Proxy does not work (404)

OK, so I purchased a cheap domain from CF,
and I wanted to set up a proxy for some servers I have.
They are all protected with their own SSL (and should stay that way).

I’m just trying to have a single domain which will encapsulate all their content under one name.
So I have tried everything from SSL (Full strict) to page rules,
but cannot figure this out.
Even a simple proxy to www.example.com does not work (Proxied or even just DNS).
Any help will be appreciated.

Your ks record is working. The 404 is because you are trying to reach ks.shlomic.work on the server for www.example.com. Since they don’t host your hostname, they are saying “not found”.

Note that a CNAME is not a redirect, it just points at the IP address (in this case, the IP address of www.example.com).

dig +short ks.shlomic.work
www.example.com.
93.184.216.34

If you want to redirect ks to something, let us know and we can explain how.


Hi
I’m trying to proxy (not redirect) www.example.com. What do you mean they don’t have ks? I’m not expecting them to; I’m expecting CF to proxy this website at my address, which is ks.shlomic.work.

What am I missing here?

To be more accurate, I’m trying to implement what has been said here by Stape.
https://stape.io/solutions/own-cdn

If you expect to show the content of [random third party website] just because you CNAME to it, then that’s what you are missing. That is not what “proxy” means.

You can only CNAME to another hostname, and have it succeed if the server is configured to answer for the hostname entered (in this case ks.shlomic.work) and, if using Cloudflare, either:

  • the target is in the same account, or external to Cloudflare
    or
  • the target is a Cloudflare customer using Cloudflare for SaaS

That is exactly what proxy means (at least in the world outside Cloudflare).
I used to do that all the time in AWS CloudFront; it takes me a minute to set up.
But here I’m struggling.
Did you have a chance to look at the Stape documentation I sent? Pretty simple steps that are supposed to proxy (mask) the original domain with my own domain.
This is all I need.

https://en.wikipedia.org/wiki/Proxy_server

Yes, and it shows that they know the incoming hostname…

Thank you @sjr for trying to help here.
It’s probably been a long time since I worked with network components like a reverse proxy, which works like you said.
I guess this sentence clears it up:

The use of “reverse” originates in its counterpart “forward proxy” since the reverse proxy sits closer to the web server and serves only a restricted set of websites.

So my guess is I need a simple proxy like the one I did with NGINX, like this:

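location /track {
    # Forward /track to the local backend. With proxy_pass, nginx sends
    # Host: $proxy_host (the upstream's name) unless a Host header is set explicitly.
    proxy_pass https://host.docker.internal:8090/;
    # Pass the client address chain and the originally requested hostname upstream.
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Host $host;
}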

To be honest, this whole CDN concept, which separates the hosting from the DNS, is very confusing, and to be honest I don’t understand it.

According to Wikipedia the proxy and web server sit in the same network; when a hosting company is involved, how is this possible?

It’s not.

Why Stape is returning a 404 is a question for them. That’s the response their origin server is returning to the request for https://ks.shlomic.work


I think it’s getting clearer for me now. If I run this curl command I get the same response CF returns, meaning the only issue here is the Host name header.
Basically when this is done with Nginx this happens automatically; here for some “odd” reason it’s not, because the Host header is for paying customers only:

curl -v https://www.example.com -H "Host:shlomic.com"

example.com is not using Cloudflare. exmaple.com does. Not that it’s relevant as this is nothing to do with Cloudflare.

When you request a name that has a CNAME record, the host that you requested is passed in the header to the IP address of the target, it does not change the hostname header to that in the CNAME target. This is DNS only, not HTTP. Your curl request is doing the same thing as if you requested shlomic.work in your browser and had a CNAME for it pointing to www.example.com.

If the host server at the IP address for www.example.com is set to answer for the hostname passed in the header, then it will respond with a page. Otherwise it will return an error, depending on the configuration.

None of this is Cloudflare specific, it is just DNS and HTTP protocol basics.

If you want to “masquerade” one of your own domains this way, you can do it (subject to the cross-account Cloudflare CNAME restriction), but you need to configure your origin with the hostnames it will respond to.

Some DNS providers did (may still do) offer a domain masquerading option, but that used an iframe to load the target site inside a page on the requested domain.

Thanks again for the detailed answer.

  1. I was able to achieve what I wanted with a worker thanks to this: https://posthog.com/docs/advanced/proxy/cloudflare

  2. In AWS CloudFront, I do that without even thinking about it; this is why I was struggling. We used to masquerade all our 3rd party vendors’ domains under our own domain.

  3. Regarding iframe domain load: I don’t see this as something wrong. After all, the domain owner set this up himself, so what’s the issue with this?

  4. You say it’s DNS and not HTTP, but when the Site menu has Page Rules (which are HTTP level) this confuses the newbie user. So basically CF is a DNS proxy and not an HTTP proxy, did I get you right?

Here is exactly the same question; the final answer says it all:
if you are not an ENT customer you cannot change the Host header, for security reasons.
Like ENT customers would not break the law?
https://community.cloudflare.com/t/cloudflare-doesnt-use-a-host-header-when-pointing-subdomain-through-cname/24635/4?u=shlomi.cohen

It allows you to wrap your website name around anyone’s content.

No, Cloudflare’s DNS does DNS. If you enable the proxy option for the DNS, then the request is routed to Cloudflare (using DNS) and then Cloudflare can receive the HTTP request and act on it as you configure (such as in Page Rules, or Workers, or WAF, or DDoS protection) before passing the query on to the origin.

But as you started, a CNAME on its own does not do all that.

Look at the “Cloudflare Fundamentals” page already posted to understand how all the parts work…

To change the host header, Cloudflare needs to handle the HTTP request. This requires the DNS record to be proxied. Again, it is not done by DNS itself.

Changing the host header is not enabled in rules and workers (for the reasons already stated) apart from Enterprise plan users who are essentially trusted not to do bad things. Enterprise users (such as myself) are known to Cloudflare (unlike other plans) since to even get one you have to interact with the Cloudflare sales channel and pay a large monthly fee.
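
The two points made in the replies above (a CNAME only changes which IP address is contacted while the Host header stays as requested, and changing the Host header requires something that handles the HTTP request) can be reproduced locally. This is an added example, not part of the thread: the hostnames origin.example and alias.example and all function and class names are constructed, and both servers run on 127.0.0.1.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

ORIGIN_NAME = "origin.example"  # constructed: the only hostname the origin serves
ALIAS_NAME = "alias.example"    # constructed: your hostname, CNAMEd to the origin

def fetch(port, host_header, path="/"):
    """Connect to 127.0.0.1:port (the 'resolved IP') but send host_header as Host."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request("GET", path, headers={"Host": host_header})
    resp = conn.getresponse()
    status, body = resp.status, resp.read()
    conn.close()
    return status, body

class Base(BaseHTTPRequestHandler):
    def log_message(self, *args): pass  # keep the demo quiet
    def reply(self, status, body):
        self.send_response(status)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

class Origin(Base):
    """Name-based virtual hosting: 404 for any Host it is not configured for."""
    def do_GET(self):
        host = (self.headers.get("Host") or "").split(":")[0].lower()
        known = host == ORIGIN_NAME
        self.reply(200 if known else 404, b"origin content" if known else b"unknown host")

class Proxy(Base):  # reverse proxy: terminates HTTP, rewrites Host, then forwards
    origin_port = None  # filled in by demo()
    def do_GET(self):
        self.reply(*fetch(self.origin_port, ORIGIN_NAME, self.path))

def start(handler):
    server = ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server

def demo():
    Proxy.origin_port = origin_port = start(Origin).server_port
    proxy_port = start(Proxy).server_port
    return (fetch(origin_port, ALIAS_NAME)[0],   # CNAME case: same IP, Host=alias
            fetch(origin_port, ORIGIN_NAME)[0],  # Host the origin is configured for
            fetch(proxy_port, ALIAS_NAME)[0])    # alias via the Host-rewriting proxy

if __name__ == "__main__":
    print(demo())
```

The first status corresponds to the 404 in the original question; the third is what an HTTP-level component in front of an origin you control achieves by rewriting Host.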
