🐛 BUG: fetch() call to public Zero Trust URL from Worker results in error 1000

[Shotster]

Which Cloudflare product(s) does this pertain to?

Wrangler

What versions are you using?

Wrangler v3.103.2, Node v22.13.0

What operating system and version are you using?

macOS Sequoia 15.2 (Intel)

Please provide a link to a minimal reproduction

No response

Describe the Bug

In versions of wrangler after 3.100.0, making a fetch() call to one of my public Zero Trust URLs results in a Cf Error 1000. Additional details and screenshot are in this Cf forum post.

I've tried every version of wrangler since 3.100.0 with the same result. Wrangler version 3.100.0 is the latest version that works as expected. I've been using Cf Zero Trust public endpoints in lieu of ngrok for weeks without issue. The problem arose when I updated from wrangler version 3.100.0 to the latest (3.103.2).

Additional info

Just wanted to note that this issue pertains to local development with wrangler dev.

Please provide any relevant error logs

No response

[emily-shen]

Can you check if this pre-release fixes your issue? Thanks 🧡
npm install --save-dev https://prerelease-registry.devprod.cloudflare.dev/workers-sdk/prs/8471/npm-package-wrangler-8471

[Shotster]

Unfortunately, the pre-release version disregards the original request domain. See attached screenshots:

Pre-release wrangler

wrangler version 3.100.0

Is that intended behavior? I've been using local domains defined in etc/hosts for a long time without issue, but the latest pre-release completely breaks my development setup. 😐

EDIT

Oh, forgot to mention that I'm running a reverse proxy on my local machine via Docker, and everything has been working fine until wrangler versions after 3.100.0.

[Shotster]

Just a quick follow-up to note that the "proper" host is there in the x-forwarded-host header. Following is a snippet of the relevant request headers.

[
  [
    "cf-connecting-ip",
    "127.0.0.1"
  ],
  [
    "host",
    "127.0.0.1:50334"
  ],
  [
    "x-forwarded-for",
    "::1"
  ],
  [
    "x-forwarded-host",
    "cloudflare.local"
  ],
  [
    "x-forwarded-port",
    "443"
  ],
  [
    "x-forwarded-proto",
    "https"
  ],
  [
    "x-forwarded-server",
    "docker-desktop"
  ],
  [
    "x-real-ip",
    "::1"
  ]
]

Is there any reason the host of the worker's incoming request couldn't be set to the value of the x-forwarded-host header?

The bottom line is that my worker needs to handle a "real-world" request, and that means a "regular" domain with no port. It makes no sense for me to complicate my worker logic to handle a URL I'll never actually encounter when the worker is deployed - especially when this used to work without issue.

[emily-shen]

Thanks for taking the time to try that out, the info you've provided is super helpful - very much still a WIP and not a final fix :)

[mhamann]

I think I'm hitting this same issue on wrangler 4.x. I have a functions handler that reverse-proxies API calls to a public hostname proxied through cloudflare (uses a CF LB and Zero Trust tunnel). I get Error 1000 on those calls. :-(