Server Behind NAT Can't Be Accessed with Cloudflare Proxy Enabled?

I have a server that serves multiple websites. The server is behind NAT, so I set up port forwarding on the gateway. It worked fine until I set up Cloudflare and proxied the DNS records for this public IP.

I’m not sure how to address this issue. Can anyone shed some light on it?

NAT is usually used to forward TCP/UDP packets; while HTTP is built on top of TCP, it is likely to give issues, especially if SSL is used.
If you need to forward HTTP connections, use proper software such as NGINX or HAProxy.

Which port have you exposed on the outside (on the public IP side)? Internally no one actually cares.

No it’s not. There may be security implications if you decrypt the traffic and pass it unencrypted over the local network, though.

PS: this post isn’t in the correct category; this one is for the Cloudflare Access product, which is different. You should move it to General or Setup.

1 Like

Thanks, I changed to General.

The ports opened to the public are 80 and 443, so I think that can’t be the root cause.

What’s more, if I set up a reverse proxy, the proxy will still sit behind the gateway, so I think it won’t solve the problem.

Yeah, that should work. If the public IP is IPv4, do you have firewall, port forwarding and DNS entry in Cloudflare all to that IP (and the same if it’s IPv6)? No rate limits, or blocks? The public port 80 goes to the HTTP port at the web server and port 443 goes to the HTTPS port? Do you have redirects from one to the other in the web server? What error does Cloudflare show?

That won’t solve anything, yeah.

I got:

The page isn’t redirecting properly

An error occurred during a connection to xxx.com

    This problem can sometimes be caused by disabling or refusing to accept cookies.

The firewall rule list on the server is empty. The server is using a valid SSL cert.

Both 443 and 80 are standard ports, so no port forwarding is needed on Cloudflare I believe.

Can you actually screenshot the page? Remove everything that you don’t want shared…

Ok, I booted a sandbox under Win10 to make sure I’m in a clean environment, and I’m having the same issue.

The server is running Synology DSM, I’ve also submitted a support ticket to them, hopefully they can assist me with the logs and find out the problem.

It’s pretty helpful to use the command line: curl -I https://example.com (your domain) and watch the redirects to see why. It’ll show you a 301, then a “Location”, so I try another curl with the new location, and so on until I see what the redirect loop is.

No, that doesn’t help:

$ curl -I https://trouble.com
HTTP/2 301
date: Thu, 05 Aug 2021 03:57:24 GMT
content-type: text/html
location: https://trouble.com/
cf-cache-status: DYNAMIC
expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
report-to: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=v7hc9ScavqFloDt5UQjEGW0%2B1%2F6e%2BGorl1M8%2FVYSZUC7GCh%2BP23mOyw2q4gEqs%2BCwHEktyd45rBEqraijEgQZjJEvJLSxA0o%2FZ%2Fit4JpllpRTIllIMGKNcVwIkPRrrvpSw%3D%3D"}],"group":"cf-nel","max_age":604800}
nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
server: cloudflare
cf-ray: 679d19e43c43ee9a-AKL
alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400, h3=":443"; ma=86400

$ curl https://trouble.com
<html>
<head><title>301 Moved Permanently</title></head>
<body>
<center><h1>301 Moved Permanently</h1></center>
<hr><center>nginx</center>
</body>
</html>
1 Like

That was quite informative. It redirects to itself, but with a slash at the end. So now you need to curl -I to what it says in the “location” header (which has a slash at the end).

curl -I https://trouble.com/

It’s returning the same result:

$ curl -I https://trouble.com/
HTTP/2 301
date: Thu, 05 Aug 2021 10:00:18 GMT
content-type: text/html
location: https://trouble.com/
cf-cache-status: DYNAMIC
expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
report-to: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=1MpZ6CI95ORzYG4EZ8JGKSk0XSz3aSOu2G8nUfkyF%2FqGVlY%2BTmHZUkYVOQ8QSGEuMHN1fODRxBPMebpnjhlGKyrcrAn%2Fj2ltML0JcO0EhYGyfwUYyDAYnRiidoZNAHBYtQ%3D%3D"}],"group":"cf-nel","max_age":604800}
nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
server: cloudflare
cf-ray: 679f2d7c4fc7ee9e-AKL
alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400, h3=":443"; ma=86400
1 Like

Ok, so it’s established that it redirects exactly to itself.

What’s your SSL setting in the Cloudflare dashboard? It should be Full (Strict).

1 Like

I’m using Flexible at the moment, but I already tried other options.


With that out of the way, I am pretty sure your domain is redirecting to HTTPS, which will never work as you are technically already on HTTPS. Can you try setting Full and, ideally if you have (or can get) a valid certificate on the server, Full (Strict)? Redirects on the server should be mostly disabled with Cloudflare.

2 Likes
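The redirect-chasing technique from the curl -I post above and the Flexible-mode explanation in this reply can be put together in a small model. The following is an added example, not code from the thread or from Cloudflare: it parses captured curl -I output, models an nginx origin that forces HTTPS, models the edge in Flexible, Full and Full (strict) modes, and follows Location headers until it either reaches a non-redirect or detects a loop. The origin behaviour, the mode names, and the 526 status for a rejected origin certificate are assumptions made for the model.

```python
"""Added example: trace a redirect chain and show why Cloudflare's Flexible
SSL mode loops against an origin that redirects plain HTTP to HTTPS."""
from urllib.parse import urlsplit

# Constructed sample, shaped like the thread's own `curl -I` output.
SAMPLE_HEAD = """HTTP/2 301
date: Thu, 05 Aug 2021 10:00:18 GMT
content-type: text/html
location: https://trouble.com/
cf-cache-status: DYNAMIC
server: cloudflare
"""

REDIRECT_CODES = {301, 302, 307, 308}


def parse_head(raw):
    """Parse `curl -I` output into (status_code, headers) with lower-cased names."""
    lines = raw.strip().splitlines()
    status = int(lines[0].split()[1])          # "HTTP/2 301" -> 301
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return status, headers


def origin_fetch(url, cert_valid=True):
    """Model (assumed) of an nginx origin that 301-redirects http:// to https://.
    Returns (status, headers, cert_valid) so the edge can judge the certificate."""
    parts = urlsplit(url)
    path = parts.path or "/"                   # nginx adds the trailing slash
    if parts.scheme == "http":
        return 301, {"location": f"https://{parts.netloc}{path}"}, cert_valid
    return 200, {}, cert_valid


def cloudflare_fetch(url, ssl_mode, cert_valid=True):
    """Model (assumed) of the edge's origin connection per dashboard SSL mode:
    flexible -> origin over http; full -> https, any cert; full_strict ->
    https, cert must validate (rejected cert modelled as a 526)."""
    parts = urlsplit(url)
    scheme = "http" if ssl_mode == "flexible" else "https"
    status, headers, valid = origin_fetch(f"{scheme}://{parts.netloc}{parts.path}", cert_valid)
    if ssl_mode == "full_strict" and not valid:
        return 526, {}
    return status, headers


def follow_redirects(start_url, fetch, max_hops=10):
    """Follow Location headers the way repeated `curl -I` does.
    Returns (final_status, chain of (url, status), looped)."""
    url, chain, seen = start_url, [], set()
    for _ in range(max_hops):
        status, headers = fetch(url)
        chain.append((url, status))
        if status not in REDIRECT_CODES:
            return status, chain, False
        nxt = headers.get("location")
        if nxt is None or nxt == url or nxt in seen:
            return status, chain, True         # redirects to itself: a loop
        seen.add(url)
        url = nxt
    return status, chain, True                 # hop budget exhausted: treat as loop


if __name__ == "__main__":
    for mode in ("flexible", "full", "full_strict"):
        status, chain, looped = follow_redirects(
            "https://trouble.com", lambda u, m=mode: cloudflare_fetch(u, m))
        print(f"{mode:12s} final={status} hops={len(chain)} loop={looped}")
```

In Flexible mode the edge always asks the origin for http://trouble.com, the origin answers 301 to https://trouble.com/, and the client sees the same URL come back forever; in Full or Full (strict) the edge asks over HTTPS and gets the 200 directly. The strict case is what the last reply is pointing at: Full still accepts an invalid origin certificate, so only Full (strict) closes that gap.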

The problem has been fixed. I installed a valid SSL certificate on the server side and restarted the web service, then enabled Full on Cloudflare.
Thank you all for the help.

Full is not sufficient. Please use Full (strict).

3 Likes
