522 error - trying to host on android phone termux nginx mobile connection with ipv6

I’m trying to use cloudflare to be able to access my phone’s web server from places where there is no IPv6 access. I have an IPv6 address accessible from outside. Apparently cloudflare does this automatically. But 522 Host error happens.

I have added the AAAA record to point to the IPv6 address that the ip addr's wlan1 interface gives. There is another IPv6 address in the same subnet that is accessible from the same network locally, but not outside. There are like way more than dozen interfaces showing up, something like rmnet_data0 to data9 and what not. When I try to use freedns curl script to update the ipv6 on their service, it sets me up with that wrong IPv6 address for example, but I guess this detail is besides the point.

What I have read the info here what 522 means I guess it’s most likely that my ISP is blocking Cloudflare, but I would want to rule out other possibilities first before I contact my ISP.

So on my phone there is no root access, So I’m trying to host on the port 8080. I have tried with nginx on termux and simple http.server module of python. I can access the webserver with http://[ipv6]:8080 this kind of URL from outside the network.

For troubleshooting the traceroute -6 <mydomain> goes after 2606:4700:3036::6815:1ef1 which is a cloudflare’s ip. Same if ping <mydomain> or ping -6 <mydomain> it pings the domain but it has that same cloudflare ipv6 address in parenthesis. Sometimes when I traceroute it without -6 flag it goes for the cloudflare’s IPv4 address or Since my phone is not rooted the tools like netstat -tapen or iptstate won’t work I guess. netstat with those flags gives no support for 'AF INET (tcp)' on this system. I have tried to check my phone that I don’t have any firewalls. I have tried disabling netguard and disabling private dns. I tried using the cloudflare’s private dns on phone even but no.

Is there a way to test if Cloudflare IP or port 8080(?) is blocked for incoming traffic at ISP’s? Should I try some other big ports, could that make a difference? I have tried 8000. Though Cloudflare supports only limited number of ports anyway. The ISP is elisa saunalahti and its 4g mobile internet connection is my connection.

I was having performance issues and 522s as well. I disabled the Cloudflare cache and everything is working much better. There is something wrong when I have cache enabled.

Hopefully you have the SSL certificate at your host/origin.

Moreover, regarding the compatible ports (8080 is compatible) you can see the list here:

Also to note here about firewall, maybe you would need to add Cloudflare IP addresses and allow Cloudflare to connnect to your host/origin server?

You mean you put :orange: to :grey: for the AAAA records or something other like Page Rules, etc.?

I don’t have the SSL certificate at my host/origin. I have the “flexible” plan picked up at Cloudflare’s settings, so a problem with the encryption between cloudflare and the host/origin should be out of the question(?)

I have tried setting Cloudflare to development mode (bypass cache) if that could help, but that’s not helping either.

With gray cloud (DNS only) I can access my web server. The problem is that I want the proxy, because vast majority of users don’t have IPv6 support so they can’t access my web server with the gray cloud.

Kindly, may you reply with your domain name?

Even better, can you reply here with the output result which you get when you open the next URL in your Web browser for yourdomain (replace yourdomain.com with your actual domain name):

1st with :grey: and 2nd using :orange: cloud (should be different)

Kindly, read more about why Flexible is not a great and recommend option here below:

Nevertheless, that would mean your host/origin is obviously working with HTTP (for example port 80 or some other as listed on the link here: Identifying network ports compatible with Cloudflare's proxy – Cloudflare Help Center).

Okay, meaning :orange: would get you what you want, but when you use :orange: you got 522 error?
Who is your hosting provider?
Is Cloudflare allowed to connect to your host/origin? (see the Cloudflare IP list and how to allow them).

  • Make sure that you’re not blocking Cloudflare IPs in .htaccess, iptables, or your firewall.
  • Make sure your hosting provider isn’t rate limiting or blocking IP requests from the Cloudflare IPs and ask them to whitelist the IP addresses here: https://www.cloudflare.com/ips . If the IPs that fail are consistent each time, that indicates some of the IPs in Cloudflare’s IP ranges are either being rate-limited or blocked by a network device at your hosting provider. Because Cloudflare operates as a reverse proxy the IP address your server will see is one of a limited number of Cloudflare IPs. In that sense, many actual visitors may all come from the same IP address, which can cause firewalls or security software that is not appropriately whitelisting the Cloudflare IP ranges to block this traffic as it may see it as excessive or malicious
  • If you are seeing 522 errors in certain locations only , it means you likely forgot to whitelist one of our ranges that corresponds to these locations, so double check to ensure all our IPs are whitelisted appropriately.
  • Please reach out to your hosting provider or site administrator to confirm if there are any load problems on your infrastructure.

If it still fails, at least you can reach Cloudflare Customer Support, you would login to your Cloudflare account and then contact Cloudflare Support.

With gray cloud:

  1. like you suggest (https and without specifying port 8080)
    “This site can’t be reached”
  2. then https and specifying port 8080:
    This site can’t provide a secure connection
  3. Then http and 8080
    "Error response
    Error code: 404

Message: File not found.

Error code explanation: HTTPStatus.NOT_FOUND - Nothing matches the given URI."

  1. Then with orange cloud and https without specifying port 8080:
    h=url redacted from here
    uag=Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) QtWebEngine/5.15.2 Chrome/83.0.4103.122 Safari/537.36

  2. https and specifying 8080
    “This site can’t provide a secure connection”

  3. http and 8080
    h=url redacted from here
    uag=Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) QtWebEngine/5.15.2 Chrome/83.0.4103.122 Safari/537.36

A note from the results of 4. and 6. The IP it lists is not the IP that accepts inbound connections. It’s another IPv6 address.

Yeah, if I get past this problem, then I will consider setting up SSL and switch to “full” mode.

Because this system doesn’t have a root, I can’t run this server with port 80, the Android OS that is not rooted doesn’t accept inbound connections from port 80. It’s said somewhere in the termux wiki page but I can’t find it now, so the tutorials tell people to set things on ports over 8000, so that’s why I am using port 8080. Port 8080 is listed as one of the supported ports on Cloudflare when using HTTP .

The last thing you mention that “Is cloudflare allowed to connect to my host/origin?” is the question I am wondering too. How can I know if host/origin is allowing connections or not? I don’t have an apache running so I don’t use .htaccess files, the android OS can’t run iptables, needs root so I don’t know, and as for firewalls I am not at least aware of having one that is blocking.

How can I make sure the hosting provider is not rate limiting or blocking IP requests from the Cloudflare IPs? Do I have to ask them if they are blocking, I can’t find that out without asking them? At least there has not been many connection attempts from Cloudflare to my IP, since this is a test server on the mobile phone, so not really any traffic from Cloudflare to the IP.


I got my problem solved! It was a carelessness and a still ongoing confusion about the IPs on the mobile device on my part.

So the other day I asked my friend with ipv6 support to test whether things worked “from the outside” and we concluded that they do work. However at that time I was experimenting the ipv6 address on the interface rmnet_data1 rmnet_data3 and wlan1. The end result actually was that to the outside the ipv6 address on rmnet_data1 works, while for me in the same network as the web server that address does not work when trying to reach it for example with http://[ipv6]:8080 but the ipv6 address on wlan1 works. Yesterday we did a re-test to only find out that this was the case. After this I have set the ipv6 address from rmnet_data1 to point to my domain and voila, it works for them, and also to the ipv6 crippled people. Also it works for me on the same network.

My next problem that I have started to tackle is if I could access my web server without needing the information about the port on the address bar while still running the web server on a port higher than 1000 (unrooted android limitation). If I set a page rule here on cloudflare with permanent redirect from domain to sub.domain:8080 I can then connect to just “domain” without needing to specify the port, but the redirection will show up on the address bar with the 8080 specified. Also this way I can’t access files directly like domain/file.jpg, the redirection breaks. Maybe I will create a new topic on this matter since this problem is not about the topic in this thread.

edit: One solution that works to the next problem above is the workers mentioned here Can I have the domain name stay instead of it re-routing to my web server - #2 by sdayman

1 Like