Here another CORS headache, but with a slightly different setup

[SmartPhoneLover]

shlink-web-client version

3.10.2

How do you use shlink-web-client

Docker image

Summary

After posting the same question in the wrong repo, I create it here again, but explaining the situation a bit better.

THE ISSUE
After trying to add the Shlink instance (by now only a single one) into Shlink Web Client, I see the following error in the web console of my browser:
[HTTP/3 404 Not Found 343ms]
Cross-Origin Request Blocked: Same-Origin Policy disallows reading the remote resources at https://<subdomain>.<base_domain>.xxx/rest/v3/health. (Reason: Unsuccessful CORS request). Status code: (null)

So, it's a bit different thatn others I have seen there, as the error message doesn't show anything related to missing headers, or cookies. It's actually the same error as shown here, with a different setup.

I have tried enabling/disabling some settings from my CF account (affected base domain), like: adding a page rule to disable security for the subdomain+base-domain affect; configuring the CORS section for the service in the CF tunnels (App Access) as: Access-Control-Allow-Origin (allow all origins), Access-Control-Allow-Methods (allow all methods), Access-Control-Allow-Headers (allow all http headers) and Access-Control-Max-Age (86400) + a Login policy to allow everyone to access to it. But, nothing worked.

I also tried with the public (official) Shlink Web Client version, but the same error:

Oops! Could not connect to this Shlink server.
Make sure you have internet connection, and the server is properly configured and on-line.

[HTTP/3 404 Not Found 343ms]
Cross-Origin Request Blocked: Same-Origin Policy disallows reading the remote resources at https://<subdomain>.<base_domain>.xxx/rest/v3/health. (Reason: Unsuccessful CORS request). Status code: (null)

MY SETUP
My current setup consists of:

Environment...

• Using Docker to have both Shlink instances up and running.
• Using Cloudflare to allow exposing the Shlink (server) part.
• Using Nginx Proxy Manager to provide HTTPS for Shlink WC for local access ONLY.

Shlink stuff...

• Shlink: This is exposed with a CF Tunnel, using a subdomain of my base domain (ie.: links.my-website.com), and configured via env variables to serve links as "https://links.my-website.com/s/xxxx". I have also configured the "IS_HTTPS_ENABLED" variable as true.
• Shlink Web Client: It's not exposed publicly, but accessible with HTTPS through NPM reverse-proxy for LAN only, as: "https://shlink.local.my-services.lan". Its certificate was generated as a wildcard certificate with the DNS challenge method, using my Cloudflare account (this certificate is used also by 40+ services on my network).

I have configured to use HTTPS (always), and the settings for the base domain for SSL as 'Full (strict)'.

[SmartPhoneLover]

This is the output of curl for "https://files..com":

curl -v https://links.<my-website>.com/rest/v3/health
*   Trying <clodflare-ip>:443...
* Connected to links.<my-website>.com (clodflare-ip) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=<my-website>.com
*  start date: Sep 10 14:37:44 2023 GMT
*  expire date: Dec  9 14:37:43 2023 GMT
*  subjectAltName: host "links.<my-website>.com" matched cert's "*.<my-website>.com"
*  issuer: C=US; O=Let's Encrypt; CN=E1
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle xxxx)
> GET /rest/v3/health HTTP/2
> Host: links.<my-website>.com
> user-agent: curl/7.74.0
> accept: */*
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* Connection state changed (MAX_CONCURRENT_STREAMS == 100)!
< HTTP/2 404
< date: Tue, 03 Oct 2023 21:15:26 GMT
< content-type: text/html; charset=utf-8
< x-request-id: xxx
< cf-cache-status: DYNAMIC
< nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
< strict-transport-security: max-age=15552000; includeSubDomains; preload
< x-content-type-options: nosniff
< server: cloudflare
< cf-ray: <cf-ray-id>
< alt-svc: h3=":443"; ma=86400

[SmartPhoneLover]

This is the output of the other error:

XHRGET
https://links.<my-website>.com/rest/v3/health
[HTTP/3 404 Not Found 343ms]

	
GET
	https://links.<my-website>.com/rest/v3/health
Estado
404
Not Found
VersiónHTTP/3
Transferido1,20 KB (tamaño 979 B)
Política de referenciastrict-origin-when-cross-origin

    	
    access-control-allow-origin
    	*
    alt-svc
    	h3=":443"; ma=86400
    cf-cache-status
    	DYNAMIC
    cf-ray
    	xxx
    content-encoding
    	br
    content-type
    	text/html; charset=utf-8
    date
    	Tue, 03 Oct 2023 21:32:43 GMT
    nel
    	{"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    report-to
		xxx
    server
    	cloudflare
    strict-transport-security
    	max-age=15552000; includeSubDomains; preload
    x-content-type-options
    	nosniff
    x-request-id
    	xxx
    	
    Accept
    	*/*
    Accept-Encoding
    	gzip, deflate, br
    Accept-Language
    	es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
    Connection
    	keep-alive
    Host
    	links.<my-website>.com
    Origin
    	https://app.shlink.io
    Referer
    	https://app.shlink.io/
    Sec-Fetch-Dest
    	empty
    Sec-Fetch-Mode
    	cors
    Sec-Fetch-Site
    	cross-site
    User-Agent
    	Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0
    X-Api-Key
    	xxx