Error 522 when proxied, when DNS only it works fine

I’ve read the possible fixes for error 522 and I don’t know what my error is. My htaccess is not blocking Cloudflare IPs, and in iptables I don’t see any block on Cloudflare IPs in my firewall either. The web server is Apache with a fresh installation of Nextcloud. I can’t figure out why this is happening.

This is my htaccess:

<IfModule mod_headers.c>
  <IfModule mod_setenvif.c>
    <IfModule mod_fcgid.c>
       SetEnvIfNoCase ^Authorization$ "(.+)" XAUTHORIZATION=$1
       RequestHeader set XAuthorization %{XAUTHORIZATION}e env=XAUTHORIZATION
    </IfModule>
    <IfModule mod_proxy_fcgi.c>
       SetEnvIfNoCase Authorization "(.+)" HTTP_AUTHORIZATION=$1
    </IfModule>
    <IfModule mod_lsapi.c>
      SetEnvIfNoCase ^Authorization$ "(.+)" XAUTHORIZATION=$1
      RequestHeader set XAuthorization %{XAUTHORIZATION}e env=XAUTHORIZATION
    </IfModule>
  </IfModule>

  <IfModule mod_env.c>
    # Add security and privacy related headers

    # Avoid doubled headers by unsetting headers in "onsuccess" table,
    # then add headers to "always" table: https://github.com/nextcloud/server/pull/19002
    Header onsuccess unset Referrer-Policy
    Header always set Referrer-Policy "no-referrer"

    Header onsuccess unset X-Content-Type-Options
    Header always set X-Content-Type-Options "nosniff"

    Header onsuccess unset X-Download-Options
    Header always set X-Download-Options "noopen"

    Header onsuccess unset X-Frame-Options
    Header always set X-Frame-Options "SAMEORIGIN"

    Header onsuccess unset X-Permitted-Cross-Domain-Policies
    Header always set X-Permitted-Cross-Domain-Policies "none"

    Header onsuccess unset X-Robots-Tag
    Header always set X-Robots-Tag "none"

    Header onsuccess unset X-XSS-Protection
    Header always set X-XSS-Protection "1; mode=block"

    SetEnv modHeadersAvailable true
  </IfModule>

  # Add cache control for static resources
  <FilesMatch "\.(css|js|svg|gif|png|jpg|ico|wasm|tflite)$">
    Header set Cache-Control "max-age=15778463"
  </FilesMatch>

  # Let browsers cache WOFF files for a week
  <FilesMatch "\.woff2?$">
    Header set Cache-Control "max-age=604800"
  </FilesMatch>
</IfModule>

# PHP 7.x
<IfModule mod_php7.c>
  php_value mbstring.func_overload 0
  php_value default_charset 'UTF-8'
  php_value output_buffering 0
  <IfModule mod_env.c>
    SetEnv htaccessWorking true
  </IfModule>
</IfModule>

# PHP 8+
<IfModule mod_php.c>
  php_value mbstring.func_overload 0
  php_value default_charset 'UTF-8'
  php_value output_buffering 0
  <IfModule mod_env.c>
    SetEnv htaccessWorking true
  </IfModule>
</IfModule>

<IfModule mod_mime.c>
  AddType image/svg+xml svg svgz
  AddType application/wasm wasm
  AddEncoding gzip svgz
</IfModule>

<IfModule mod_dir.c>
  DirectoryIndex index.php index.html
</IfModule>

<IfModule pagespeed_module>
  ModPagespeed Off
</IfModule>

<IfModule mod_rewrite.c>
  RewriteEngine on
  RewriteCond %{HTTP_USER_AGENT} DavClnt
  RewriteRule ^$ /remote.php/webdav/ [L,R=302]
  RewriteRule .* - [env=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
  RewriteRule ^\.well-known/carddav /remote.php/dav/ [R=301,L]
  RewriteRule ^\.well-known/caldav /remote.php/dav/ [R=301,L]
  RewriteRule ^remote/(.*) remote.php [QSA,L]
  RewriteRule ^(?:build|tests|config|lib|3rdparty|templates)/.* - [R=404,L]
  RewriteRule ^\.well-known/(?!acme-challenge|pki-validation) /index.php [QSA,L]
  RewriteRule ^(?:\.(?!well-known)|autotest|occ|issue|indie|db_|console).* - [R=404,L]
</IfModule>

AddDefaultCharset utf-8
Options -Indexes
#### DO NOT CHANGE ANYTHING ABOVE THIS LINE ####

ErrorDocument 403 //
ErrorDocument 404 //

Allow from 173.245.48.0/20
Allow from 103.21.244.0/22
Allow from 103.22.200.0/22
Allow from 103.31.4.0/22
Allow from 141.101.64.0/18
Allow from 108.162.192.0/18
Allow from 190.93.240.0/20
Allow from 188.114.96.0/20
Allow from 197.234.240.0/22
Allow from 198.41.128.0/17
Allow from 162.158.0.0/15
Allow from 104.16.0.0/12
Allow from 172.64.0.0/13
Allow from 131.0.72.0/22

And I did a traceroute when proxied, just in case:

traceroute to cloud.gferreiro.com (104.21.35.213), 64 hops max
  1   192.168.0.1  0.424ms  0.295ms  0.296ms
  2   10.24.80.1  13.742ms  11.104ms  13.325ms
  3   *  *  *
  4   *  *  *
  5   195.10.44.1  17.397ms  17.922ms  17.879ms
  6   195.2.30.185  40.798ms  41.856ms  43.852ms
  7   195.2.30.210  30.230ms  33.299ms  35.711ms
  8   195.2.21.186  44.179ms  40.358ms  39.633ms
  9   195.2.19.106  40.980ms  39.632ms  44.876ms
 10   188.114.100.9  43.004ms  40.380ms  40.076ms
 11   104.21.35.213  38.264ms  39.000ms  39.943ms

Thanks for your time.
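A 522 is a connection-level failure (the edge never completed a TCP connection to the origin), so an .htaccess allow-list cannot cause it; it would produce a 403 instead. Still, the allow-list above is the first thing readers of this thread will want to verify, so here is an added example, not code from the poster, Nextcloud or Cloudflare, that checks it with Python's stdlib. ALLOW_FROM_SNIPPET is the tail of the posted .htaccess; CLOUDFLARE_IPV4 is the same 14 ranges, used as a stand-in for the live list (assumption: in practice fetch https://www.cloudflare.com/ips-v4 and compare against that). The two observed IPs are the last Cloudflare hop in the traceroute and the proxied A record.

```python
"""Does the origin's allow-list cover every Cloudflare edge range?

Added example for this thread, not code from the poster, Nextcloud or Cloudflare.
ALLOW_FROM_SNIPPET is the tail of the .htaccess posted above; CLOUDFLARE_IPV4 is
the same 14 ranges, used as a stand-in for the live list (assumption: fetch
https://www.cloudflare.com/ips-v4 for the current one in practice).
"""
import ipaddress
import re

# Copied from the .htaccess posted in the thread
ALLOW_FROM_SNIPPET = """\
Allow from 173.245.48.0/20
Allow from 103.21.244.0/22
Allow from 103.22.200.0/22
Allow from 103.31.4.0/22
Allow from 141.101.64.0/18
Allow from 108.162.192.0/18
Allow from 190.93.240.0/20
Allow from 188.114.96.0/20
Allow from 197.234.240.0/22
Allow from 198.41.128.0/17
Allow from 162.158.0.0/15
Allow from 104.16.0.0/12
Allow from 172.64.0.0/13
Allow from 131.0.72.0/22
"""

# Reference ranges (same values as above; replace with the fetched list in practice)
CLOUDFLARE_IPV4 = [
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/12",
    "172.64.0.0/13", "131.0.72.0/22",
]

# Last Cloudflare hop in the thread's traceroute and the proxied A record
OBSERVED_EDGE_IPS = ["188.114.100.9", "104.21.35.213"]

# Matches 2.2-style "Allow from <addr|cidr> [<addr|cidr> ...]" lines
ALLOW_RE = re.compile(r"^\s*Allow\s+from\s+(.+?)\s*$", re.IGNORECASE | re.MULTILINE)


def parse_allow_list(htaccess_text):
    """Extract the networks named by 'Allow from' lines (CIDR or single addresses)."""
    nets = []
    for line in ALLOW_RE.findall(htaccess_text):
        for token in line.split():
            if token.lower() == "all":
                token = "0.0.0.0/0"
            nets.append(ipaddress.ip_network(token, strict=False))
    return nets


def uncovered_ranges(allowed, required):
    """Required networks that no single allowed network fully contains."""
    missing = []
    for req in required:
        req_net = ipaddress.ip_network(req, strict=False)
        same_family = [a for a in allowed if a.version == req_net.version]
        if not any(req_net.subnet_of(a) for a in same_family):
            missing.append(str(req_net))
    return missing


def is_allowed(ip, allowed):
    """True if one address (e.g. an edge IP seen in a log) falls inside the list."""
    addr = ipaddress.ip_address(ip)
    return any(addr in a for a in allowed if a.version == addr.version)


def to_require_ip(allowed):
    """Apache 2.4 form of the same list; Allow/Deny need mod_access_compat there."""
    body = "\n".join(f"  Require ip {a}" for a in allowed)
    return f"<RequireAny>\n{body}\n</RequireAny>"


if __name__ == "__main__":
    allowed = parse_allow_list(ALLOW_FROM_SNIPPET)
    print("missing ranges:", uncovered_ranges(allowed, CLOUDFLARE_IPV4) or "none")
    for ip in OBSERVED_EDGE_IPS:
        print(f"{ip} allowed: {is_allowed(ip, allowed)}")
    print(to_require_ip(allowed))
```

Two caveats when reading the result: `Allow from` lines without a matching `Order`/`Deny` restrict nothing, so the list above is permissive as written, and on Apache 2.4 those directives only parse when mod_access_compat is loaded (otherwise the .htaccess itself fails). The `to_require_ip` output is the 2.4-native equivalent if a real restriction is wanted.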

Greetings,

Thank you for asking.

I am sorry to hear you are experiencing some Error 522 from time to time.

Do they occur when you are downloading and/or uploading something? :thinking:
If the download or uploading process exceeded the default 100s set at Cloudflare, that might be the cause of it.

Furthermore, before moving to Cloudflare, was your Website working over HTTPS connection?

May I ask what SSL option you have selected under the SSL/TLS tab in the Cloudflare dashboard for your domain (Flexible, Full, Full Strict …)?

Hi! Thanks for your reply.
Upload and download speeds are correct if I set DNS only; if I toggle the proxy button, it straight away goes to error 522.
The thing I didn’t mention was that I’m using Nginx Proxy Manager, and yes, it works with HTTPS if I set DNS only.
The installation of Apache and Nextcloud is fresh; not a lot is configured. I use SSL/TLS in Full with self-signed certificates with Let’s Encrypt. If you need me to provide any configuration file, I’m willing to post it.

Are the files large in file size? And what type are they, zip, video mp4 …? :thinking:

I just uploaded a 2GB file fine with DNS only toggled. When I toggle proxy, it doesn’t even connect to the server.

Right, here is the trick.

By default, you are allowed to upload 100MB for a proxied :orange: hostname (DNS record) in a single request.

Cloudflare limits the upload size (HTTP POST request size) per plan type:

  • 100MB Free and Pro
  • 200MB Business
  • 500MB Enterprise by default. Contact Customer Support to request a limit increase.

Source article:

Otherwise, if you are on Business or Enterprise plan, you can increase this (Business up to 200MB and Enterprise 500MB or larger upon request) and upload larger files.

I’d suggest you either split it into smaller chunks, or continue using the unproxied :grey: (DNS-only) hostname (DNS record) when you are uploading such large files. After you finish, switch back to :orange:.


Oh, that’s nice to know. But the thing is that I can’t even get to the login screen when proxied; I don’t know if this is the case or another one.

:+1:

That’s a bit weird :thinking:

Didn’t Let’s Encrypt issue a valid SSL certificate which covers your domain and/or naked domain + sub-domains (if you use them)? :thinking:

You could determine this by:

  1. Use the “Pause Cloudflare on Site” option from the Overview tab for your domain at dash.cloudflare.com .
  2. The link is in the lower right corner of that page.
  3. Give it five minutes to take effect, then make sure the site is working as expected over HTTPS without any error.
  4. Check with your hosting provider / cPanel AutoSSL / Let’s Encrypt / Certbot / ACME and renew it.
  5. Only then, when your website responds over HTTPS, you should un-pause Cloudflare and double-check your SSL/TLS setting to make sure it’s Full (Strict).

Can you re-check if your SSL certificate is a valid one for your domain name?

What do you get when you run the command below in your terminal/console? Just change example.com to yourdomain.com and 123.123.123.123 to your origin host/server IP:

  • curl -svo /dev/null --resolve example.com:443:123.123.123.123 https://example.com/

If true and if the SSL cert is valid or if you can get a valid one with LE, (not sure why LE issued a self-signed one?), what happens when you switch from Full to Full (Strict)? :thinking:
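The `curl --resolve` check above can be scripted so the same facts (issuer, expiry, hostname coverage, chain verification) come back as data rather than as a wall of handshake output. The following is an added example, not code from the poster or Cloudflare, using only Python's stdlib. SAMPLE_CERT is constructed from the fields curl prints further down in this thread and has the shape that `ssl.SSLSocket.getpeercert()` returns; SAMPLE_NOW is the `date` header of that same response. Assumption in `recommended_mode`: Full (Strict) needs a certificate that chains to a publicly trusted CA, is unexpired and matches the hostname, while Full also accepts self-signed or expired ones.

```python
"""Check an origin certificate the way a Full (Strict) edge would, and summarize it.

Added example for this thread, not code from the poster or Cloudflare. SAMPLE_CERT
is constructed from the curl output in the thread, in getpeercert() shape; SAMPLE_NOW
is the 'date' header of that response. Assumption: Full (Strict) requires a CA-signed,
unexpired, hostname-matching certificate; Full accepts self-signed/expired ones.
"""
import socket
import ssl
from datetime import datetime, timezone

SAMPLE_CERT = {
    "subject": ((("commonName", "cloud.gferreiro.com"),),),
    "issuer": ((("countryName", "US"),), (("organizationName", "Let's Encrypt"),),
               (("commonName", "R3"),)),
    "notBefore": "Feb 14 16:00:54 2022 GMT",
    "notAfter": "May 15 16:00:53 2022 GMT",
    "subjectAltName": (("DNS", "cloud.gferreiro.com"),),
}
SAMPLE_NOW = datetime(2022, 2, 15, 2, 36, 35, tzinfo=timezone.utc)


def _rdn(name, key):
    """Pull one attribute (e.g. commonName) out of a getpeercert() name tuple."""
    for rdn in name:
        for k, v in rdn:
            if k == key:
                return v
    return None


def covers_hostname(cert, hostname):
    """DNS SAN match, allowing a single leftmost wildcard label as browsers do."""
    host = hostname.lower().rstrip(".")
    for kind, value in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        pattern = value.lower()
        if pattern == host:
            return True
        if pattern.startswith("*.") and "." in host:
            if host.split(".", 1)[1] == pattern[2:]:
                return True
    return False


def summarize_cert(cert, hostname, now):
    """The facts an SSL/TLS-mode decision needs, from a parsed certificate."""
    not_after = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]),
                                       tz=timezone.utc)
    return {
        "subject_cn": _rdn(cert["subject"], "commonName"),
        "issuer": f'{_rdn(cert["issuer"], "organizationName")} / {_rdn(cert["issuer"], "commonName")}',
        "self_signed": cert["subject"] == cert["issuer"],
        "days_left": (not_after - now).days,
        "covers_host": covers_hostname(cert, hostname),
    }


def recommended_mode(summary, chain_verified):
    """Strict only when the chain verified and the cert is CA-signed, unexpired and matching."""
    if (chain_verified and not summary["self_signed"]
            and summary["days_left"] > 0 and summary["covers_host"]):
        return "Full (Strict)"
    return "Full"


def probe_origin(hostname, ip, port=443, timeout=10):
    """Equivalent of curl --resolve: TCP to the origin IP, SNI = hostname, verify chain.

    Returns (summary, chain_verified, error_message)."""
    ctx = ssl.create_default_context()  # system CA store + hostname check
    try:
        with socket.create_connection((ip, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
                summary = summarize_cert(tls.getpeercert(), hostname,
                                         datetime.now(timezone.utc))
                summary["tls_version"] = tls.version()
                return summary, True, None
    except ssl.SSLCertVerificationError as exc:
        # Chain or hostname failed: this origin would break under Full (Strict)
        return None, False, exc.verify_message
    except (OSError, socket.timeout) as exc:
        # No TCP/TLS at all: the edge would report a 52x, not a certificate problem
        return None, False, str(exc)


if __name__ == "__main__":
    import sys
    host, ip = (sys.argv[1], sys.argv[2]) if len(sys.argv) == 3 else (
        "cloud.gferreiro.com", "84.127.195.218")  # values from the thread
    summary, ok, err = probe_origin(host, ip)
    print(summary or err, "->", recommended_mode(summary, ok) if summary else "fix origin first")
```

Run it as `python3 probe.py yourdomain.com 123.123.123.123`. A `(None, False, ...)` result with an OS-level error is the same symptom class as a 522 (nothing answered on the port from this vantage point); a verification error with a summary of `None` means the edge would accept the origin under Full but not under Full (Strict).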

Okay, I did test all the things you wrote; I can connect without problems and I have an HTTPS connection. I only have one certificate; it’s for a subdomain, cloud.gferreiro.com.

For the command you gave me, this is the output:

[email protected]:~$ curl -svo /dev/null --resolve cloud.gferreiro.com:443:84.127.195.218 https://cloud.gferreiro.com/
* Added cloud.gferreiro.com:443:84.127.195.218 to DNS cache
* Hostname cloud.gferreiro.com was found in DNS cache
*   Trying 84.127.195.218:443...
* TCP_NODELAY set
* Connected to cloud.gferreiro.com (84.127.195.218) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* TLSv1.3 (IN), TLS handshake, Server hello (2):
{ [122 bytes data]
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
{ [19 bytes data]
* TLSv1.3 (IN), TLS handshake, Certificate (11):
{ [2477 bytes data]
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
{ [110 bytes data]
* TLSv1.3 (IN), TLS handshake, Finished (20):
{ [52 bytes data]
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
} [1 bytes data]
* TLSv1.3 (OUT), TLS handshake, Finished (20):
} [52 bytes data]
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=cloud.gferreiro.com
*  start date: Feb 14 16:00:54 2022 GMT
*  expire date: May 15 16:00:53 2022 GMT
*  subjectAltName: host "cloud.gferreiro.com" matched cert's "cloud.gferreiro.com"
*  issuer: C=US; O=Let's Encrypt; CN=R3
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
} [5 bytes data]
* Using Stream ID: 1 (easy handle 0x5628e425fe30)
} [5 bytes data]
> GET / HTTP/2
> Host: cloud.gferreiro.com
> user-agent: curl/7.68.0
> accept: */*
>
{ [5 bytes data]
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
{ [265 bytes data]
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
{ [265 bytes data]
* old SSL session ID is stale, removing
{ [5 bytes data]
* Connection state changed (MAX_CONCURRENT_STREAMS == 128)!
} [5 bytes data]
< HTTP/2 302
< server: openresty
< date: Tue, 15 Feb 2022 02:36:35 GMT
< content-type: text/html; charset=UTF-8
< content-length: 0
< location: https://cloud.gferreiro.com/index.php/login
< referrer-policy: no-referrer
< x-content-type-options: nosniff
< x-download-options: noopen
< x-frame-options: SAMEORIGIN
< x-permitted-cross-domain-policies: none
< x-robots-tag: none
< x-xss-protection: 1; mode=block
< set-cookie: oc8hyfzc1y7e=cr86crp6mn30toqn1nbdg7r4eq; path=/; secure; HttpOnly; SameSite=Lax
< expires: Thu, 19 Nov 1981 08:52:00 GMT
< cache-control: no-store, no-cache, must-revalidate
< pragma: no-cache
< set-cookie: oc_sessionPassphrase=Jg%2FCi1b4LcbYHlr%2F1P%2FA%2Fd5njy6jKdlCjyA4QR6%2FT5lDfd8f31VcAFnfmU1oPoQ7IEZdtSw4oAyN6K5ZzhlvjtSA4GIJvZ2BRDdi0lt77lytTLIfWP%2BO4axpdmWwXh4h; path=/; secure; HttpOnly; SameSite=Lax
< set-cookie: oc8hyfzc1y7e=ndbauesof2vqugmk1t9ui6i3n3; path=/; secure; HttpOnly; SameSite=Lax
< content-security-policy: default-src 'self'; script-src 'self' 'nonce-SjhRUGJsTVpKc2dxSFd6QzBLQzZZRTFmN0hPR01yTCttalNJUWpHVzVxcz06YnZ4bFh3TWdFSkpDVVMySjU4TElPaFVlaVNYdEF2eU13RmJsZFFQRjBlND0='; style-src 'self' 'unsafe-inline'; frame-src *; img-src * data: blob:; font-src 'self' data:; media-src *; connect-src *; object-src 'none'; base-uri 'self';
< set-cookie: __Host-nc_sameSiteCookielax=true; path=/; httponly;secure; expires=Fri, 31-Dec-2100 23:59:59 GMT; SameSite=lax
< set-cookie: __Host-nc_sameSiteCookiestrict=true; path=/; httponly;secure; expires=Fri, 31-Dec-2100 23:59:59 GMT; SameSite=strict
< x-served-by: cloud.gferreiro.com
<
{ [0 bytes data]
* Connection #0 to host cloud.gferreiro.com left intact
