My domain returns a 521 error as soon as I enable the CDN proxy (my English is bad)

What is the name of the domain?

akiyama301.com

What is the error number?

521

What is the issue you’re encountering?

If I turn on the Cloudflare CDN proxy on the IPv4 DNS record, I get a 521 error.

What steps have you taken to resolve the issue?

  1. Check the nginx config. My config is:
server {
    listen 80;
    server_name akiyama301.com www.akiyama301.com;

    # Redirect HTTP requests to HTTPS
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name akiyama301.com www.akiyama301.com;

    ssl_certificate /etc/ssl/certs/akiyama301.com.pem;
    ssl_certificate_key /etc/ssl/private/akiyama301.com.key;

    # SSL configuration (more modern, more secure)
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
    ssl_prefer_server_ciphers off;
    ssl_ecdh_curve prime256v1:secp384r1:secp521r1; # explicitly specify the elliptic curves

    # Trust Cloudflare IPs and recover the real client IP
    # Cloudflare IP ranges (IPv4)
    set_real_ip_from 103.21.244.0/22;
    set_real_ip_from 103.22.200.0/22;
    set_real_ip_from 103.31.4.0/22;
    set_real_ip_from 104.16.0.0/13;
    set_real_ip_from 104.24.0.0/14;
    set_real_ip_from 108.162.192.0/18;
    set_real_ip_from 131.0.72.0/22;
    set_real_ip_from 141.101.64.0/18;
    set_real_ip_from 162.158.0.0/15;
    set_real_ip_from 172.64.0.0/13;
    set_real_ip_from 173.245.48.0/20;
    set_real_ip_from 188.114.96.0/20;
    set_real_ip_from 190.93.240.0/20;
    set_real_ip_from 197.234.240.0/22;
    set_real_ip_from 198.41.128.0/17;

    # Cloudflare IP ranges (IPv6) - if your server supports IPv6
    set_real_ip_from 2400:cb00::/32;
    set_real_ip_from 2606:4700::/32;
    set_real_ip_from 2803:f800::/32;
    set_real_ip_from 2405:b500::/32;
    set_real_ip_from 2405:8100::/32;
    set_real_ip_from 2a06:98c0::/29;
    set_real_ip_from 2c0f:f248::/32;

    # Take the real client IP from the CF-Connecting-IP request header
    real_ip_header CF-Connecting-IP;

    # Web root
    root /var/www/akiyama301.com;  # make sure this is your web root
    index index.html index.htm;

    # Other site configuration
    location / {
        root /var/www/akiyama301.com;
        index index.html index.htm;
        try_files $uri $uri/ =404;
    }
}

So, seemingly no problem.

  2. ufw off.

  3. curl -v test.

  4. Cloudflare CDN off: with this I can reach the site :handshake: but I need the CDN.

What feature, service or problem is this related to?

I don’t know

What are the steps to reproduce the issue?

  1. Open akiyama301.com
  2. Maybe curl -v against 443/https
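An added diagnostic, not code from the original post or from Cloudflare: a 521 means Cloudflare's edge could not open a TCP connection to the origin on the configured port, so the useful test is to probe the VPS IP directly (not through the proxied hostname) with the site name as SNI, the way the edge does, and see at which stage it fails. The script below does that stage by stage; ORIGIN_IP is a placeholder to replace with the VPS IPv4 address, and the localhost fakes at the bottom are constructed only so the stages can be demonstrated offline.

```python
"""Probe an origin the way Cloudflare's edge must reach it, one stage at a time.

Added example for this thread, not code from the original post. Replace
ORIGIN_IP with the real VPS address before using it against a live origin.
"""
import socket
import ssl
import threading

ORIGIN_HOST = "akiyama301.com"
ORIGIN_IP = "203.0.113.10"   # assumption: TEST-NET placeholder, not the real VPS
TIMEOUT = 5.0


def diagnose(host, ip, port=443, timeout=TIMEOUT):
    """Return a dict naming the first stage at which ip:port fails.

    stage values:
      tcp_connect_failed   - nothing accepted the connection (refused, filtered,
                             timed out). This is the condition Cloudflare reports
                             as 521.
      tls_handshake_failed - the port is open but TLS did not complete (plain
                             HTTP on 443, protocol or cipher mismatch).
      http_failed          - TLS completed but no HTTP status line came back.
      http_ok              - TLS completed and the origin answered.
    """
    result = {"target": f"{ip}:{port}", "sni": host}
    try:
        raw = socket.create_connection((ip, port), timeout=timeout)
    except OSError as exc:
        result.update(stage="tcp_connect_failed", detail=str(exc))
        return result

    # Cloudflare does not need a publicly trusted certificate on the origin
    # (an Origin CA cert is only trusted by Cloudflare), so the probe must not
    # stop at verification; it only checks that a handshake completes.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        tls = ctx.wrap_socket(raw, server_hostname=host)
    except (ssl.SSLError, OSError) as exc:
        raw.close()
        result.update(stage="tls_handshake_failed", detail=str(exc))
        return result

    try:
        req = f"HEAD / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n"
        tls.sendall(req.encode())
        status_line = tls.recv(4096).split(b"\r\n", 1)[0].decode(errors="replace")
        result.update(stage="http_ok", tls_version=tls.version(), status_line=status_line)
    except OSError as exc:
        result.update(stage="http_failed", detail=str(exc))
    finally:
        tls.close()
    return result


def _fake_non_tls_server():
    """Constructed stand-in for 'port open but not speaking TLS': accepts one
    connection and answers with plain HTTP, which breaks the TLS handshake."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        conn.sendall(b"HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n\r\n")
        conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def _closed_port():
    """Reserve and release a loopback port so that nothing listens on it."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def demo_stages():
    """Run diagnose() against the constructed local conditions and return the
    stage each produces: 'nothing listening' (the 521 case) versus 'listening
    but not TLS' (which would surface as a TLS error, not a 521)."""
    return {
        "closed_port": diagnose("localhost", "127.0.0.1", _closed_port(), timeout=2)["stage"],
        "non_tls_port": diagnose("localhost", "127.0.0.1", _fake_non_tls_server(), timeout=2)["stage"],
    }


if __name__ == "__main__":
    print(demo_stages())
    for port in (443, 80):   # 80 as well: in Flexible mode the edge connects on 80
        print(diagnose(ORIGIN_HOST, ORIGIN_IP, port))
```

Run it from a machine outside the VPS (the Windows box used for the curl test will do). If it reaches http_ok from there while Cloudflare still returns 521, the origin answers the general Internet but not Cloudflare's ranges, which points at the hosting provider's network filtering or an origin-side block on those ranges rather than at the nginx config.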

Most likely the entries in Cloudflare are configured incorrectly.

How can I check that? I don’t know. If the DNS CDN proxy is off, the site is OK.

You can view the records in the DNS settings, where they were configured.
Did you merge the certificate with the root certificate of the domain after acquisition, or is it self-signed?
Was the certificate generated and signed correctly?

NGINX settings for Cloudflare should be configured as follows:

nginx/config.d/default.conf

server {
    listen 80;
    server_name YOUR_IP_ADDRES;
    return 301 https://$host$request_uri;
}
server {
    listen 80;
    server_name akiyama301.com;
    return 301 https://$host$request_uri;
}
server {
    listen 443 ssl;
    server_name akiyama301.com;
    error_log /var/log/nginx/error.log error;
    access_log off;
    ssl_certificate /etc/ssl/certs/akiyama301.com.crt;
    ssl_certificate_key /etc/ssl/private/akiyama301.com.key;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers 'HIGH:!aNULL:!MD5:!3DES';
    set_real_ip_from 0.0.0.0/0;
    real_ip_header X-Forwarded-For;
    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Referer $http_referer;
        proxy_set_header Cookie $http_cookie;
    }
}

The entries for your case will look like this:

A akiyama301.com YOUR_IP_ADDRES Proxied Auto 
A www YOUR_IP_ADDRES Proxied Auto

The SSL certificate is from Cloudflare Origin CA, the MD5 check shows no error, and it is .pem.
I do not have dhparam.pem.


My DNS is OK; I entered my VPS IPv4 address.

My nginx config is now:

server {
    listen 80;
    server_name YOUR_IP_ADDRES;
    return 301 https://$host$request_uri;
}
server {
    listen 80;
    server_name akiyama301.com;
    return 301 https://$host$request_uri;
}
server {
    listen 443 ssl;
    server_name akiyama301.com;
    error_log /var/log/nginx/error.log error;
    access_log off;
    ssl_certificate /etc/ssl/certs/akiyama301.com.pem;
    ssl_certificate_key /etc/ssl/private/akiyama301.com.key;
    ssl_dhparam /etc/nginx/dhparam.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers 'HIGH:!aNULL:!MD5:!3DES';
    set_real_ip_from 0.0.0.0/0;
    real_ip_header X-Forwarded-For;
    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Referer $http_referer;
        proxy_set_header Cookie $http_cookie;
    }
}

I used sudo openssl dhparam -out /etc/nginx/dhparam.pem 2048 to generate dhparam.pem.

But curl -v gives:

C:\Users\Dell>curl -v akiyama301.com
* Host akiyama301.com:80 was resolved.
* IPv6: (none)
* IPv4: 104.21.32.1, 104.21.80.1, 104.21.16.1, 104.21.48.1, 104.21.96.1, 104.21.64.1, 104.21.112.1
*   Trying 104.21.32.1:80...
* Connected to akiyama301.com (104.21.32.1) port 80
* using HTTP/1.x
> GET / HTTP/1.1
> Host: akiyama301.com
> User-Agent: curl/8.10.1
> Accept: */*
>
* Request completely sent off
< HTTP/1.1 301 Moved Permanently
< Date: Mon, 24 Feb 2025 16:29:04 GMT
< Content-Type: text/html
< Content-Length: 167
< Connection: keep-alive
< Cache-Control: max-age=3600
< Expires: Mon, 24 Feb 2025 17:29:04 GMT
< Location: https://akiyama301.com/
< Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=2scQYO3HaOXWQj8CPtRZqkGFHjVL8KK%2FQvCJhgcvuQJgOpQnnFagdZH1pMOTmyk9IR1x5ebBiJ8m1bM4WJhzGgMpR3PsY0pFFehx5MMs%2BnkxH1DKcoNN278qDjIbNUcP0Q%3D%3D"}],"group":"cf-nel","max_age":604800}
< NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
< Server: cloudflare
< CF-RAY: 9170d5180bcc19c5-KIX
< alt-svc: h3=":443"; ma=86400
< server-timing: cfL4;desc="?proto=TCP&rtt=1754&min_rtt=1754&rtt_var=877&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=78&delivery_rate=0&cwnd=236&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
<
<html>
<head><title>301 Moved Permanently</title></head>
<body>
<center><h1>301 Moved Permanently</h1></center>
<hr><center>cloudflare</center>
</body>
</html>
* Connection #0 to host akiyama301.com left intact

C:\Users\Dell>

Was the certificate merging performed?
Here’s an example:
cat certificate.pem private.pem > fullcertificate.pem

How do I do that? I downloaded the Origin server certificate from Cloudflare.

I did it. Here is my site config:

server {
    listen 80;
    server_name 150.66.48.157;
    return 301 https://$host$request_uri;
}
server {
    listen 80;
    server_name akiyama301.com;
    return 301 https://$host$request_uri;
}
server {
    listen 443 ssl;
    server_name akiyama301.com;
    error_log /var/log/nginx/error.log error;
    access_log off;
    ssl_certificate /etc/ssl/certs/akiyama301.com_full_rsa.pem;
    ssl_certificate_key /etc/ssl/certs/akiyama301.com_full_rsa.pem;
    ssl_dhparam /etc/nginx/dhparam.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers 'HIGH:!aNULL:!MD5:!3DES';
    set_real_ip_from 0.0.0.0/0;
    real_ip_header X-Forwarded-For;
    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Referer $http_referer;
        proxy_set_header Cookie $http_cookie;
    }
}

If you are using Flexible SSL mode, then a certificate is not required on the server, as the traffic between your server and Cloudflare is not encrypted. However, a certificate will be necessary if you are using Full SSL mode, since in this case the traffic between Cloudflare and your server is encrypted.

When you download the certificate from Cloudflare, if the certificate and private key are downloaded separately, they need to be combined using the cat command in the terminal. If you already have a certificate in .crt format, then it is not necessary to combine it with the private key for use in Nginx.

Regarding the certificate format, the .crt format is commonly used, but Nginx also supports the .pem format.

I have merged the pem format certificate and provided the nginx website configuration above. At present, the 521 error code is still not resolved.

Is Cloudflare being blocked by your iptables?

Check the terminal command:

sudo iptables -L -n -v

Pay attention to any lines that contain DROP or REJECT, as they indicate traffic is being blocked.

Make sure to verify the following:

  • Is the http {...} block in nginx configured correctly, along with the header forwarding?
  • Are the settings in Cloudflare configured properly?
  • Check the server logs: is Cloudflare trying to connect to your server, and what happens at that moment?
  • What SSL level are you using in Cloudflare (Flexible, Full, Full (Strict)), and does it match your server settings?

It’s very difficult to assist those who aren’t willing to put in any effort and ask basic questions. It’s in your best interest to provide details about what you’re trying to accomplish, as guessing can take a long time.

I have little to offer beyond implementing your suggestions; most of what I can offer is expressed in the question and my responses, since I am a newbie.

Chain INPUT (policy ACCEPT 5067K packets, 4883M bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 4570K packets, 4816M bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-after-forward (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-after-input (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-after-logging-forward (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-after-logging-input (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-after-logging-output (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-after-output (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-before-forward (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-before-input (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-before-logging-forward (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-before-logging-input (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-before-logging-output (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-before-output (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-reject-forward (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-reject-input (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-reject-output (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-track-forward (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-track-input (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-track-output (0 references)
 pkts bytes target     prot opt in     out     source               destination         
root@h150-66-48-157:~# 

My OS is Ubuntu 22.

@qth301 Could you change your nginx config back to what you had at the beginning? I think it made a lot of sense and is a much better starting point for debugging than what you have now.

I got my nginx config from Claude; it is the one I originally posted with my question in the community, the code block at the top of the page.

@knot I appreciate that you are trying to help others, but please restrict your advice to topics on which you have the knowledge to help others.
So far, some of your recommendations here have been unhelpful at best and introduce security risks.
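As an added illustration of the security risk referred to above (this is example code written for this page, not from the thread or from nginx): the suggested `set_real_ip_from 0.0.0.0/0; real_ip_header X-Forwarded-For;` tells nginx to believe a client-supplied header from any TCP peer, so anyone who connects to the VPS IP directly, bypassing Cloudflare, can choose the address that appears in $remote_addr, logs, rate limits and IP allowlists. The script re-implements the decision nginx's realip module makes for that configuration and for the original one (trust only the Cloudflare IPv4 ranges listed in the first config, read CF-Connecting-IP) and runs both over two constructed requests. The peer and client addresses are made up from the TEST-NET documentation ranges.

```python
"""Compare two realip configurations on constructed requests.

Added example for this thread; the Cloudflare IPv4 ranges are copied from the
first nginx config posted, everything else is constructed.
"""
import ipaddress

CLOUDFLARE_V4 = [ipaddress.ip_network(n) for n in (
    "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22", "104.16.0.0/13",
    "104.24.0.0/14", "108.162.192.0/18", "131.0.72.0/22", "141.101.64.0/18",
    "162.158.0.0/15", "172.64.0.0/13", "173.245.48.0/20", "188.114.96.0/20",
    "190.93.240.0/20", "197.234.240.0/22", "198.41.128.0/17",
)]
TRUST_ANYONE = [ipaddress.ip_network("0.0.0.0/0")]


def is_trusted(addr, trusted_nets):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in trusted_nets)


def effective_client_ip(peer_addr, headers, trusted_nets, real_ip_header):
    """Return what nginx's realip module would expose as $remote_addr.

    Mirrors the module's default behaviour (real_ip_recursive off): when the
    TCP peer is inside set_real_ip_from, $remote_addr is replaced by the header
    value, and for X-Forwarded-For that is the last comma-separated address.
    When the peer is not trusted, or the header is missing, the TCP peer
    address is kept.
    """
    if not is_trusted(peer_addr, trusted_nets):
        return peer_addr
    value = headers.get(real_ip_header)
    if not value:
        return peer_addr
    if real_ip_header == "X-Forwarded-For":
        return value.split(",")[-1].strip()
    return value.strip()


CONFIGS = {
    # the suggestion made in this thread: trust every peer, read X-Forwarded-For
    "trust_all_xff": (TRUST_ANYONE, "X-Forwarded-For"),
    # the first config in the thread: trust Cloudflare only, read CF-Connecting-IP
    "cloudflare_only_cfip": (CLOUDFLARE_V4, "CF-Connecting-IP"),
}

# Constructed requests. The first is a genuine visitor arriving through a
# Cloudflare edge address; the second is an attacker connecting straight to the
# VPS IP (bypassing Cloudflare) and forging both headers to look like localhost.
REQUESTS = {
    "via_cloudflare": ("172.70.92.1", {"X-Forwarded-For": "198.51.100.7",
                                      "CF-Connecting-IP": "198.51.100.7"}),
    "direct_forged": ("203.0.113.66", {"X-Forwarded-For": "127.0.0.1",
                                       "CF-Connecting-IP": "127.0.0.1"}),
}


def evaluate():
    """Map config name -> request name -> the $remote_addr nginx would use."""
    return {
        cfg: {req: effective_client_ip(peer, hdrs, nets, header)
              for req, (peer, hdrs) in REQUESTS.items()}
        for cfg, (nets, header) in CONFIGS.items()
    }


if __name__ == "__main__":
    for cfg, outcomes in evaluate().items():
        print(cfg)
        for req, ip in outcomes.items():
            print(f"  {req:15} -> {ip}")
```

Both configurations give the right answer for the visitor who really came through Cloudflare; only the trust-everyone variant lets the direct connection impersonate 127.0.0.1. Restricting set_real_ip_from to Cloudflare's ranges makes the forged header inert, and the same list of ranges is what a firewall on the VPS should allow on 443 so that the direct path does not exist at all.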

Yes, I understand that. Can you use that again instead of the config that you now have?

I’d just suggest a few changes to the SSL section to keep things simple:

    # SSL configuration (more modern, more secure)
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;

I removed ssl_ciphers and ssl_ecdh_curve and ssl_dhparam.