Origin Connection Issue with Kubernetes Ingress

What is the name of the domain?

https://bhairava.24hrsshipping.com/

What is the error number?

Direct connections to origin with proper Host header work perfectly.
Cloudflare proxy appears unable to establish connection with origin.
NGINX Ingress access logs show 200 responses for direct connections.
No Cloudflare requests appear in NGINX logs.

What is the error message?

Site can’t be reached

What is the issue you’re encountering

Cannot access my Kubernetes Dashboard through Cloudflare proxy, receiving “Unable to connect” error in browser. However, direct access to the origin works when using proper host headers.

What steps have you taken to resolve the issue?

DNS Resolution: Now correctly points to origin server (129.154.43.185)
Origin Server Connectivity:
Direct curl to IP with Host header returns 200 status and correct content
Access logs confirm requests reaching ingress controller successfully
Certificate Configuration:
Created and installed Cloudflare Origin Certificate in Kubernetes
NGINX Ingress controller configured with TLS using this certificate
SSL Settings:
Tried both Full and Flexible SSL modes in Cloudflare

What are the steps to reproduce the issue?

Test with HOST header (should work)
curl -k -v -H "Host: bhairava.24hrsshipping.com" https://129.154.43.185

  • Trying 129.154.43.185:443…
  • Connected to 129.154.43.185 (129.154.43.185) port 443 (#0)
  • ALPN, offering h2
  • ALPN, offering http/1.1
  • TLSv1.0 (OUT), TLS header, Certificate Status (22):
  • TLSv1.3 (OUT), TLS handshake, Client hello (1):
  • TLSv1.2 (IN), TLS header, Certificate Status (22):
  • TLSv1.3 (IN), TLS handshake, Server hello (2):
  • TLSv1.2 (IN), TLS header, Finished (20):
  • TLSv1.2 (IN), TLS header, Supplemental data (23):
  • TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
  • TLSv1.2 (IN), TLS header, Supplemental data (23):
  • TLSv1.3 (IN), TLS handshake, Certificate (11):
  • TLSv1.2 (IN), TLS header, Supplemental data (23):
  • TLSv1.3 (IN), TLS handshake, CERT verify (15):
  • TLSv1.2 (IN), TLS header, Supplemental data (23):
  • TLSv1.3 (IN), TLS handshake, Finished (20):
  • TLSv1.2 (OUT), TLS header, Finished (20):
  • TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
  • TLSv1.2 (OUT), TLS header, Supplemental data (23):
  • TLSv1.3 (OUT), TLS handshake, Finished (20):
  • SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
  • ALPN, server accepted to use h2
  • Server certificate:
  • subject: O=Acme Co; CN=Kubernetes Ingress Controller Fake Certificate
  • start date: Mar 9 06:02:25 2025 GMT
  • expire date: Mar 9 06:02:25 2026 GMT
  • issuer: O=Acme Co; CN=Kubernetes Ingress Controller Fake Certificate
  • SSL certificate verify result: self-signed certificate (18), continuing anyway.
  • Using HTTP2, server supports multiplexing
  • Connection state changed (HTTP/2 confirmed)
  • Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
  • TLSv1.2 (OUT), TLS header, Supplemental data (23):
  • TLSv1.2 (OUT), TLS header, Supplemental data (23):
  • TLSv1.2 (OUT), TLS header, Supplemental data (23):
  • Using Stream ID: 1 (easy handle 0xb50e2fb64800)
  • TLSv1.2 (OUT), TLS header, Supplemental data (23):

> GET / HTTP/2
> Host: bhairava.24hrsshipping.com
> user-agent: curl/7.81.0
> accept: */*

  • TLSv1.2 (IN), TLS header, Supplemental data (23):
  • TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
  • TLSv1.2 (IN), TLS header, Supplemental data (23):
  • TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
  • old SSL session ID is stale, removing
  • TLSv1.2 (IN), TLS header, Supplemental data (23):
  • Connection state changed (MAX_CONCURRENT_STREAMS == 128)!
  • TLSv1.2 (OUT), TLS header, Supplemental data (23):
  • TLSv1.2 (IN), TLS header, Supplemental data (23):
    < HTTP/2 200
    < date: Sun, 09 Mar 2025 07:58:59 GMT
    < content-type: text/html; charset=utf-8
    < content-length: 2442
    < accept-ranges: bytes
    < cache-control: no-cache, no-store, must-revalidate
    < last-modified: Tue, 25 Feb 2025 15:23:58 GMT
    < x-kong-upstream-latency: 0
    < x-kong-proxy-latency: 1
    < via: 1.1 kong/3.8.0
    < x-kong-request-id: ff5b3d140029a057dac02469d55e853a
    < strict-transport-security: max-age=31536000; includeSubDomains
    <
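The direct test above sends the Host header to a bare IP, so curl sends no TLS SNI and the ingress answers with its fallback "Kubernetes Ingress Controller Fake Certificate", which is not the Cloudflare Origin Certificate that was installed. The Cloudflare edge sends SNI and Host both set to the site name, connects to port 443 in Full / Full (strict) mode and to port 80 in Flexible mode, and Full (strict) refuses that fallback certificate. The script below is an added example, not part of the original post or the project's own code: it repeats the probe the way the edge performs it (curl `--resolve` pins the hostname to the origin IP while still sending proper SNI), checks port 80, and classifies the certificate the ingress actually presents. The hostname and IP are the ones from the thread; the Cloudflare Origin CA subject and SAN text in the second sample are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Probes the origin the way the
# Cloudflare edge does: TLS SNI *and* the Host header both set to the site
# name (curl -H Host against a bare IP sends no SNI, so the ingress answers
# with its default certificate). Hostname and IP are the ones in the thread.
SITE_HOST="bhairava.24hrsshipping.com"
ORIGIN_IP="129.154.43.185"

# Classify a certificate description read on stdin (curl -v or openssl x509 text).
# Prints: default-cert  - ingress fallback cert, no TLS secret matched this host
#         host-cert     - a certificate that names $SITE_HOST (CN or SAN)
#         unknown       - anything else
classify_cert() {
    text=$(cat)
    if printf '%s\n' "$text" | grep -q 'Kubernetes Ingress Controller Fake Certificate'; then
        echo default-cert
    elif printf '%s\n' "$text" | grep -q "$SITE_HOST"; then
        echo host-cert
    else
        echo unknown
    fi
}

# Live probe (needs network; run with RUN_PROBE=1). Three checks:
#  1. HTTPS with proper SNI+Host, what Full / Full (strict) mode connects to
#  2. plain HTTP on :80, what Flexible mode connects to
#  3. which certificate the ingress presents for this SNI
probe_origin() {
    curl -sS -o /dev/null -k --max-time 10 -w 'https :443 status=%{http_code}\n' \
        --resolve "$SITE_HOST:443:$ORIGIN_IP" "https://$SITE_HOST/"
    curl -sS -o /dev/null --max-time 10 -w 'http  :80  status=%{http_code}\n' \
        --resolve "$SITE_HOST:80:$ORIGIN_IP" "http://$SITE_HOST/"
    openssl s_client -connect "$ORIGIN_IP:443" -servername "$SITE_HOST" </dev/null 2>/dev/null \
        | openssl x509 -noout -subject -ext subjectAltName | classify_cert
}

# Constructed samples for offline use: the subject line the thread's curl run
# printed, and an illustrative Cloudflare Origin CA subject+SAN for the same host.
SAMPLE_DEFAULT='* subject: O=Acme Co; CN=Kubernetes Ingress Controller Fake Certificate'
SAMPLE_ORIGIN='subject=O = CloudFlare, Inc., OU = CloudFlare Origin CA, CN = CloudFlare Origin Certificate
X509v3 Subject Alternative Name:
    DNS:bhairava.24hrsshipping.com, DNS:*.24hrsshipping.com'

check_sample() {   # $1 = sample text; echoes the classification
    printf '%s\n' "$1" | classify_cert
}

check_sample "$SAMPLE_DEFAULT"   # default-cert
check_sample "$SAMPLE_ORIGIN"    # host-cert
if [ "${RUN_PROBE:-0}" = 1 ]; then probe_origin; fi
```

If the live probe reports `default-cert`, the Ingress has no `tls:` entry whose `hosts` list contains the site name backed by the secret holding the Cloudflare Origin Certificate, and Full (strict) cannot work until it does; a timeout on the port 80 check rules out Flexible mode; a timeout on both from outside the provider network points at a firewall or security list in front of the node rather than at the ingress.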

Does not work for me. Do you test from within the same network?

That did not answer my question.


kubectl run -it --rm test-curl --image=curlimages/curl -n default -- curl -vk https://kubernetes-dashboard-kong-proxy.kubernetes-dashboard.svc.cluster.local:443

If you don’t see a command prompt, try pressing enter.
E0310 04:04:22.351636 2424878 v3.go:79] EOF
warning: couldn’t attach to pod/test-curl, falling back to streaming logs: Internal error occurred: error attaching to container: failed to load task: no running task found: task 109ee0cb1ab856dedc3ced6fd19f4f59e649d664bef39bdeb1e11ded9f43e4b0 not found: not found
E0310 04:04:22.352333 2424878 v3.go:79] EOF

  • Host kubernetes-dashboard-kong-proxy.kubernetes-dashboard.svc.cluster.local:443 was resolved.
  • IPv6: (none)
  • IPv4: 10.96.103.37
  • Trying 10.96.103.37:443…
  • ALPN: curl offers h2,http/1.1
  • TLSv1.3 (OUT), TLS handshake, Client hello (1):
  • TLSv1.3 (IN), TLS handshake, Server hello (2):
  • TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
  • TLSv1.3 (IN), TLS handshake, Certificate (11):
  • TLSv1.3 (IN), TLS handshake, CERT verify (15):
  • TLSv1.3 (IN), TLS handshake, Finished (20):
  • TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
  • TLSv1.3 (OUT), TLS handshake, Finished (20):
  • SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384 / x25519 / id-ecPublicKey
  • ALPN: server accepted h2
  • Server certificate:
  • subject: C=US; ST=California; L=San Francisco; O=Kong; OU=IT Department; CN=localhost
  • start date: Mar 9 06:08:57 2025 GMT
  • expire date: Mar 4 06:08:57 2045 GMT
  • issuer: C=US; ST=California; L=San Francisco; O=Kong; OU=IT Department; CN=localhost
  • SSL certificate verify result: self-signed certificate (18), continuing anyway.
  • Certificate level 0: Public key type EC/prime256v1 (256/128 Bits/secBits), signed using ecdsa-with-SHA256
  • Connected to kubernetes-dashboard-kong-proxy.kubernetes-dashboard.svc.cluster.local (10.96.103.37) port 443
  • using HTTP/2
  • [HTTP/2] [1] OPENED stream for https://kubernetes-dashboard-kong-proxy.kubernetes-dashboard.svc.cluster.local:443/
  • [HTTP/2] [1] [:method: GET]
  • [HTTP/2] [1] [:scheme: https]
  • [HTTP/2] [1] [:authority: kubernetes-dashboard-kong-proxy.kubernetes-dashboard.svc.cluster.local]
  • [HTTP/2] [1] [:path: /]
  • [HTTP/2] [1] [user-agent: curl/8.12.1]
  • [HTTP/2] [1] [accept: */*]

> GET / HTTP/2
> Host: kubernetes-dashboard-kong-proxy.kubernetes-dashboard.svc.cluster.local
> User-Agent: curl/8.12.1
> Accept: */*

  • TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
  • TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
  • Request completely sent off
    < HTTP/2 200
    < content-type: text/html; charset=utf-8
    < content-length: 2442
    < accept-ranges: bytes
    < cache-control: no-cache, no-store, must-revalidate
    < last-modified: Tue, 25 Feb 2025 15:23:58 GMT
    < date: Mon, 10 Mar 2025 04:04:22 GMT
    < server: kong/3.8.0
    < x-kong-upstream-latency: 1
    < x-kong-proxy-latency: 1
    < via: 1.1 kong/3.8.0
    < x-kong-request-id: 01d58c4a7a6b9a27e49a68014d2bb822
    <