Using nginx reverse proxy to access a Cloudflare-protected website

#1

Hello!
I have a private server with a static IP running nginx, which acts as a reverse proxy for a website that I do not own. (Note: I have permission from the site’s owners to do this.) The purpose of this reverse proxy is to provide me an easy way to access this site from the server’s private IP address, particularly on systems and devices where I wouldn’t be able to perform any advanced configuration; since it’s a reverse proxy, all I need is a web browser and the reverse proxy’s URL. No one else uses the reverse proxy other than me.

This website uses Cloudflare DDoS protection. Up until recently I had no issues accessing the site, but now it’s started to show Cloudflare’s “Checking your browser before accessing…” page, and when I access the page from my reverse proxy it fails the check and gets into an endless loop of redirections. I’m still relatively new to nginx but I’m wondering if there’s anything I can do to allow my reverse proxy to pass Cloudflare’s check so that I can continue accessing the site this way.

Here is the relevant part of the nginx server configuration in case it helps, with any private information redacted:

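server {
    listen XYZ;

    location / {
        # Send a fixed Referer upstream instead of the browser's own
        proxy_set_header Referer "https://target.website";
        proxy_pass https://target.website/;
        # Rewrite Location headers in upstream redirects to point back at this proxy
        proxy_redirect https://target.website https://$host:$server_port;
        # An empty value drops Accept-Encoding, so bodies arrive uncompressed for sub_filter
        proxy_set_header Accept-Encoding "";
        sub_filter_once off;
        # Replace upstream URLs in response bodies with this proxy's address
        sub_filter 'https://$proxy_host' 'https://$host:$server_port';
    }
}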

Any help would be greatly appreciated!

0 Likes

#2

Your reverse proxy is sending requests on behalf of many other users. From the CF side this is like an automated attack if your proxy sends more than a threshold number of requests (you didn’t have a problem before because there were a few requests).

Solution: You need to whitelist your Reverse proxy IP address in CF panel.

0 Likes

#3

I should have mentioned in my original post (and have edited it to mention) that I am the only one using the reverse proxy, so it’s not sending any more requests to this website than would be typical of a single visitor.

Unfortunately I asked the site’s admins if they would be able to whitelist my server’s IP address in their Cloudflare settings, and they said they weren’t able to do that. So I’m hoping there’s another solution I can use in the reverse proxy itself.

0 Likes

#4

It doesn’t matter. Anyway, your server is sending too many requests and CF recognized your requests as suspicious and is asking you (your reverse proxy) to prove that you are a legitimate user (Browser integrity check). You need to ask the website owner to disable it or whitelist your IP.

0 Likes

#5

As I mentioned, whitelisting my IP is unfortunately not possible.

Is there any way at all to pass the browser integrity check while using the reverse proxy? I’m still accessing the website in a web browser and executing its scripts in that context.

0 Likes

#6

Chrome WebDriver + Selenium or other ways of mimicking a real browser. Even if you can bypass the check, it needs too many resources and is worthless in the case of a reverse proxy (it works like PoW in Bitcoin).

0 Likes

#7

I don’t understand how browser automation tools would help here. I’m accessing this site with a real browser. I’m just doing it through the reverse proxy. I can see how something like Selenium would help if I were trying to write a script or bot to access this site but that’s not what I’m doing. I just want to be able to access it normally through a web browser, but do so through the web proxy so that I’m accessing the site through a single static IP.

0 Likes

#8

This means (from CF’s point of view) you are not making the request. It is the reverse proxy that makes the request to the CF network, and in your case CF has recognized your reverse proxy as a bad browser since it cannot pass the JavaScript challenge.

No matter what browser you make the request from, as long as the reverse proxy is in the middle of the request, to CF the reverse proxy is the client, which in your case is not a real browser.

Q.E.D

0 Likes
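The point made in post #8, as an added example that is not part of the original thread: two local servers stand in for the protected site's edge and for the nginx proxy from post #1, and the output shows that the edge's TCP peer is the proxy's outbound socket and that it receives the proxy's rewritten headers. The class and function names, the 127.0.0.1 listeners and the browser headers are all constructed for illustration.

```python
import http.client, http.server, threading

seen = {}  # observations recorded by the handlers below

class Quiet(http.server.BaseHTTPRequestHandler):
    def log_message(self, *args):  # silence per-request logging
        pass
    def reply(self, body):
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

class Upstream(Quiet):  # hypothetical stand-in for the edge in front of target.website
    def do_GET(self):
        seen["edge_peer"] = self.client_address  # who the edge thinks the client is
        seen["edge_headers"] = {k.lower(): v for k, v in self.headers.items()}
        self.reply(b"ok")

class Proxy(Quiet):  # mimics the header handling of the location / block in post #1
    upstream_port = None
    def do_GET(self):
        up = http.client.HTTPConnection("127.0.0.1", self.upstream_port)
        up.putrequest("GET", self.path, skip_accept_encoding=True)  # Host = upstream
        for name, value in self.headers.items():
            if name.lower() not in ("host", "connection", "referer", "accept-encoding"):
                up.putheader(name, value)  # other browser headers pass through
        up.putheader("Referer", "https://target.website")  # proxy_set_header Referer
        up.endheaders()  # Accept-Encoding "" in nginx means the header is not sent
        seen["proxy_out"] = up.sock.getsockname()  # the proxy's own outbound socket
        self.reply(up.getresponse().read())

def serve(handler):
    srv = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv

def run_demo():
    edge, proxy = serve(Upstream), serve(Proxy)
    Proxy.upstream_port = edge.server_address[1]
    browser = http.client.HTTPConnection("127.0.0.1", proxy.server_address[1])
    browser.request("GET", "/", headers={"User-Agent": "constructed-browser/1.0",
        "Referer": "https://proxy.example/page", "Accept-Encoding": "gzip"})
    seen["browser_sock"] = browser.sock.getsockname()  # never visible to the edge
    browser.getresponse().read()
    edge.shutdown(); proxy.shutdown()
    return dict(seen)

if __name__ == "__main__":
    print(run_demo())
```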

archived #9
0 Likes

closed #10
0 Likes