CloudFlare timeout (522) - but no problems when specifying DNS in 'hosts' file, or disabling CloudFlare

Hi all,

I am at my wit’s end with this one - I am hoping someone can point me in the right direction :doge:

My sites all work fine if I set the DNS via my hosts file, or by disabling the Cloudflare functions.

If I enable Cloudflare to handle DNS & connection, I get a 522 - a timeout after the initial handshake… so I believe I can assume that this is a Cloudflare issue?

I am using a Synology reverse proxy (NGINX) that (in my case) takes standard 80/443 and sends on to other internal hosts:ports according to the host header (sub-domain). Perhaps Cloudflare is incompatible with something about this?

More than happy to help a Cloudflare dev look deeply into this issue :wink:

Cheers!
Matt

Is your origin listening on HTTP or HTTPS or both? What is your SSL mode set to (Off, Flexible, or one of the Fulls)?


Both/either. For each service, 80 and 443 work fine (without Cloudflare).

Flexible - but I am trying FULL (Strict) as I have a functional wildcard cert that matches the domain name. Cheers for drawing my attention to that setting, I thought flexible meant either HTTP or HTTPS :slight_smile:

Thanks for the quick reply.

Matt

If you have a valid certificate Full strict should be the mode you aim for.

If it listens on both ports it should usually work. Have you verified you entered the right IP? Are there any blocks or firewall entries on your server which could prevent Cloudflare from connecting?

Can you post the domain?


Hi,
I'm having the same issue.
Browsing the IP address of the server works fine in HTTPS.
Browsing through Cloudflare DNS doesn't work.


Yep - and I have a DDNS updater coded to update the 1 A record, which I have checked multiple times. The rest are CNAMEs which rely on the A record.

I whitelisted all 14 of the Cloudflare subnets, with no restrictions, and I have no Deny rules active which could supersede that.

After changing the SSL mode I am maybe seeing some different behaviour - it occasionally seems to connect somewhat, but ultimately I see the 522 again.

RE the domain; if you can see the logon pages for these then it’s fine:
https://hass.homeai.co
https://sonarr.homeai.co

Cheers for your help!!

Matt

I, too, get a connection timeout for both hosts. The most likely case would be that something on your server prevents Cloudflare from connecting. I'd flush all firewall rules and try to check if it can connect if there is no security layer in between. If it still can't, the error must be somewhere else. If it can, you'd know something in your firewall keeps Cloudflare from connecting.
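A 522 means Cloudflare's edge could not complete a TCP connection to the origin, so the question raised above (is the allow-list of Cloudflare subnets complete, and does any deny rule override it?) is the one worth answering mechanically before tearing down the firewall. The script below is an added example, not code from the thread or from Cloudflare: it takes the proxy's published IP ranges and the origin firewall's allow and deny rules as CIDR strings and reports which parts of the edge ranges no allow rule covers, plus any deny rule that overlaps an edge range (which under a deny-wins policy would block those edges regardless of the allow-list). The edge ranges and firewall rules embedded here are constructed placeholders (RFC 5737 test networks); in practice the real edge list comes from https://www.cloudflare.com/ips-v4 and the rules from your firewall export.

```python
import ipaddress
from typing import Iterable, List, Tuple

# Constructed placeholder ranges standing in for the proxy's published edge list.
# The real list lives at https://www.cloudflare.com/ips-v4 and changes over time,
# so fetch it rather than hardcoding it.
EDGE_RANGES_SAMPLE = [
    "198.51.100.0/24",   # TEST-NET-2, placeholder
    "203.0.113.0/24",    # TEST-NET-3, placeholder
    "192.0.2.0/24",      # TEST-NET-1, placeholder
]

# Constructed firewall policy. The second allow rule covers only half of an
# edge range, and the deny rule punches a hole in an otherwise allowed range.
ALLOW_RULES_SAMPLE = ["198.51.100.0/24", "203.0.113.0/25"]
DENY_RULES_SAMPLE = ["198.51.100.64/26"]


def uncovered(edge_ranges: Iterable[str], allow_rules: Iterable[str]) -> List[str]:
    """Return the parts of each edge range that no allow rule covers (IPv4 only).

    Allow rules are collapsed first so overlapping rules are handled once; each
    edge range is then carved down by the allow networks that intersect it.
    """
    allowed = list(ipaddress.collapse_addresses(
        ipaddress.ip_network(r) for r in allow_rules))
    gaps = []
    for edge in map(ipaddress.ip_network, edge_ranges):
        remaining = [edge]
        for a in allowed:
            next_remaining = []
            for piece in remaining:
                if piece.subnet_of(a):
                    continue                      # fully allowed, nothing left to cover
                if a.subnet_of(piece):
                    # Allow rule sits inside this piece: keep what is outside it.
                    next_remaining.extend(piece.address_exclude(a))
                else:
                    next_remaining.append(piece)  # disjoint networks never partially overlap
            remaining = next_remaining
        gaps.extend(remaining)
    return sorted(str(g) for g in ipaddress.collapse_addresses(gaps))


def denied_overlaps(edge_ranges: Iterable[str], deny_rules: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (deny_rule, edge_range) pairs where a deny rule touches an edge range."""
    hits = []
    for d in map(ipaddress.ip_network, deny_rules):
        for edge in map(ipaddress.ip_network, edge_ranges):
            if d.overlaps(edge):
                hits.append((str(d), str(edge)))
    return hits


def audit(edge_ranges, allow_rules, deny_rules) -> dict:
    """Summarise both findings; an empty result means the firewall admits every edge."""
    return {
        "uncovered": uncovered(edge_ranges, allow_rules),
        "denied": denied_overlaps(edge_ranges, deny_rules),
    }


if __name__ == "__main__":
    report = audit(EDGE_RANGES_SAMPLE, ALLOW_RULES_SAMPLE, DENY_RULES_SAMPLE)
    for gap in report["uncovered"]:
        print(f"edge range not allowed: {gap}")
    for rule, edge in report["denied"]:
        print(f"deny rule {rule} overlaps edge range {edge}")
```

With the constructed inputs the audit reports 192.0.2.0/24 as entirely missing from the allow-list, 203.0.113.128/25 as the half that the /25 rule leaves out, and the /26 deny rule as overlapping the first edge range. An empty report does not prove the path is open (a router that is not forwarding 80/443 at all, as turned out to be the case later in this thread, is invisible to a rule audit), but it rules out the firewall allow-list as the cause.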

Thanks so much for your efforts @sandro - I went through an exasperating process of elimination, and found that ports 80 and 443 are not being forwarded by my router from WAN to LAN - even after a factory reset, update, reconfigure etc. All other ports are forwarding fine. I have been through enough hours and factory resets to deduce that a replacement router is the easiest solution.

Just an idea, could it be the router automatically reserves these ports for its own web management console (if there is one)? If that is the case, maybe try disabling it and the forwards might work.

Yes that’s very insightful - indeed one of my struggles was finding the configuration file that was holding 80 & 443 for redirection to the admin console port.

Unfortunately, freeing these ports up has not resulted in the correct redirection. It's very frustrating; redirecting 443 was working until at least several weeks ago. I have been having so many issues with this router lately that I'm happy to spring for a new Google WiFi :slight_smile:

Which router is it?

It is a Synology rt1900ac - which has been both very powerful and interesting and yet problematic from the start.

Lately it's really been sub-par. I have a lot of IoT items around the house and they have not been connecting that well at all, despite several factory resets. Plus I have a lot of dark spots. The fact that I cannot forward 80 and 443 is new though. Time for something new I think.

A quick search didn't reveal all too much, however I came across some VPN Plus package which is supposed to do something in regard to 443 (not sure if 80 as well), though I am not sure if it reserves it or does the exact opposite. Maybe worth trying.
