502 Bad Gateway, only when going through Cloudflare


I’m experiencing a strange issue that I’m having a very hard time troubleshooting.

An API endpoint on my site is returning a Cloudflare-branded 502 Bad Gateway error when the cookie header in the request exceeds 649 characters. Other headers seem not to matter at all in this instance.
Cloudflare documentation states that this has to be an error on my origin server.

The weird thing is that this exact request works perfectly fine when using the IP and a Host header directly, circumventing Cloudflare proxying - the size of the header does not matter at all in that case.

The server is running nginx with a very simple setup. I have confirmed that this is the virtual host both Cloudflare and the direct request are reaching.

server {
        listen 80;
        listen [::]:80;

        access_log  /var/log/nginx/site.access.log;
        error_log /var/log/nginx/site.error.log;

        root /var/www/html;

        server_name www.example.org example.org;

        location / {
                client_max_body_size 60M;

                fastcgi_buffers 16 16k;
                fastcgi_buffer_size 32k;
                proxy_buffer_size 128k;
                proxy_buffers 4 256k;
                proxy_busy_buffers_size 256k;

                proxy_read_timeout 90;
                proxy_connect_timeout 90;
                proxy_redirect off;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header Host $host;
                proxy_set_header X-Forwarded-Proto https;

                # The posted snippet was cut off here. The thread says the app
                # is reached on port 8081; the loopback address is assumed.
                proxy_pass http://127.0.0.1:8081;
        }
}

I’ve run a tcpdump -i any on my server while running the requests, and the failing requests through Cloudflare don’t show up in the dump, while any other requests through Cloudflare, and the direct requests for testing, do. This indicates to me that the requests don’t reach my origin server at all.
Could this possibly be an issue with my CF site configuration or with Cloudflare itself?


So, you are proxying 8081 to 80.
May I also ask, are you running ISPConfig or some other app on port 8081? It could perhaps be configured on one of the ports that are supported by and compatible with Cloudflare proxy mode :orange:.

Therefore, I would recommend using one of the available ports that work over HTTPS, so you do not need to proxy it over another port; rather, keep using it over, for example, 2083, 2096, etc. with SSL :wink:

In case you do not have an SSL certificate, you can use Cloudflare SSL; if so, kindly follow the instructions in the article below to set up an SSL certificate using a Cloudflare Origin CA certificate:

May I ask which SSL option you have selected under the SSL/TLS tab in the Cloudflare dashboard for your domain (Flexible, Full, Full Strict …)?

And it seems to me you are running an unsecured (HTTP) connection, correct?
Are you planning to go on HTTPS or not?

May I also ask, www or non-www?

Here is a way to re-check if you correctly setup the SSL for your domain with Cloudflare:

Last but not least, kindly have a look here for more information regarding correct SSL settings at the SSL/TLS tab on Cloudflare dashboard:

In terms of a 502 error, may I suggest looking at the below article:

Furthermore, do not skip the step below, and kindly re-check that Cloudflare is allowed to connect to your origin host, as described in the article below:

Nevertheless, the Cloudflare IP address list can be found here:


Hi! Thanks for your answer.

Yes, the tests I have done were on a Cloudflare setup with encryption set to “Flexible” due to certain vendor requirements.
I’ve switched to “Full (Strict)” on a setup for testing purposes and have replicated the issue, so I don’t think it is related to this specific point.

Cloudflare proxying was always turned on for this service and it is being accessed via HTTPS.

8081 runs the app that is to be exposed - the port is hidden with UFW, the only ports that should be visible to CF are 80 and 443. Nginx can connect to the app fine.
CF can connect to these and the rest of the service works as expected, only the specific case detailed seems to cause issues.

May I also ask, www or non-www?

All tests are done on non-www, but I can replicate the issue on the www equivalent.

I’ve again done some tcpdump captures directly on the container the app runs in and on the whole system with CF set to no encryption (in order to observe HTTP requests), and the requests that are to end up in a 502 never seem to even arrive on the origin server. Succeeding requests are captured fine.
This confuses me greatly, as everything on CF’s side points to the error being on my origin server.

Is there anything else I could do to troubleshoot this?
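The original post pins the failure to a Cookie header longer than 649 characters, and the follow-up asks what else can be done to narrow it down. The script below is an added example, not code from the thread or from Cloudflare: it bisects the exact header length at which a path starts answering 502 and runs the same bisection through the proxy and directly against the origin IP (plain HTTP with a forced Host header, as the poster did), so the two thresholds can be compared. The host names, path, cookie name and IP address are placeholders; only the Python standard library is used.

```python
"""Bisect the Cookie-header length at which a request path starts returning 502.

Added example for the thread above; not the poster's or Cloudflare's code.
Host names, path, cookie name and origin IP below are constructed placeholders.
"""
import http.client
from typing import Callable, Optional

# A probe maps a cookie length (in characters) to the HTTP status it got back.
Probe = Callable[[int], int]


def build_cookie(length: int, name: str = "session") -> str:
    """Return a Cookie header value of exactly `length` characters."""
    prefix = f"{name}="
    if length < len(prefix):
        raise ValueError("length is too short for the cookie name")
    return prefix + "a" * (length - len(prefix))


def http_probe(host: str, path: str = "/api/endpoint", *,
               connect_to: Optional[str] = None, scheme: str = "https",
               timeout: float = 10.0) -> Probe:
    """Build a probe that GETs `path` with a Cookie header of the requested size.

    `connect_to` is the address the TCP connection goes to; when set, the Host
    header still carries `host`, which is the "IP plus Host header" bypass test
    from the thread (use scheme="http" for an origin that listens on port 80).
    """
    def probe(length: int) -> int:
        target = connect_to or host
        conn_cls = http.client.HTTPSConnection if scheme == "https" else http.client.HTTPConnection
        conn = conn_cls(target, timeout=timeout)
        try:
            # http.client honours an explicit Host header and does not add its own.
            conn.request("GET", path, headers={
                "Host": host,
                "Cookie": build_cookie(length),
                "User-Agent": "cookie-size-probe/1",
            })
            return conn.getresponse().status
        finally:
            conn.close()
    return probe


def find_threshold(probe: Probe, lo: int, hi: int, bad_status: int = 502) -> Optional[int]:
    """Smallest cookie length in (lo, hi] for which `probe` returns `bad_status`.

    Assumes the behaviour is monotonic (fine below the threshold, failing at and
    above it), which is what the thread describes. Returns None when even `hi`
    succeeds, i.e. no threshold exists in the range.
    """
    if probe(lo) == bad_status:
        raise ValueError(f"lower bound {lo} already returns {bad_status}")
    if probe(hi) != bad_status:
        return None
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if probe(mid) == bad_status:
            hi = mid      # failure is at or below mid
        else:
            lo = mid      # still fine at mid
    return hi


def compare_paths(via_proxy: Probe, direct: Probe, lo: int = 16, hi: int = 8192) -> dict:
    """Bisect both paths and report where each one starts failing."""
    return {
        "via_proxy_threshold": find_threshold(via_proxy, lo, hi),
        "direct_threshold": find_threshold(direct, lo, hi),
    }


if __name__ == "__main__":
    # Placeholder names; both probes need network access to your own site.
    result = compare_paths(
        http_probe("example.org", scheme="https"),                    # through the proxy
        http_probe("example.org", connect_to="203.0.113.10", scheme="http"),  # straight to origin
    )
    print(result)
```

If the proxied path fails at a few hundred bytes while the direct path survives the full range, the two results line up with the tcpdump observation that the failing requests never arrive at the origin; note also that nginx's default `large_client_header_buffers` is `4 8k`, far above a 649-character cookie, so an origin-side header limit would show up on the direct path as well.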
