Unable to determine Passkey issues behind Cloudflare Proxy

UPDATE: Solved!

To resolve the issue I was able to enable force_https which got this all resolved for us. Turns out passkeys were trying to route to http:// but that mixed traffic wasn’t getting flagged by the browser. As it turns out CloudFlare wasn’t directly the issue at all. Hope this can help someone else out in the future.

Original Post:

The Issue

Hello! I recently moved my Discourse instance behind a Cloudflare tunnel, and it seems that all is working well with the exception of passkeys. Both existing and new passkey enrollments fail, but I don’t think the logs are making it very clear as to WHY it’s failing. Hoping someone here may be able to help me find the rest of the troubleshooting info I need to resolve this:

Relevant information

About my Setup

  • Using Discourse Docker to deploy Discourse.
  • Postgres and Redis are deployed externally.
  • Deployed on Ubuntu on an AWS EC2 instance.
  • As previously stated, Cloudflare tunnel is providing TLS and acting as a proxy.

What I’ve tried

  • I have checked my config to ensure Discourse is expecting my forum's hostname (forums.example.com)
  • Discourse has been configured for port 80 HTTP as Cloudflare is handling TLS
  • When HTTP did not succeed, I attempted to force Discourse to only SSL by providing a self-signed certificate and redirecting Cloudflare to Discourse on port 443 using the HTTPS protocol.
  • I ensured that Cloudflare is passing forums.example.com to my site. I know it is since any other host header causes Discourse’s NGINX to 404.

Relevant Logs

  • This part is mildly tricky. Discourse isn’t providing anything server side (that I’ve seen) and whether I use Bitwarden, iCloud Keychain, Chrome, or Firefox the result is the same.
  • Logs for the passkey itself are nearly non-existent
  • The most useful bit I’ve found was from the Firefox / Chrome devtools console when trying to create a new passkey. The following is returned:
{
  "errors": [
    "The origin of the authentication request does not match the server origin."
  ]
}

This is a pretty clear indication there is something wrong going on between the client and discourse (AKA the proxy) but these logs don’t indicate what information is being passed back and forth to troubleshoot this further.

Can anyone help me figure out any other settings or log locations to check, or have any other recommendations for troubleshooting? I find it unlikely, but I suppose a mishap in the Nginx config could also be a factor. I essentially have a double proxy between the client and Discourse with both CloudFlare and Nginx running… Should I be reconsidering any bit of this setup?

In terms of priority, certainly nice to have fixed but since I only have about 8 users of a few thousand using passkeys (with other login methods working just fine) I’m not stressing over it too much.

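An added illustration (not code from the post or from Discourse itself) of why a TLS-terminating proxy produces exactly that error: the browser signs the page origin (https://...) into WebAuthn clientDataJSON, while an application listening on plain HTTP reconstructs an http:// origin unless it is told to assume HTTPS. The hostname, helper names and the sample clientDataJSON are assumptions constructed for the example.

```python
import base64
import json

# Hostname assumed from the post; not a real deployment value.
RP_HOST = "forums.example.com"

def server_origin(host: str, listener_scheme: str, force_https: bool) -> str:
    """Origin the server believes it is serving on.

    Behind a proxy that terminates TLS the app's own listener is plain
    HTTP, so without a force-https style setting it derives http://host.
    """
    scheme = "https" if force_https else listener_scheme
    return f"{scheme}://{host}"

def client_origin(client_data_json_b64url: str) -> str:
    """Decode base64url clientDataJSON and return the origin the browser signed."""
    padded = client_data_json_b64url + "=" * (-len(client_data_json_b64url) % 4)
    data = json.loads(base64.urlsafe_b64decode(padded))
    return data["origin"]

def check_origin(client_data_json_b64url: str, host: str,
                 listener_scheme: str, force_https: bool = False) -> dict:
    """Relying-party side origin check, mirroring the error text from the post."""
    expected = server_origin(host, listener_scheme, force_https)
    actual = client_origin(client_data_json_b64url)
    if actual != expected:
        return {"errors": ["The origin of the authentication request "
                           "does not match the server origin."],
                "expected": expected, "got": actual}
    return {"ok": True, "origin": actual}

def make_client_data(origin: str) -> str:
    """Constructed clientDataJSON as a browser would produce for a registration."""
    payload = {"type": "webauthn.create",
               "challenge": "constructed-challenge", "origin": origin}
    raw = json.dumps(payload, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")

if __name__ == "__main__":
    cd = make_client_data(f"https://{RP_HOST}")
    # App on port 80 behind the proxy: origins disagree on scheme.
    print(check_origin(cd, RP_HOST, "http"))
    # Same request with https forced: origins agree.
    print(check_origin(cd, RP_HOST, "http", force_https=True))
```

Running it shows the mismatch comes down to "http://" versus "https://" on the same hostname, which the proxy-side logs in the post never surface.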