Domain through DNS-only OK, but not proxied

I have my domain through domain.com and have changed my NS over to the two provided by cloudflare.
I am able to gray cloud access my CNAME records for subdomains through https (it shows not secure) but I can see the page content.
If I turn on proxied (orange cloud) in DNS, I receive a 522 error and I see no incoming connections from cloudflare.
I ran the diagnostics on Cloudflare for one of the CNAME records that I can access via DNS-only. I turned it to proxied prior to running the test.

  • Check nameservers: Looking good!
  • Check DNSSEC config: no_dnssec_found
  • Check DS record: not_found_ds_record
  • Check if connecting to domain com works: Looking good!
  • Check if connecting to www domain com works: Looking good!
  • No MX record
  • Check for redirect loop: request_failed
  • HTTPS status: fail
  • Redirecting unencrypted HTTP traffic: request_failed
  • Check the status of encrypted traffic: Looking good!
  • Mixed content: request_failed
  • Check site speed (TTFB): request_failed

Any help would be greatly appreciated!

What does your CNAME point to? Something else in your own domain? Or is it outside your domain?

The CNAME records (subdomains) point back to the main domain.
CNAME record: Name - nextcloud | Content - maindomain.com | Proxy status - Proxied
A record: Name - maindomain.com | Content - IPv4 address | Proxy status - Proxied
Both of these result in 522 error.

CNAME record: Name - ombi | Content - maindomain.com | Proxy status - DNS only
This one lets me through with the other configuration left the same (but with a cert-not-secure error that I click proceed on anyway).

As far as those diagnostics, those align with what you’re seeing. DNSSEC can be ignored, as you most likely don’t have that enabled. The rest is just because of the 522.

I’m quite sure Cloudflare is still trying to reach your server. Which logs are you checking?

Since it’s NextCloud, are those subdomains on its trusted domain list?

Nextcloud was just an example. I have tried my grocy, sonarr, radarr, tautulli docker containers. DNS only “OK”, proxied through cloudflare and crickets.
I run an untangle router/firewall and I was monitoring every incoming session for anything over 443. DNS entries are port forwarded just fine to my Traefik container over 443, but no entries/records when cloudflare proxy is used.

Tried reaching out to Verizon FiOS last night to see if they are blocking any CF IPs but they were rather useless. I am not sure if there is a way for me to check.
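One way to answer the "am I seeing anything from Cloudflare at all" question from the firewall's own session records, as an added example that is not part of this thread or of any Cloudflare or Untangle tooling: classify each inbound session by whether its source address falls inside Cloudflare's published edge prefixes. The prefix list below is a snapshot included as an assumption so the script runs offline (refresh it from https://www.cloudflare.com/ips-v4 before relying on it), and the `key=value` session lines are constructed samples in a hypothetical layout, not Untangle's real export format.

```python
import ipaddress
import re
from collections import Counter

# Snapshot of Cloudflare IPv4 edge prefixes (assumption: may be stale; refresh from
# https://www.cloudflare.com/ips-v4 before using this against real logs).
CLOUDFLARE_V4_PREFIXES = [
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
]

# Constructed firewall session lines in a hypothetical key=value layout.
# 192.0.2.10 stands in for the origin's public IP.
SAMPLE_SESSIONS = [
    "2024-05-01T12:00:01Z proto=tcp src=104.16.1.10 sport=51234 dst=192.0.2.10 dport=443 action=allow",
    "2024-05-01T12:00:02Z proto=tcp src=198.51.100.7 sport=40000 dst=192.0.2.10 dport=443 action=allow",
    "2024-05-01T12:00:03Z proto=tcp src=172.64.2.3 sport=44444 dst=192.0.2.10 dport=80 action=allow",
    "2024-05-01T12:00:03Z kernel: link up on eth0",
    "2024-05-01T12:00:04Z proto=udp src=203.0.113.5 sport=53 dst=192.0.2.10 dport=53 action=drop",
]

SESSION_RE = re.compile(r"src=(?P<src>\S+)\s+sport=\d+\s+dst=\S+\s+dport=(?P<dport>\d+)")


def load_networks(prefixes):
    """Parse CIDR strings once so membership tests below are cheap."""
    return [ipaddress.ip_network(p, strict=False) for p in prefixes]


def is_cloudflare_ip(ip_text, networks):
    """True if ip_text is a valid address inside any of the given networks."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    # Mixed IPv4/IPv6 comparisons simply return False, which is what we want.
    return any(ip in net for net in networks)


def parse_session(line):
    """Extract source address and destination port; None for lines that do not match."""
    m = SESSION_RE.search(line)
    if not m:
        return None
    return {"src": m.group("src"), "dport": int(m.group("dport"))}


def classify_sessions(lines, networks):
    """Count sessions by (Cloudflare source?, port 443?) so the proxied-vs-direct picture is clear.

    cloudflare_443  : edge reached the origin on 443 (what you expect with orange cloud)
    direct_443      : someone hit 443 without going through Cloudflare (origin IP exposed)
    cloudflare_other: Cloudflare source on a non-443 port
    other           : everything else that parsed
    unparsed        : lines the regex did not understand
    """
    counts = Counter()
    for line in lines:
        s = parse_session(line)
        if s is None:
            counts["unparsed"] += 1
            continue
        from_cf = is_cloudflare_ip(s["src"], networks)
        if s["dport"] == 443 and from_cf:
            counts["cloudflare_443"] += 1
        elif s["dport"] == 443:
            counts["direct_443"] += 1
        elif from_cf:
            counts["cloudflare_other"] += 1
        else:
            counts["other"] += 1
    return dict(counts)


if __name__ == "__main__":
    nets = load_networks(CLOUDFLARE_V4_PREFIXES)
    for key, value in sorted(classify_sessions(SAMPLE_SESSIONS, nets).items()):
        print(f"{key:17s} {value}")
```

Reading the result: with the record orange-clouded, a `cloudflare_443` count of zero while the edge reports 522 means the edge's connections are not arriving at the firewall at all (wrong origin IP in the A record, or something upstream dropping them), whereas a non-zero count points the investigation at the origin side (Traefik, certificates, port forwards). A non-zero `direct_443` count is worth noting for later: once the proxy works, restricting 443 to the Cloudflare prefixes keeps the origin from being reachable around the proxy.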

It was definitely something with my certificates. I switched over to NginxProxyManager and utilized their DNS Challenge to hit cloudflare and that seems to have fixed it.

