API calls return 403 behind Cloudflare

This is our scenario:

Our Discourse is running on a separate EC2 instance from our main server. The Discourse instance creates its own server certificate using Let’s Encrypt with the built-in mechanism.

The main server uses the API of the discourse server using its public DN.

The forum is a subdomain of the site, i.e. “forum.[mydomain].com”.

That works just fine.

Now we’ve put the whole site behind Cloudflare.

The forum itself works just fine if accessed through a browser.

However, if the main site tries to reach the Discourse instance using an API call, it now gets a 403 error.

I’ve already tried all the steps listed here: Using Discourse with Cloudflare: Best Practices - Documentation / Self-Hosting - Discourse Meta including turning off the browser integrity check for forum.[mydomain].com/u/by-external/* but to no avail.

The SSL setting in Cloudflare is set to “Full”. “Full (Strict)” is not used; it would work too, but it causes issues with the fallback error pages if the site is down, so I’d rather keep using “Full” instead.

I have no idea why the API call would fail with 403 and I have no idea how to resolve that issue. For now I’ve turned off the proxy for forum.[mydomain].com as a workaround, which does solve the issue, but of course it means that Discourse is not cached or protected by Cloudflare.

Any ideas what could be wrong?
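A first diagnostic for a 403 like this is to find out which layer produced it, the Cloudflare edge or Discourse itself. The script below is an added example, not part of the post or of Discourse: it captures the response headers of the API call and classifies the 403. It assumes Cloudflare's `cf-ray` and `cf-mitigated` response headers, Discourse's `Api-Key`/`Api-Username` request headers, and uses `forum.example.com`, the `DISCOURSE_API_KEY` variable and the sample `cf-ray` values as placeholders.

```shell
#!/bin/sh
# Classify a 403 returned by a Discourse API call that is proxied through Cloudflare.
# Reads raw HTTP response headers (status line first) on stdin.
classify_403() {
    hdrs=$(tr -d '\r')
    status=$(printf '%s\n' "$hdrs" | head -n 1 | awk '{ print $2 }')
    if [ "$status" != "403" ]; then
        echo "not-403 (status $status)"
    elif printf '%s\n' "$hdrs" | grep -qi '^cf-mitigated: *challenge'; then
        # Cloudflare served a JS/managed challenge page; an API client has no
        # browser to solve it, so the request never reached Discourse.
        echo "cloudflare-challenge"
    elif printf '%s\n' "$hdrs" | grep -qi '^content-type: *application/json'; then
        # A .json endpoint answered with JSON: the request reached Discourse and
        # Discourse refused it (invalid Api-Key/Api-Username or missing permission).
        echo "origin-discourse"
    elif printf '%s\n' "$hdrs" | grep -qi '^cf-ray:'; then
        # Passed the edge (cf-ray present) but got an HTML 403 with no challenge:
        # a Cloudflare block (WAF/firewall rule, Browser Integrity Check, ...).
        echo "cloudflare-block"
    else
        echo "unknown"
    fi
}

# Capture headers of a real call; forum.example.com, the Api-Username and the
# DISCOURSE_API_KEY variable are placeholders for your own values.
fetch_headers() {
    curl -sS -D - -o /dev/null \
        -H "Api-Key: ${DISCOURSE_API_KEY:?set DISCOURSE_API_KEY}" \
        -H "Api-Username: system" \
        "https://forum.example.com/u/by-external/$1.json"
}

# Constructed sample responses (cf-ray values are made up) for offline use.
sample_headers() {
    case "$1" in
        challenge) printf 'HTTP/2 403\r\nserver: cloudflare\r\ncf-ray: 7d1f2a3b4c5d6e7f-FRA\r\ncf-mitigated: challenge\r\ncontent-type: text/html; charset=UTF-8\r\n\r\n' ;;
        block)     printf 'HTTP/2 403\r\nserver: cloudflare\r\ncf-ray: 7d1f2a3b4c5d6e80-FRA\r\ncontent-type: text/html; charset=UTF-8\r\n\r\n' ;;
        origin)    printf 'HTTP/2 403\r\nserver: cloudflare\r\ncf-ray: 7d1f2a3b4c5d6e81-FRA\r\ncontent-type: application/json; charset=utf-8\r\n\r\n' ;;
        ok)        printf 'HTTP/2 200\r\nserver: cloudflare\r\ncf-ray: 7d1f2a3b4c5d6e82-FRA\r\ncontent-type: application/json; charset=utf-8\r\n\r\n' ;;
    esac
}

for case_name in challenge block origin ok; do
    printf '%-10s -> %s\n' "$case_name" "$(sample_headers "$case_name" | classify_403)"
done
```

Against the live forum, run `fetch_headers <external-id> | classify_403`; a `cloudflare-challenge` or `cloudflare-block` result points at the Cloudflare rules (allowlist or skip rules for the API path), while `origin-discourse` means the key or username is the problem.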