Error 522 from cURL and 502 in browser


#1

I have a pretty simple CF config:

  1. DNS “A” record pointing my domain name to my server at home (DNS + HTTP proxy)
  2. A couple of DNS “CNAME”s aliasing “www” and “droneci” to the same “A” record (DNS + HTTP proxy)
  3. I have a droneci server (standard web server listening on port 443) running on a host at home

I’ve verified (multiple times) that the droneci server is running on my host at port 443. My FW config port-forwards WAN port 443 to port 443 of my droneci server. In fact, if I simply define a /etc/hosts entry pointing droneci.mydomain.us to my home server’s IP address, whether I hit it with a browser or use cURL, all works just fine. (NOTE: mydomain.us is NOT my actual domain name - I just didn’t want to post my domain name publicly here)

But as soon as I remove the /etc/hosts entry, which forces use of CF configs, in the browser I get a 502 error, and using cURL I get an error 522.

In fact, all I have to do in CF DNS config UI is turn off HTTP proxy for either of the CNAMEs and my requests work just great. But using CF’s HTTP proxy, I get these errors.

I’ve read through the troubleshooting steps for both of these errors and there’s nothing I can see I’m doing wrong. I did however notice 2 things:

  1. With CF HTTP proxy turned ON, nslookup for my domain name returns: 104.18.52.127, and 104.18.53.127. Neither of these 2 IPs appear in the CF IPs page: https://www.cloudflare.com/ips/

  2. A traceroute from my local machine to my droneci.mydomain.us is full of “*” in the output:
    (NOTE: Once again, mydomain.us is NOT my actual domain name - The output from traceroute is from the actual domain name.)

$ traceroute droneci.mydomain.us
traceroute to droneci.mydomain.us (104.18.52.127), 30 hops max, 60 byte packets
1 * * *
2 * * *
3 * * *
4 * * *
5 * * *
6 * * *
7 * * *
8 * * *
9 * * *
10 * * *
11 * * *
12 * * *
13 * * *
14 * * *
15 * * *
16 * * *
17 * * *
18 * * *
19 * * *
20 * * *
21 * * *
22 * * *
23 * * *
24 * * *
25 * * *
26 * * *
27 * * *
28 * * *
29 * * *
30 * * *

Does anyone have any suggestions/clues as to anything else I can do to diagnose the issue? Because as of right now my droneci server works perfectly fine IF I turn off CF HTTP proxy, which tells me my HTTP service, FW routing config, and all that is just fine.

Here’s another diagnostic piece of info as suggested by the support docs:

REQUEST: https://droneci.mydomain.us/cdn-cgi/trace
RESPONSE:
fl=4f334
h=droneci.mydomain.us
ip=216.113.160.77
ts=1533574268.028
visit_scheme=https
uag=Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0
colo=SJC
spdy=off
http=http/1.1
loc=US

Thanks.


#2

You have Cloudflare set to use Flexible SSL, which means HTTPS requests to Cloudflare are proxied on port 80 to your origin. Your origin however is not listening on port 80. It is however listening on port 443, so changing the SSL to Full on the Crypto tab should work assuming the origin has a cert of some kind installed.

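The port mismatch described in the reply above, as an added diagnostic script that is not from this thread or from Cloudflare: it maps each SSL/TLS mode to the scheme and port Cloudflare uses towards the origin (Flexible → plain HTTP on 80, Full and Full (strict) → HTTPS on 443, strict also verifying the origin certificate), probes the origin the same way, and reports what a visitor should expect. The mode names, the `diagnose` function and the host `origin.example` are assumptions for illustration.

```python
"""Check whether an origin is reachable the way Cloudflare's proxy will connect to it."""
import socket
import ssl
import sys

# Cloudflare SSL/TLS mode -> (scheme used to the origin, origin port, verify origin cert).
# Flexible terminates TLS at the edge and talks plain HTTP to the origin on port 80;
# Full and Full (strict) connect to the origin over HTTPS on port 443.
ORIGIN_BY_MODE = {
    "off":         ("http",  80,  False),
    "flexible":    ("http",  80,  False),
    "full":        ("https", 443, False),
    "full_strict": ("https", 443, True),
}


def tcp_probe(host, port, timeout=3.0):
    """Return 'open', 'refused', 'timeout' or 'unreachable' for a TCP connect to host:port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"            # port closed (RST); Cloudflare would report a 52x
    except (TimeoutError, socket.timeout):
        return "timeout"            # typical when the firewall does not forward the port
    except OSError:
        return "unreachable"        # DNS failure, no route, etc.


def tls_probe(host, port, verify, timeout=3.0):
    """Return 'ok' when a TLS handshake succeeds; verify=True mirrors Full (strict)."""
    ctx = ssl.create_default_context()
    if not verify:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return "ok"
    except ssl.SSLError as exc:
        return f"tls_error:{exc.reason}"
    except OSError as exc:
        return f"conn_error:{type(exc).__name__}"


def diagnose(mode, host, probe=tcp_probe):
    """Predict what a visitor sees for the given Cloudflare mode, based on a probe of the origin."""
    scheme, port, verify = ORIGIN_BY_MODE[mode]
    state = probe(host, port)
    if state == "open":
        verdict = "origin accepts the proxied connection"
    else:
        verdict = f"Cloudflare cannot reach {scheme}://{host}:{port} ({state}); visitors get a 52x error"
    return {"mode": mode, "scheme": scheme, "port": port, "verify": verify, "state": state, "verdict": verdict}


if __name__ == "__main__":
    # Usage: python check_origin.py <mode> <origin-host-or-ip>   (constructed example invocation)
    result = diagnose(sys.argv[1], sys.argv[2])
    print(result["verdict"])
```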

#3

Thank you very much for that suggestion. That totally fixed it! :grinning: I already had a proper SSL cert from Let’s Encrypt for my domain name, but I didn’t even know about CF’s handling of HTTPS requests being proxied on port 80 with the Crypto setting. I set the Crypto setting to “Full (strict)” and it’s working great now.

Thanks a bunch for your quick reply. :blush:

