CF Proxied DNS painfully slow

As you can see from this WebPageTest report (brightlinesdesign.c...Milan, Italy - EC2 - WebPageTest Details), the initial connections to my website using CF proxied DNS are painfully slow: over 6 seconds for the first redirect and over 5 seconds for the second one. This does not happen if I switch the Proxied DNS off. I noticed that if I switch SSL/TLS to “Flexible” this issue does not happen anymore. Unfortunately this setting is not recommended. As soon as I switch again to “SSL/TLS → Full (Strict)”, the issue happens again.

Could you please help me investigate what could be the problem?

Sounds to me like you have an insecure setup at your origin host/server.

Before moving to Cloudflare, was your Website working over HTTPS connection?

Did you have a valid SSL certificate installed or not at your origin host / server for your domain name (covering the naked domain, www, and other sub-domains)?

Solution:

Here is a way to re-check if you correctly set up SSL for your domain with Cloudflare:

In case you do not have an SSL certificate, you can use Cloudflare SSL; if so, kindly make sure you follow the instructions in the article below to set up an SSL certificate using a Cloudflare Origin CA certificate:

1 Like

Hello @fritex, many thanks for your reply. Yes, I confirm that I have a valid certificate on my server issued by Let’s Encrypt for both the root domain and all subdomains via a wildcard domain.
I took screenshots


Right now I have disabled the DNS proxy on my website, so it can also be verified directly if you want: just access brightlinesdesign.com and check the certificate.

Any other suggestions?

Great. Full (Strict) SSL should work well with it.

I am not sure in which moment, with proxied or unproxied, or Flexible or Strict, but I managed to capture an issue with 301 redirections too:

Does this still happen? I guess that’s a temporary issue because I was changing the encryption to Flexible

The Diagnostic Center (Diagnostic Center | Check SSL and Test Website Security | Cloudflare) only reports the issue I am experiencing, slow_ttfb_on_cache.

This is the command I am using to try to debug: curl -s -D - -o /dev/null https://brightlinesdesign.com -vvv

It should just redirect to www. but it takes about 5 seconds. Removing https and using http, it’s very fast.

From time to time very few requests work without delay, like this one:

HTTP/2 200
date: Wed, 19 Jan 2022 21:39:32 GMT
content-type: text/html; charset=UTF-8
vary: Accept-Encoding
strict-transport-security: max-age=15552000; includeSubDomains; preload
x-frame-options: allow-from SAMEORIGIN
x-content-type-options: nosniff
x-xss-protection: 1; mode=block
cache-control: public, max-age=31536000, must-revalidate
cf-cache-status: DYNAMIC
expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
report-to: {"endpoints":[{"url":"https://a.nel.cloudflare.com/report/v3?s=U2pUVC539H48bji7ZpSx6L8hVddvGhEO6N%2Br%2BtR7FRP4FeEvL1KwksHy%2BuFsY7aSjnuVRur11fYVxJJPNGZ607u5YJCrl4iIhy0XwFgtF5BbbU2I6JU%2FyI6%2B9aVByoE7DMXMCzNAv0u0Vc%2B6"}],"group":"cf-nel","max_age":604800}
nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
server: cloudflare
cf-ray: 6d03375e5ab559fb-MXP
alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400

One more hint: purging the cache from the CF website seems to cause more requests to return correctly without delay.
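An added shell example, not from this thread or from Cloudflare, that splits the curl request above into name resolution, TCP connect, TLS handshake and server phases, so a delay that happens before the connection even opens (which is what the ping test later in this thread points at) is not mistaken for a slow origin or a TLS problem. `time_phases` uses curl's real `-w` write-out variables; `classify_timing` and `diagnose_url` are helper names chosen here, and the timestamps in the usage comment are constructed sample values.

```shell
#!/bin/sh
# Added example (not from the thread): break a curl request into phases so a
# resolution-side delay is not mistaken for a slow origin or a TLS problem.

# Print curl's cumulative phase timestamps for a URL, in seconds:
#   namelookup connect appconnect starttransfer
# (curl write-out variables; time_appconnect is 0 for plain http)
time_phases() {
  curl -s -o /dev/null \
    -w '%{time_namelookup} %{time_connect} %{time_appconnect} %{time_starttransfer}\n' \
    "$1"
}

# Turn the four cumulative timestamps into per-phase durations and name the
# phase that dominates. Output: "<phase> dns=.. tcp=.. tls=.. server=.."
# Constructed sample: classify_timing 5.012 5.030 5.100 5.250  ->  dns ...
classify_timing() {
  awk -v nl="$1" -v co="$2" -v ac="$3" -v st="$4" 'BEGIN {
    dns = nl + 0            # time until the name was resolved
    tcp = co - nl           # TCP handshake
    if (ac + 0 > 0) {       # TLS handshake only exists for https
      tls = ac - co
      server = st - ac      # time from handshake done to first byte
    } else {
      tls = 0
      server = st - co
    }
    best = "dns"; max = dns
    if (tcp > max)    { best = "tcp";    max = tcp }
    if (tls > max)    { best = "tls";    max = tls }
    if (server > max) { best = "server"; max = server }
    printf "%s dns=%.3f tcp=%.3f tls=%.3f server=%.3f\n", best, dns, tcp, tls, server
  }'
}

# Run both steps for a URL, e.g.: diagnose_url https://example.com/
diagnose_url() {
  set -- $(time_phases "$1")
  classify_timing "$1" "$2" "$3" "$4"
}

if [ $# -gt 0 ]; then
  diagnose_url "$1"
fi
```

If the `dns` figure carries almost all of the delay while `tcp`, `tls` and `server` stay in the tens of milliseconds, the problem is on the resolving host, not at Cloudflare's edge or the origin; a large `tls` share would instead point at the handshake or certificate chain, and a large `server` share at the origin.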

In order to narrow down the issue, I have made the following setup:
test.brightlinesdesign.com → Proxied through Cloudflare (Orange cloud)
brightlinesdesign.com → No proxy, direct host access (Grey cloud)

ping test.brightlinesdesign.com takes about 5 seconds to reply to the first ping. The first ping itself is short (about 15 ms), but it still takes about 5 s to get to the first ping.

ping brightlinesdesign.com starts replying to pings immediately, with no delay.

With this setup I have ruled out any issue related to the webserver (it’s not running at all). I hope this helps someone get to the root of the problem. Thank you.

For anybody else having this issue, this is how I resolved it:

sudo nano /etc/nsswitch.conf

Change: hosts:                             files mdns4_minimal [NOTFOUND=return] dns mdns4
To:     hosts:                             files mdns4_minimal [NOTFOUND=return] dns

Save, then restart the avahi daemon:
sudo systemctl restart avahi-daemon
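An added shell check, not from this thread or from the nss-mdns project, for the misconfiguration the fix above removes: in nss-mdns, `mdns4_minimal` only answers `.local` names and link-local addresses, while plain `mdns4` answers any name, so a `hosts:` line that lists `mdns4` after `dns` sends every lookup that `dns` does not answer to a multicast query that waits for its timeout. The function names `check_hosts_line` and `check_nsswitch_file` are chosen here, and the two lines in the usage comment are constructed samples matching the before/after in the post.

```shell
#!/bin/sh
# Added example (not from the thread): flag a non-minimal mDNS module
# (mdns, mdns4, mdns6) listed after dns on the hosts: line of nsswitch.conf.

# Check one "hosts:" line. Returns 0 when no full mDNS fallback follows dns,
# 1 when one does. The line is passed as a single argument so the
# [NOTFOUND=return] token is never exposed to shell glob expansion.
# Constructed samples:
#   check_hosts_line "hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4"  -> 1
#   check_hosts_line "hosts: files mdns4_minimal [NOTFOUND=return] dns"        -> 0
check_hosts_line() {
  printf '%s\n' "$1" | awk '{
    sub(/^hosts:[ \t]*/, "")          # drop the key, re-split the modules
    seen_dns = 0
    for (i = 1; i <= NF; i++) {
      if ($i == "dns") {
        seen_dns = 1
      } else if (seen_dns && ($i == "mdns" || $i == "mdns4" || $i == "mdns6")) {
        printf "WARN: %s is listed after dns; names dns cannot answer fall through to multicast DNS and wait for its timeout\n", $i
        exit 1
      }
    }
    print "OK: no full mDNS fallback after dns"
    exit 0
  }'
}

# Read the hosts: line from an nsswitch.conf (default /etc/nsswitch.conf).
check_nsswitch_file() {
  line=$(grep '^hosts:' "${1:-/etc/nsswitch.conf}" | head -n 1)
  if [ -z "$line" ]; then
    echo "no hosts: line found in ${1:-/etc/nsswitch.conf}"
    return 2
  fi
  check_hosts_line "$line"
}

if [ $# -gt 0 ]; then
  check_nsswitch_file "$1"
fi
```

Run it as `sh check.sh /etc/nsswitch.conf` on the resolving host; a non-zero exit with the WARN line is the condition the post fixed by deleting the trailing `mdns4`. Keeping `mdns4_minimal` before `dns` is fine, since it only handles `.local` names.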

1 Like
