Error 521 only when passing through São Paulo

My website doesn’t work when trying to access it from Brazil, specifically when passing through the São Paulo node.

Using a VPN with a US IP it works perfectly.

Domain: cloudstorm.directory

That implies your origin is rate limiting or blocking some of the Cloudflare IP ranges (different IPs are used in different Cloudflare locations).

Check your firewall configuration and talk to your hosting provider to ensure all of cloudflare.com/ips are fully allowlisted through any devices that block or rate limit packets / connections.

No Rate Limiting and no IP restriction enabled; I had no time to set up these features yet because CF doesn’t allow me to test my app properly since yesterday.

Have you written to your host to confirm this? I can almost guarantee you that something on your server or in your host’s network is the cause here, hence you needing to allowlist everything on cloudflare.com/ips

1 Like

Hi Simon, I appreciate you’re trying, but I’m sure, let me describe the details:

  • Hosted on AWS
  • Security groups enabled to ports 443 and 80 with 0.0.0.0/0 source IPs
  • No proxy between ELB and EC2 instance
  • When disabling CF for this domain I can access from Brazil, otherwise the only way to open the website is routing via VPN using IPs from outside of Brazil

From Brazil

1 Like

I will DM you - if you provide your server IP I can show you more details.

For anyone else following along, Port 80 was showing a consistent TCP connection refusal - meaning a TCP RST packet is sent back to Cloudflare from the origin, causing the HTTP 521 error.

To fix this, choosing Full Strict SSL (if you have a valid origin cert and intend to keep it up to date) is the best approach if Port 443 is accessible. If you must use Flexible SSL, then Port 80 has to be accessible to at least the Cloudflare IP ranges.

2 Likes
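The distinction drawn in the post above, a refused connection (RST) versus an open or silently filtered port, can be checked per SSL mode with a short script; this is an added example, not part of the original thread. The function names, the `MODE_PORT` table and the default `127.0.0.1` target are assumptions made for the illustration.

```python
import socket

# Origin port Cloudflare connects to in each SSL mode, as described in the thread:
# Flexible uses plain HTTP on 80; Full and Full (strict) use HTTPS on 443.
MODE_PORT = {"flexible": 80, "full": 443, "full_strict": 443}


def probe(host, port, timeout=3.0):
    """Classify one TCP connect attempt: 'open', 'refused', 'timeout' or 'error'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"          # three-way handshake completed
    except ConnectionRefusedError:
        return "refused"           # peer answered the SYN with a RST
    except socket.timeout:
        return "timeout"           # no answer: SYN dropped or filtered
    except OSError:
        return "error"             # unreachable network, DNS failure, ...


def check_origin(host, mode, port_map=MODE_PORT, timeout=3.0):
    """Probe the port that matters for `mode` and explain the result."""
    port = port_map[mode]
    state = probe(host, port, timeout)
    notes = {
        "open": "port accepts connections from this vantage point",
        "refused": "origin sent RST; through Cloudflare this surfaces as HTTP 521",
        "timeout": "no reply; look for a firewall or security group dropping packets",
        "error": "could not attempt the connection; check DNS and routing",
    }
    return port, state, notes[state]


if __name__ == "__main__":
    import sys
    # Hypothetical usage: pass your own origin IP; 127.0.0.1 is only a placeholder.
    origin = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    for mode in MODE_PORT:
        print(mode, *check_origin(origin, mode))
```

A result from your own machine reflects only that one vantage point; the origin may answer Cloudflare's IP ranges differently, which is why the thread relied on a multi-location TCP test.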

As for that: @wesley.milan Why flexible SSL mode is not the best choice

Problem resolved by enabling Full SSL. I don’t know why, but even with port 80 completely open it was refusing connections, so the best option is always to use Full SSL.

Here is the tool that Simon used to show me the problem; if anyone else is having similar problems, you can test your application using https://tcp.ping.pe

Thank you Simon one more time

1 Like

Should be Full Strict, Full is still insecure.

1 Like

Sorry, my bad, it is Full Strict

Glad you’re up & running! :slight_smile:
