By cody
Hi there, I have two apps hosted in App Platform, a frontend static app, and an API. I have created a droplet with nginx set with proxy_pass for the / and /api paths, pointed at the App Platform apps. I can visit the DigitalOcean-provided URLs for both apps successfully, but when I try to access them through my nginx proxy, I am getting a 403 from Cloudflare.
My nginx config:

server {
    server_name dev.experivise.com;
    index index.html;

    location / {
        proxy_pass https://experivise-web-mjiua.ondigitalocean.app;
        #proxy_set_header X-Real-IP $remote_addr;
        #proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        #proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Host $host;
        proxy_read_timeout 1m;
    }

    location /api {
        proxy_pass https://experivise-api-fyfnm.ondigitalocean.app;
        #proxy_set_header X-Real-IP $remote_addr;
        #proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        #proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Host $host;
        proxy_read_timeout 1m;
    }

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/dev.experivise.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/dev.experivise.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}

server {
    if ($host = dev.experivise.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    listen 80;
    server_name dev.experivise.com;
    return 404; # managed by Certbot
}
If you look up these addresses with dig or drill, you will see that they all resolve correctly on the internet. When visiting dev.experivise.com, I get the 403 from Cloudflare, and this error in my nginx error log:
2022/06/17 06:06:48 [error] 2601#2601: *1 connect() to [2606:4700::6810:f44e]:443 failed (101: Network is unreachable) while connecting to upstream, client: *****, server: dev.experivise.com, request: "GET /index.htm HTTP/1.1", upstream: "https://[2606:4700::6810:f44e]:443/index.htm", host: "dev.experivise.com"
Any help provided would be greatly appreciated. I am not using Cloudflare directly, only my nginx droplet and the App Platform apps. The nginx proxy seems to pass the connections through without an issue, but Cloudflare gives me a 403.
Thanks!
Heya, @codyshark
That 403 is happening because your proxy is sending the wrong Host/SNI to the upstream.
Right now, you’re doing proxy_set_header Host $host; which makes the request to *.ondigitalocean.app go upstream with Host: dev.experivise.com. Cloudflare (in front of App Platform’s ondigitalocean.app domain) will often reject that with a 403 because it doesn’t match what it expects for that hostname.
Also, your error log shows NGINX trying an IPv6 Cloudflare address (2606:4700::…) and your Droplet doesn’t have IPv6 routing enabled, so the upstream connect fails.
A working pattern is: set Host to the upstream app domain, enable SSL SNI, and tell NGINX not to use IPv6 for DNS resolving.
Example:
resolver 1.1.1.1 8.8.8.8 ipv6=off;

server {
    server_name dev.experivise.com;

    location / {
        proxy_pass https://experivise-web-mjiua.ondigitalocean.app;
        proxy_set_header Host experivise-web-mjiua.ondigitalocean.app;
        proxy_ssl_server_name on;
    }

    location /api/ {
        proxy_pass https://experivise-api-fyfnm.ondigitalocean.app/;
        proxy_set_header Host experivise-api-fyfnm.ondigitalocean.app;
        proxy_ssl_server_name on;
    }

    listen 443 ssl;
    # certbot stuff...
}
After that, nginx -t && systemctl reload nginx. This usually fixes both the Cloudflare 403 (host mismatch) and the “connect() … Network is unreachable” (IPv6 upstream) in one go.
Hope that this helps!
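A small offline check for the two upstream-TLS mistakes discussed in this thread (an explicit Host header that names the proxy instead of the upstream, and SNI left off) plus the resolver setting. This is an added example, not code from either post or from DigitalOcean; the two config strings and the hostnames in them (dev.example.test, web-app.ondigitalocean.app, api-app.ondigitalocean.app) are constructed, and the parser only models plain prefix locations. One caveat on the resolver part: nginx's resolver directive governs names nginx resolves at runtime (proxy_pass through a variable), while a literal hostname in proxy_pass is resolved once at startup through the system resolver, so the ipv6=off check below covers the runtime path only.

```python
import re

# Constructed sample configs (not the thread's files verbatim): the first
# reproduces the failing pattern from the question, the second the suggested fix.
BROKEN_CONF = """
server {
    server_name dev.example.test;
    location / {
        proxy_pass https://web-app.ondigitalocean.app;
        proxy_set_header Host $host;   # names the proxy, not the upstream
    }
    location /api {
        proxy_pass https://api-app.ondigitalocean.app;
        proxy_set_header Host $host;
    }
    listen 443 ssl;
}
"""

FIXED_CONF = """
resolver 1.1.1.1 8.8.8.8 ipv6=off;
server {
    server_name dev.example.test;
    location / {
        proxy_pass https://web-app.ondigitalocean.app;
        proxy_set_header Host web-app.ondigitalocean.app;
        proxy_ssl_server_name on;
    }
    location /api/ {
        proxy_pass https://api-app.ondigitalocean.app/;
        proxy_set_header Host api-app.ondigitalocean.app;
        proxy_ssl_server_name on;
    }
    listen 443 ssl;
}
"""


def strip_comments(conf: str) -> str:
    """Drop '#' comments so commented-out directives are not read as live ones."""
    return "\n".join(line.split("#", 1)[0] for line in conf.splitlines())


def location_blocks(conf: str) -> list[tuple[str, str]]:
    """Return (path, body) for each location block, matching nested braces.
    Only plain prefix locations are modelled; regex locations are out of scope."""
    text = strip_comments(conf)
    blocks = []
    for m in re.finditer(r"\blocation\s+(\S+)\s*\{", text):
        depth, i = 1, m.end()
        while depth and i < len(text):
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        blocks.append((m.group(1), text[m.end():i - 1]))
    return blocks


def check_location(path: str, body: str) -> list[str]:
    """Flag a Host header that differs from the TLS upstream, and missing SNI."""
    findings = []
    pp = re.search(r"proxy_pass\s+(https?)://([^/;\s]+)", body)
    if not pp or pp.group(1) != "https":
        return findings  # no TLS upstream in this block, nothing to check
    upstream = pp.group(2)
    host = re.search(r"proxy_set_header\s+Host\s+([^;]+);", body)
    if host and host.group(1).strip() != upstream:
        # nginx's default is $proxy_host (the upstream name); an explicit Host
        # that differs from it is what provokes the edge 403 in the question
        findings.append(f"{path}: Host header is {host.group(1).strip()!r} "
                        f"but upstream is {upstream!r}")
    if not re.search(r"proxy_ssl_server_name\s+on\s*;", body):
        findings.append(f"{path}: proxy_ssl_server_name is not on, "
                        f"so no SNI is sent to {upstream!r}")
    return findings


def check_resolver(conf: str) -> list[str]:
    """Report whether runtime DNS lookups are restricted to IPv4."""
    m = re.search(r"\bresolver\s+([^;]*);", strip_comments(conf))
    if not m:
        return ["no resolver directive (runtime lookups have no ipv6=off guard)"]
    if "ipv6=off" not in m.group(1):
        return ["resolver lacks ipv6=off; AAAA answers may be tried "
                "on a host without IPv6 routing"]
    return []


def check_config(conf: str) -> list[str]:
    """All findings for one config text, empty list when nothing is flagged."""
    findings = check_resolver(conf)
    for path, body in location_blocks(conf):
        findings.extend(check_location(path, body))
    return findings


if __name__ == "__main__":
    for name, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        print(f"{name}: {check_config(conf) or ['OK']}")
```

Run it against a real file with `check_config(open("/etc/nginx/sites-enabled/default").read())` before `nginx -t`; the broken sample yields five findings (no resolver, and a Host plus SNI finding for each of the two locations), the fixed sample none.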