There are 2 errors actually, 403 and 525
Error 403: Forbidden
If you’re seeing a 403 error without Cloudflare branding, this is always returned directly from the origin web server, not Cloudflare, and is generally related to permission rules on your server. The top reasons for this error are: 1. Permission rules you have set or an error in the .htaccess rules you have set 2. Mod_security rules. 3. IP Deny rules Since Cloudflare can not access your server directly, please contact your hosting provider for assistance with resolving 403 errors and fixing rules. You should make sure that Cloudflare’s IPs aren’t being blocked.
Cloudflare will serve 403 responses if the request violated either a default WAF rule enabled for all orange-clouded Cloudflare domains or a WAF rule enabled for that particular zone. Read more at What does the Web Application Firewall do? Cloudflare will also serve a 403 Forbidden response for SSL connections to sub/domains that aren’t covered by any Cloudflare or uploaded SSL certificate.
If you’re seeing a 403 response that contains Cloudflare branding in the response body, this is the HTTP response code returned along with many of our security features:
- Web Application Firewall challenge and block pages
- Basic Protection level challenges
- Most 1xxx Cloudflare error codes
- The Browser Integrity Check
- If you’re attempting to access a second level of subdomains (eg-
*.*.example.com) through Cloudflare using the Cloudflare-issued certificate, a HTTP 403 error will be seen in the browser as these host names are not present on the certificate.
If you have questions contact Cloudflare Support and include a screenshot of the message you see or copy all the text on the page into a support ticket.
Error 525: SSL handshake failed
525 errors are often caused by a configuration issue on the origin web server. Error 525 occurs when these two conditions are true:
- The SSL handshake fails between Cloudflare and the origin web server, and
- Full or Full (Strict) SSL is set in the Overview tab of your Cloudflare SSL/TLS app.
Resolution
Contact your hosting provider to exclude the following common causes at your origin web server:
- No valid SSL certificate installed
- Port 443 (or other custom secure port) is not open
- No SNI support
- The cipher suites accepted by Cloudflare does not match the cipher suites supported by the origin web server
If 525 errors occur intermittently, review the origin web server error logs to determine the cause. Configure Apache to log mod_ssl errors. Also, nginx includes SSL errors in its standard error log, but may possibly require an increased log level.