Lanie

🚨 Help Needed: #CORS and #Cloudflare Access Issues with #Nextflux + #MiniFlux Setup 🚨

Hi everyone! I’m struggling with a #SelfHosted setup and could really use some advice from the self-hosting community. Lol I've been trying to figure this out for hours with no luck. Here’s my situation:

Setup

  • MiniFlux: Running in #Docker on a #RaspberryPi500 (#Stormux, based on #ArchLinuxARM).
  • Nextflux: Hosted on Cloudflare Pages.
  • Reverse Proxy: #Caddy (installed via AUR).
  • Cloudflare Access: Enabled for security and SSO.
  • Cloudflared: Also installed via AUR.
  • CORS Settings in Cloudflare Access: Configured to allow all origins, methods, and headers.

What’s Working

  • MiniFlux is accessible from my home network after removing restrictive CORS settings in both Caddy and MiniFlux.
  • Nextflux is properly deployed on Cloudflare Pages.

The Problem

Nextflux cannot connect to MiniFlux due to persistent CORS errors and authentication issues with Cloudflare Access. Here are the errors I’m seeing in the browser console:

  • CORS Error:Access to fetch at 'https://rss.laniecarmelo.tech/v1/me' from origin 'https://nextflux.laniecarmelo.tech' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.

  • Cloudflare Access Redirection:

    Request redirected to 'https://lifeofararebird.cloudflareaccess.com/cdn-cgi/access/login/rss.laniecarmelo.tech'.

  • Failed to Fetch:

    Failed to fetch: TypeError: Failed to fetch.

    • What I’ve Tried

  • Service Token Authentication:

    • Generated a service token in Cloudflare Access for Nextflux.
    • Added CF-Access-Client-Id and CF-Access-Client-Secret headers in Caddy for rss.laniecarmelo.tech.
    • Updated Cloudflare Access policies to include a bypass rule for this service token.

  • CORS Configuration:

    • Tried permissive settings (Access-Control-Allow-Origin: *) in both Caddy and MiniFlux.
    • Configured Cloudflare Access CORS settings to allow all origins, methods, and headers.

  • Policy Adjustments:

    • Created a bypass policy for my home IP range and public IP.
    • Added an "Allow" policy for authenticated users via email/login methods.

  • Debugging Logs:

    • Checked Cloudflared logs, which show requests being blocked due to missing access tokens (AccessJWTValidator errors).

    • Current State

    Despite these efforts:

    • Requests from Nextflux are still being blocked by Cloudflare Access or failing due to CORS issues.
    • The browser console consistently shows "No 'Access-Control-Allow-Origin' header" errors.

    Goals

  • Allow Nextflux (hosted on Cloudflare Pages) to connect seamlessly to MiniFlux (behind Cloudflare Access).
  • Maintain secure access to MiniFlux for other devices (e.g., my home network or mobile devices).

    • My Environment

    • Raspberry Pi 500 running Arch Linux ARM.
    • Both Caddy and Cloudflared are installed via AUR packages.
    • MiniFlux is running in Docker with the following environment variables:CLOUDFLARE_SERVICE_AUTH_ENABLED=trueCLOUDFLARE_CLIENT_ID=<client-id>CLOUDFLARE_CLIENT_SECRET=<client-secret>

    Relevant Logs

    From cloudflared:

    ERR error="request filtered by middleware handler (AccessJWTValidator) due to: no access token in request"

    From the browser console:

    Access to fetch at 'https://rss.laniecarmelo.tech/v1/me' has been blocked by CORS policy.

    Questions

  • Is there a better way to configure CORS for this setup?
  • Should I be handling authentication differently between Nextflux and MiniFlux?
  • How can I ensure that requests from Nextflux include valid access tokens?

    • Any help or advice would be greatly appreciated! 🙏

    #SelfHosting #Cloudflare #CaddyServer #Docker #RSS #CORS #Linux #ArchLinuxARM #CloudflarePages #tech #technology

    Feb 11, 2025 at 1:48pmWeb
    Show threadOCTADEFeb 11, 2025
    Did you wipe the browser cache? Sometimes the browser (especially Firefox) will cache settings and a connection will be borked even if fixed on the server end. Just a thought since I know nada about NetFlux.

    I do know about CORS troubles from back when I made some web apps. You couldn't pay me to use Cloudflare middleman.
    Show threadLanieFeb 11, 2025
    @octade Yeah I'm seriously thinking about getting rid of it again, but I figured since I was using Cloudflare DNS, I'd use the other services too and make my self-hosted services more secure. I've cleared the cache and tried a private window.
    Show threadOCTADEFeb 11, 2025
    Since I don't want to bother with a shieldwall like Cloudflare or the others, I resort to running things in sandboxes. That can be a bit of a pain to configure, too, but at least I know it is my mistake and not tech support's ...

    It sounds like you are setting up a serious system on that little Pi. I wish I had more time to play with those kind of toys ... it looks like a blast.
    Show threadOCTADEFeb 11, 2025
    Maybe try to test with curl to see if it gets same errors as browser?

    curl -H "CF-Access-Client-Id: {your-client-id}" ...
    -H "CF-Access-Client-Secret: {your-client-secret}" ...
    https://rss.laniecarmelo.tech/v1/me

    Sign in ・ Cloudflare Access

    Show threaddarcmage 🇨🇦 Feb 11, 2025
    @RareBird15 I had the same cors issue with my miniflux+nextflux setup but it was all internal and would work on my desktop, not my laptop. After bashing my head against the wall for a few days, I found https://github.com/bluryar/nuxtflux and it has been working properly ever since.
    Show threadLanieFeb 12, 2025
    @darcmage I'll check this out. I hadn't heard of this one before.