suggestions it would be appreciated, thanks

Can you please explain the relation between thecodestore.co.uk and tcs.yodah.app domains? I’m seeing you specify the same URL exactly under the two domains… how is the site hosting the image different from the URL? Are you, like, reverse proxying it?

@cloonan, any chance any of this can be related to the feature that blocks hotlinking? @ash1, can you see and make sure this option is disabled? It’s on the last tab in the dashboard, “Scrape Shield”… the description of the feature says "Note: Hotlink Protection will deny access to requests when the HTTP referer does not include your website domain name (and is not blank).", which sounds promising for a 403 from Cloudflare…

Hi @shimi, if you look at the original post it shows the config - yes it is a reverse proxy.

I also checked the scrape shield setting - this is not turned on.

I have another question - I understand Cloudflare error pages are normally graphical, and the one I am seeing is black and white text. However, how does the text ‘cloudflare’ end up at the bottom of it?

thanks


EDIT:

After further digging, I have a feeling that the issue is something to do with the SSL certificates. At the moment all sites are set to SSL Full (Strict).

Does anyone know if the SSL cert for D2 needs to have any special config to accept the reverse proxy from D1?

Thanks

OK, finally I think I have found the solution. I believe it was misconfiguration of nginx. I updated it from:

proxy_ssl_name "D1.com";

to

proxy_ssl_name $proxy_host;

and now everything works.

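A small lint for the misconfiguration resolved above, added here as an example and not code from the thread: it flags any https proxy_pass whose inherited proxy_ssl_name is a literal that differs from the upstream host, the case where nginx sends one name in the TLS SNI while the default Host header ($proxy_host) carries another. The function name, the one-directive-or-brace-per-line parsing and the sample configs are assumptions; D1.com and D2.com are the poster's placeholders.

```python
import re
from collections import ChainMap
from urllib.parse import urlsplit

# Constructed samples mirroring the thread's config before and after the fix.
BEFORE = '''
proxy_ssl_server_name on;
proxy_ssl_name "D1.com";

location /uploads {
    proxy_pass_header Server;
    proxy_pass https://D2.com/uploads;
}
'''
AFTER = BEFORE.replace('"D1.com"', "$proxy_host")

DIRECTIVE = re.compile(r'^(\w+)\s+(.*?)\s*;$')
TRACKED = ("proxy_ssl_name", "proxy_ssl_server_name")

def sni_host_mismatches(conf):
    """Return (upstream host, SNI name) for each https proxy_pass that sends
    SNI with a literal proxy_ssl_name different from the upstream host."""
    # nginx defaults; ChainMap lets child blocks inherit from their parents
    # regardless of the order the directives appear in.
    scopes = [ChainMap({"proxy_ssl_name": "$proxy_host",
                        "proxy_ssl_server_name": "off"})]
    passes = []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if line.endswith("{"):
            scopes.append(scopes[-1].new_child())
        elif line == "}":
            scopes.pop()
        elif (m := DIRECTIVE.match(line)):
            name, value = m.group(1), m.group(2).strip("\"'")
            if name in TRACKED:
                scopes[-1][name] = value
            elif name == "proxy_pass" and value.startswith("https://"):
                passes.append((urlsplit(value).hostname or "", scopes[-1]))
    findings = []
    for host, scope in passes:                # evaluate after the full parse
        sni = scope["proxy_ssl_name"]
        if "$" in sni or "$" in host or scope["proxy_ssl_server_name"] != "on":
            continue                          # variable names or SNI not sent
        if sni.lower() != host:
            findings.append((host, sni))
    return findings

if __name__ == "__main__":
    print("before:", sni_host_mismatches(BEFORE))
    print("after: ", sni_host_mismatches(AFTER))
```

proxy_ssl_name is also the name nginx checks the upstream certificate against when proxy_ssl_verify is on, so a finding here is worth reviewing for verification as well as SNI.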