Tunnel 403 Error

I’ve been trying to make Cloudflare Tunnel work on my home network for a while now but no matter what I do all I get is a plain white page that says

403 Forbidden
cloudflare-nginx

As far as I can tell, cloudflared is installed correctly (CentOS 7 x64) and shows up healthy in my dashboard. I also have access working correctly, as it doesn’t give me the 403 until after I log in. I feel like I’ve been through every possible screen, turned off and on firewall settings and whatnot. There’s no firewall between the tunnel server and the box running the service I want to make accessible. And I can’t find anything in the logs (either on my cloudflared box or in the Zero Trust dashboard). I would greatly appreciate any ideas/suggestions on things to check/double-check. Thanks in advance!

Hi there,

This sounds odd!

Are you able to share the domain that reproduces the problem, and/or Ray IDs (cf-ray header) of reproducing requests?

Hi,

The domain is chrisadmin DOT com (sorry, I guess I haven’t been around long enough to be allowed to post links) and the ray headers for two different applications are:

cf-ray: 7a54b14cc90e43ee-EWR
cf-ray: 7a54b34ec8ab3342-EWR

Thanks,
Chris M

I also get this error.

The same cloudflared configuration was working fine a few months ago. But after cloudflared updates a few months ago I am getting this error as well.

All I see is people saying that it isn’t generated by cloudflared, but it sure is affected by cloudflared.

We’ve also been seeing 403 errors across the board in our org since Thursday of last week for Access Applications, when everything was running just fine prior. We have an urgent ticket in, but haven’t heard any updates since.

Oddly, it seems to only affect Chrome and Safari: Firefox functions as expected and without issue.

Same here, I have a previously running tunnel which failed once I updated the ingress rules. I tried:

  • re-creating the whole thing
  • changing protocol (http2, quic, etc)
  • lowering
  • enabling caching dev mode
  • setting Security Level to Essentially Off
  • disabling Browser Integrity Check
  • adding an “everyone/bypass” access rule
  • rolling back the version down to 2022.10.x

The tunnel is used inside a kubernetes cluster so I also tried:

  • routing directly to the pod
  • routing to the service (non tls)
  • routing to ingress controller with internal tls (no verify)
  • routing to ingress controller with cloudflared origin tls

Enabling debug / trace logs doesn’t give much more info, the request just never seems to get to the cloudflared process.

I can’t get any extra info with the cf-ray (there are no event logs in the Security => Events view or in the “argo control panel”). So I really can’t figure out where the 403 comes from.

Good thing this is just for self-hosted, wouldn’t want this to happen on a production server.

So, a little update, if that changes anything: I’ve “solved” my problem by using another zone / domain I own. I went through all my zone settings to make sure what’s the difference and I can’t figure out what’s the issue yet…