Setting Up Segment Analytics CDN Proxy (403 Error)

I am trying to set up a Segment analytics proxy via Cloudflare to serve assets and accept API requests from my own domain. E.g.

Segment’s analytics assets would be served from:
cdn.segment.com → segment-cdn.mydomain.com

Segment API calls would be received through:
api.segment.io/v1 → segment-api.mydomain.com

There is a guide for AWS CloudFront that uses a distribution in order to proxy requests: Set up a custom domain proxy for Analytics.js | Segment Documentation

I am trying to proxy requests via Cloudflare, and I am receiving a 403 error if I just try and create a CNAME DNS record for segment-cdn pointing to cdn.segment.com. I am using the orange cloud to proxy requests and hopefully cache responses to serve via Cloudflare’s global CDN. Am I misunderstanding anything here, and how do I get over the 403 error? Segment’s customer support says that they do not do any configuration on their end to allow this; it just works.

Any ideas?

I’m experiencing this as well with the exact same setup. Segment had some suggestions to remediate if we were using CloudFront such as:

  1. Cache based on selected request headers: None
  2. Origin request policy: None

Obviously these are not applicable to Cloudflare. I’m not seeing any configuration settings that can be adjusted though.

The problem is that the host header is incorrect when the request reaches cdn.segment.com. According to this doc it should be possible to rewrite the host header with a page rule, but the option is not there anymore:

https://support.cloudflare.com/hc/en-us/articles/206652947-Using-Page-Rules-to-rewrite-Host-Headers

Also looked at HTTP request transform to properly set the host header, but an error is thrown when attempting to save it saying that the host header cannot be set.

The page rule host header change is only available to enterprise customers…

In what way is the Host header wrong?

The Host header will (and should) contain the domain name of the website that you hit to get to that origin.

It’s locked behind Enterprise since, as you can imagine, it would be a very easily abuse-able option.
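
The mechanism discussed in this thread, as an added example that is not part of any post: a local stand-in origin that, by assumption, answers only for `cdn.segment.com` and returns 403 for any other Host, queried once with the hostname a proxied CNAME forwards and once with the origin's own name. The handler, allow-list and function names are constructed for illustration and are not Segment's or Cloudflare's code.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Assumption: the origin serves only hostnames it is configured for and
# answers 403 for anything else (name-based virtual hosting).
ORIGIN_HOSTS = {"cdn.segment.com"}

class OriginHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        # Strip an optional :port before comparing the Host header.
        host = (self.headers.get("Host") or "").split(":")[0].lower()
        status = 200 if host in ORIGIN_HOSTS else 403
        body = f"{status} for Host={host}\n".encode()
        self.send_response(status)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass

def fetch_status(port, host_header, path="/"):
    """Connect to the local stand-in origin and send the given Host header."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    try:
        conn.putrequest("GET", path, skip_host=True)  # we set Host ourselves
        conn.putheader("Host", host_header)
        conn.endheaders()
        resp = conn.getresponse()
        resp.read()
        return resp.status
    finally:
        conn.close()

def run_demo():
    server = ThreadingHTTPServer(("127.0.0.1", 0), OriginHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    port = server.server_address[1]
    try:
        # First entry: the visitor's hostname, as a CNAME + proxy forwards it.
        # Second entry: the hostname the origin is configured to serve.
        names = ("segment-cdn.mydomain.com", "cdn.segment.com")
        return {name: fetch_status(port, name) for name in names}
    finally:
        server.shutdown()
        server.server_close()

if __name__ == "__main__":
    print(run_demo())
```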
