Introduction
When building a Pixiv mirror site or other proxy services, we often use Cloudflare Worker as an edge gateway. However, if you directly call fetch('http://your-server-ip') in a Worker, you may get a strange 403 Forbidden.
What makes it confusing:
- Local tests all pass: direct requests to the server IP through browser or Postman work.
- Firewall fully open: even
Allow Allstill gets blocked. - Response is too fast: Worker logs show only 4ms-10ms.
Root cause: Cloudflare SSRF sandbox policy
A 4ms response usually means the request never left Cloudflare’s data center.
To prevent abuse of Worker infrastructure for SSRF scanning/attacks, Cloudflare applies strict restrictions to Workers requesting raw IP addresses directly. Even without manually enabled WAF rules, this traffic can be blocked at the edge.
Fix: mask the raw IP behind a domain
The key is simple: don’t let Worker see a raw IP target.
1. DNS alias in Gray Cloud mode
This is the cleanest and lowest-cost approach.
- Steps:
- In Cloudflare DNS, add an A record (for example
tunnel.yourdomain.com). - Point it to your server IP.
- Critical: set the cloud icon to gray (DNS Only).
- In Cloudflare DNS, add an A record (for example
- Why it works: Worker sees a domain instead of a raw IP, so normal DNS resolution flow applies and IP-target SSRF rules are avoided.
2. Update Worker code
In Worker code, use this new domain instead of the raw IP, and clean request headers as needed.
Summary
If your proxy request returns 403 in just a few milliseconds, check Cloudflare Worker’s egress policy first—not your origin firewall.
- Raw IP = suspicious pattern = blocked
- Domain (Gray Cloud) = normal traffic = allowed
This behavior is easy to miss in documentation, but in practice it is a common edge-computing gotcha.