522 when accessing Cloudflare site with certain IPs

I’m on the Cloudflare free plan, using Cloudflare to proxy GitHub Pages. Everything was working flawlessly until a few weeks ago, when accessing my site started returning 522 errors. I’m aware of what the 522 means, but the issue doesn’t appear to be with the origin server. It only happens when accessing it from certain IPs.

For example, around half of connections when using NordVPN result in a 522, and occasionally Google/Bingbot crawls also fail because of a 522. It doesn’t seem to happen with non-bot or non-VPN connections, though, which leads me to assume it’s related to the firewall. Sometimes after connecting with a VPN an event will show up in the firewall log (not always) that says “Managed challenge”, although there was never actually a challenge served (it was just the 522 error page). I tried creating a firewall rule that allows all traffic and overrides the managed rules (which I think might be the issue based on other threads I’ve read), but that doesn’t seem to have fixed anything.

I’ve tried pausing Cloudflare and it works perfectly fine, so it’s not a problem with the origin, and it’s not a problem with the origin blocking Cloudflare IPs because the error only happens sometimes.

Any suggestions?

In case anyone else is experiencing this issue (522 error while using Cloudflare over GitHub Pages), this worked for me:

Point the record for your sub/domain directly to your GitHub pages site (username.github.io). Don’t point wildcards (*.example.com); point the absolute domain (sub.example.com) to your pages site.

Also (this is what I did wrong), don’t point your root A records to the GitHub Pages IPs (the ones starting with 185.199) and then reference your domain in the CNAME’s content (example: if your domain is example.com, don’t add an A record for example.com (the root) and point it to 185.199.108.153, then point sub.example.com to example.com), because for some reason this will trigger the 522 error. Instead, always point the CNAME directly to your .github.io domain to avoid this altogether.

Someone on Server Fault (https://serverfault.com/questions/975186/should-the-cname-reference-the-repo-when-hosting-multiple-sites-with-github-page) found this same issue 3 years ago, so it’s clearly not new, but it has gotten worse recently for some reason (I had never experienced this problem until early June).
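
Added example (not part of the original posts): a small Python check over a list of DNS records that flags the two layouts the reply above says to avoid, a wildcard pointed at GitHub Pages and a CNAME that chains through a name holding GitHub Pages A records. The record tuples and the function name `lint_records` are assumptions made for illustration; the `185.199.` prefix and `username.github.io` come from the post.

```python
# Added example: lint DNS records for the two patterns the reply says to avoid.
# All record data below is constructed for illustration.

GITHUB_PAGES_IP_PREFIX = "185.199."   # "the ones starting with 185.199" (from the post)
GITHUB_PAGES_SUFFIX = ".github.io"


def norm(value):
    """Lower-case a DNS name or address and drop any trailing dot."""
    return value.strip().lower().rstrip(".")


def lint_records(records):
    """Return (name, problem) tuples for records matching the risky layouts.

    records: iterable of (name, type, content), e.g.
             ("sub.example.com", "CNAME", "example.com")
    """
    recs = [(norm(n), t.upper(), norm(c)) for n, t, c in records]
    # Names in this zone whose A records are GitHub Pages addresses.
    pages_a_names = {n for n, t, c in recs
                     if t == "A" and c.startswith(GITHUB_PAGES_IP_PREFIX)}
    findings = []
    for name, rtype, content in recs:
        to_pages = (content.endswith(GITHUB_PAGES_SUFFIX)
                    or content.startswith(GITHUB_PAGES_IP_PREFIX)
                    or content in pages_a_names)
        if name.startswith("*.") and to_pages:
            findings.append((name, "wildcard record points at GitHub Pages"))
        elif rtype == "CNAME" and content in pages_a_names:
            findings.append((name, "CNAME chains through " + content +
                             "; target the .github.io name directly"))
    return findings


# Constructed sample zone: the failing layout from the post plus one good record.
SAMPLE = [
    ("example.com", "A", "185.199.108.153"),
    ("sub.example.com", "CNAME", "example.com"),
    ("*.example.com", "CNAME", "username.github.io"),
    ("docs.example.com", "CNAME", "username.github.io."),
]

if __name__ == "__main__":
    for name, problem in lint_records(SAMPLE):
        print(name + ": " + problem)
```
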
