Unable to reach the origin service on HTTP

Zero Trust Cloudflare Tunnel
1

My cloudflared host is able to reach my http endpoint when I test it with cURL. However when I try to access the public URL brein.munibshah.com I get following error

“Unable to reach the origin service. The service may be down or it may not be responding to traffic from cloudflared”

My config file has the following settings:

ingress:

  • hostname: brein.munibshah.com
    service: http://192.168.1.210:9880
  • service: http_status:404
    warp-routing:
    enabled: true

I ran a packet capture on my cloudflared host and I can see full TCP handshake between the agent and the server. Not sure if I am missing something basic.

Screenshot 2022-11-20 at 12.40.29 AM
Screenshot 2022-11-20 at 12.40.29 AM2302×480 260 KB

2

What do the cloudflared logs report?

3

One other thing you can check is replicate the request cloudflared is making. From the same server where cloudflared is running, run something like:

curl http://brein.munibshah.com --connect-to::192.168.1.210:9880 --verbose

What do you see there? If it succeeds, check the cloudflared logs as @Cyb3r-Jak3 mentions for further information.

4

curl reports this:

Screenshot 2022-11-21 at 11.11.40 PM
Screenshot 2022-11-21 at 11.11.40 PM1202×990 170 KB

5

Cloudflared logs:

Screenshot 2022-11-21 at 11.15.20 PM
Screenshot 2022-11-21 at 11.15.20 PM2992×274 153 KB

6

I notice your origin returns a 200 if you use cURL to the public hostname:

  ~ curl https://brein.munibshah.com/ -svo /dev/null 2>&1 | grep "< HTTP"
< HTTP/2 200

But if you copy a request from the browser (e.g. Chrome), your origin is failing, causing us to return the 502:

➜  ~ curl 'https://brein.munibshah.com/' \
  -H 'authority: brein.munibshah.com' \
  -H 'accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9' \
  -H 'accept-language: en-GB,en;q=0.9' \
  -H 'sec-ch-ua: "Google Chrome";v="107", "Chromium";v="107", "Not=A?Brand";v="24"' \
  -H 'sec-ch-ua-mobile: ?0' \
  -H 'sec-ch-ua-platform: "macOS"' \
  -H 'sec-fetch-dest: document' \
  -H 'sec-fetch-mode: navigate' \
  -H 'sec-fetch-site: none' \
  -H 'sec-fetch-user: ?1' \
  -H 'upgrade-insecure-requests: 1' \
  -H 'user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36' \
  --compressed -svo /dev/null 2>&1 | grep "< HTTP"
< HTTP/2 502

Thus, I think your origin isn’t handling requests correctly when headers like a normal browser sets are sent to it. The best thing to do here would be to check your origin server’s logs and configuration to understand why it is failing on these types of requests.

1 Like
7

Thank you Simon, the origin server is a Hikvision DVR. It works on the browser when I try to access it on the local network using an IP address. So I am not sure if it is a header or property which cloudflared adds that the origin server does not like

8

Got it - so you’d need to speak to the company who maintain this server to understand what specifically they do not like about the HTTP request.