I’ve running an unraid server behind a pfsense firewall.
Unraid is running SWAG which is acting as a reverse proxy, and a tiny webserver. ( Nothing really but a splash page)
I’ve configured SSL certificates, I’ve forwarded 80 and 443 to my swag container which handles the reverse proxy for any wildcards I plan to add down the line.

I can access my swag landing page via public IP, but not by URL.
I’ve got A record configured, which gets routinely updated via cloudflare docker container, and a www cname point to @.

When I try and navigate to my url, I get a cloudflare 522 error.

On my pfsense box I’ve uninstalled PFblocker, thinking that may have been the issue.
I have run packet captures on the internal host IP address, and see the TCP packets for 80 and 443 get to the host just fine. So there is no blocking of cloudflares IPs.

I used this to see what my issue was:

And here’s what I got.

11237×3058 147 KB

May I ask you to re-check if Cloudflare is allowed to connect to your origin host to as follows in the below article?

• https://support.cloudflare.com/hc/en-us/articles/201897700-Allowing-Cloudflare-IP-addresses

Nevertheless, Cloudflare IP addresses list can be found here:

• https://www.cloudflare.com/ips/

So, your Website is not secured?
May I ask before moving to Cloudflare, was your Website working over HTTPS connection or not?
If yes, is the SSL certificate self-signed or from Let’s Encrypt, or purchased maybe for your domain name + www prefix + some other possible (or not) sub-domain?

May I ask what SSL option have you got selected under the SSL/TLS tab at Cloudflare dashboard for your domain ( Flexible, Full, Full Strict … )?

Regarding Cloudflare 522 error, may I suggest you to try looking into below articles to troubleshoot the issue:

Both are proxied and set to ?

From your screenshot I see:

• HTTPS → response status of 400.

May I ask if you can post a screenshot of this 400 error? Is it coming from your origin host/server or rather from Cloudflare?

How about below two options at Cloudflare dashboard for your domain name?:

1. Always Use HTTPS
2. Automatic HTTPS Rewrites

Are they enabled or disabled?

As I said, not the issue.

Incorrect. My website is secured.
There was no before cloudflare. SSL cert is from lets’ encrypt. SSL option is Full, I’ve tried every option. Changing this setting did not remedy the issue.

I’ve read all the community tips, and about 12 hours of testing,rechecking, google article reading etc.

Correct

This is coming from the Cloudflare diagnostic. From the client, I get 522.

I am unable to find these in the dashboard.

Ou sorry, my bad. I didn’t linked this properly.

• Kindly, navigate to the SSL/TLS tab → select Edge Certificates and scroll down a bit to see these sections

Always use HTTPS is off.
Automatic HTTPS Rewrites is on.

Does something change when you set as follows from below?:

• SSL/TLS → Full (Strict) SSL
• Always Use HTTPS → on (enable)

Give it a few minutes to apply the changes.
Try using a different Web browser, if not already, if any difference.

Furthermore, may I ask what is your domain name so I could also check this too, if it’s appropriate to share?

And both are pointed to the pfSense IP address or the origin host/server (where the proxy is installed)?

Does pfSense need … hm, the SSL certificate to be added or, I might be thinking of something while writing … sorry.

Have you checked your web server config file?

No change

Sorry cannot post that.

Yes I have, everything appears to be configured correctly.

Bumping for the morning crowd.

Still looking for resolution.

Does it work with HTTPS if it’s set to DNS Only?

YES IT DOES! I definitely don’t want my public ip out there…does this information offer a resolution??

It certainly indicates that something at your end is blocking Cloudflare.

Is this Cloudflare’s public IP? Or is it your origin’s public IP?

Is there a way to temporarily take pfsense out of the connection?

oh ok. Interesting. I’ve wiresharked the host machine, and the traffic is getting to the host machine.
I can acess my swag landing page from my ISP public IP, NOT from the cloudflare IP.

And what about back out? It’s stopping somewhere.

That doesn’t surprise me, as Cloudflare won’t forward the request if there’s no hostname.

You’re the man! I ended up adding the cloudflare ip list as an alias, then put a pass rule on WAN for traffic from that alias to host machine.

Works perfectly now! Thank you so much!

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.