Shopify or any Cloudflare protected sites with Nginx / Openresty reverse proxy

I would like to build a reverse proxy with OpenResty (Nginx) for my Shopify website, but after I set up the .conf file in OpenResty and launched the server, it showed a 403 error from Cloudflare. Please let me know how to solve it. Thanks.

The flow : Client > Reverse Proxy > Cloudflare > Real Site

The following is my conf.

location ~ ^/  {
    # proxy_connect_timeout       10;
    # proxy_send_timeout          30;
    # proxy_read_timeout          30;
    proxy_set_header Host;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header X-Real-IP  $remote_addr;

    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Connection "upgrade";
    proxy_read_timeout 86400;
    proxy_redirect off;

    proxy_pass        $request_uri;
# log_format upstream_logging '[$time_local] $remote_addr - $remote_user - $server_name to: $upstream_addr: $request upstream_response_time $upstream_response_time msec $msec request_time $request_time';

# shopify urls
# ------------
location ~ ^/(collections|cart|products|shopify|pages|blogs|checkout|admin)/? {
    proxy_set_header Host;
    client_max_body_size    10m;
    client_body_buffer_size     128k;
    proxy_connect_timeout 90;

Are you absolutely sure that error comes from Cloudflare and not your server?
If so, check your Cloudflare firewall event log.

Did you make sure you set your security level to the minimum? That might be necessary as all requests will come from your proxy and Cloudflare might consider it an attack otherwise.

Overall, however, I would not recommend setting up a configuration like the one you’d like.

Yes, I confirm the error is from Cloudflare since the error message clearly states the brand name at the end.

And what does the log say? There is a chance, however, that this 403 is sent because your proxy does not forward the correct headers, in which case that 403 wouldn’t be specific to your site but a generic 403.

But again, I would not recommend that setup.

Thanks, may I know where I can get the references for setting the correct headers?

There won’t be such a reference. It mostly comes down to the Host header, but basically it should be identical to what your browser sends.

You’ll likely need to remove the Cloudflare related headers since you are forwarding your request to a site using Cloudflare. However, a quick glance at your configuration and it appears you’d be sending the exact same URL to Cloudflare so that would just introduce a loop even without the headers I’d imagine.

From the OP’s description Cloudflare would point to the actual site, just like in a regular scenario. The issue seems to be with the proxy in front of Cloudflare.

Unless Shopify has provided him with the true origin IP and is allowing traffic from his personal proxy’s IP, and he’s configured his proxy’s DNS to use that IP, then it’s going through Cloudflare. I’m not aware that Shopify provides that or supports that configuration, but that’s a Shopify question, I suppose.

I am not sure where Shopify comes in here. My understanding is Cloudflare returns a 403 upon the request which is returned to his own proxy and then proxied on to the actual client. My guess would be this is because of some incorrect headers on his proxy’s side (Host?).

The main question is, does it work without his proxy? @ngkongsum, what’s the domain in question?

Actually, how should your setup work at all? For the site to work the domain has to point to Cloudflare, where it can either point to the proxies or to the origin. Anything else would not work. Where and how would your proxy come in, @ngkongsum?

Once again, my advice is to drop that proxy.
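
The header handling discussed in the replies above (an explicit Host value, and Cloudflare headers stripped), as an added example that is not from any poster in the thread. `proxy.example.net`, `shop.example.com` and the CA bundle path are placeholder assumptions, and the thread does not establish that Cloudflare or Shopify will accept traffic relayed this way.

```nginx
# Added example; hostnames and file paths are placeholders, not values from the thread.
# Place inside the http {} context.

# Only send "Connection: upgrade" when the client actually asked for an upgrade.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

server {
    listen 80;
    # The proxy's own name. It must differ from the upstream hostname,
    # otherwise the proxy forwards requests back to itself in a loop.
    server_name proxy.example.net;

    location / {
        # Fixed upstream with no URI part: nginx passes the client's
        # original request URI through unchanged.
        proxy_pass https://shop.example.com;

        # Host and TLS SNI must both name the site as Cloudflare knows it.
        proxy_set_header Host shop.example.com;
        proxy_ssl_server_name on;
        proxy_ssl_name shop.example.com;

        # Verify the upstream certificate (CA bundle path is an assumption).
        proxy_ssl_verify on;
        proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;

        # An empty value removes the header from the upstream request.
        # These only arrive if the request already crossed Cloudflare once.
        proxy_set_header CF-Connecting-IP "";
        proxy_set_header CF-Ray "";
        proxy_set_header CF-Visitor "";
        proxy_set_header CF-IPCountry "";
        proxy_set_header CDN-Loop "";

        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_redirect off;
    }
}
```

Compared with the posted configuration, `proxy_set_header Host` has a value and `proxy_pass` names a scheme and host rather than only `$request_uri`.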

