Thanks Pavel, please let me know when you figure it out.
Some additional information.
I didn’t touch service configuration.
I temporarily changed the server implementation to handle pure HTTP to exclude any issues related to TLS on my side.
I configured CF DNS to proxy the custom domain to the dedicated IP and it RESPONDS.
Weird.
How can the server be accessed through the dedicated IP if that's the only thing the CF proxy knows about?
```
❯ curl -vi http://<dedicated-ip>:443
* Trying <dedicated-ip>:443...
* Connected to <dedicated-ip> (<dedicated-ip>) port 443
> GET / HTTP/1.1
> Host: <dedicated-ip>:443
> User-Agent: curl/8.7.1
> Accept: */*
>
* Request completely sent off
* Empty reply from server
* Closing connection
curl: (52) Empty reply from server
```
Empty response? Let’s try default port 80.
```
❯ curl -vi http://<decicated-ip>
* Trying <decicated-ip>:80...
* Connected to <decicated-ip> (<decicated-ip>) port 80
> GET / HTTP/1.1
> Host: <decicated-ip>
> User-Agent: curl/8.7.1
> Accept: */*
>
* Request completely sent off
< HTTP/1.1 301 Moved Permanently
HTTP/1.1 301 Moved Permanently
< location: https://<decicated-ip>/
```
Permanent redirect to https? Huh.
```
* LibreSSL SSL_connect: SSL_ERROR_SYSCALL in connection to <dedicated-ip>:443
* Closing connection
curl: (35) LibreSSL SSL_connect: SSL_ERROR_SYSCALL in connection to <dedicated-ip>:443
```
We had a bug that, under certain conditions, caused the proxy to keep both the old and new service config. After your service config got changed (http + tls handlers removed), the proxy had both old and new configurations for port 443 of your app and got confused about whether or not it needs to terminate TLS.