Fetch from AWS API Gateway fails from worker with Error 525 revealing the origin URL in error page

I have a worker that gets its data from an AWS API Gateway endpoint.

While this works fine in the online Worker Editor, when it is deployed and the worker endpoint is invoked from the outside world it fails with the following error:

Error 525 Ray ID: 48c3984a64e49668 • 2018-12-20 16:48:09 UTC

SSL handshake failed

The AWS endpoint is in the following format: XXXXX.execute-api.us-east-1.amazonaws.com

I have verified from a browser by hitting the origin directly that the certificate is at least valid for the Chrome browser (the cert itself appears to be a wildcard one, served for all *.execute-api.us-east-1.amazonaws.com endpoints). As per the help page for 525, there may be other issues, e.g. the cipher suite used by AWS may not be supported by CF; that is something I need some help from CF to check.

The second problem is that the error page shown to end customers is revealing the origin. I’m hoping to use CF rate limiting to protect the endpoint and don’t want anyone else to know the real URL. So I would like to know how I can stop CF from doing this.

Any help / pointers on this are highly appreciated.

Assuming there is something wrong with the wildcard cert AWS presents, I created a custom domain and applied a custom certificate to it. I started using that endpoint in the worker; again it works fine from the Editor but in the real world fails with the following:

TypeError: Too many redirects.; urlList = ORIGIN_URL ,…ORIGIN_URL … 21 times


A little more about the custom domain: it’s a subdomain of my site (copy-paste.net) created as a CNAME to the AWS CloudFront subdomain they generated for me, with the custom certificate installed on it.
I can access that URL directly from a browser and curl and don’t see any redirections there.

For the SSL handshake error I believe there is something messed up with the AWS Virginia data center endpoint for my service; I also have this service in other data centers and the worker fetch works fine with those URLs.

As of today, none of the URLs (I have the service in around 10 AWS regions) work. I really don’t know what it is about the AWS URL that CF doesn’t like!

Final Update
Silly me, my understanding of the SSL options (Off, Flexible, Full, Full (Strict)) in the CF dashboard was all messed up, something I should have read about first. On setting it to Full I’m able to fetch from AWS API Gateway from my worker.


@abhiapsunde thank you so much! Setting my SSL mode to Full solved this issue for me as well.

Instead of connecting to an AWS API Gateway, I was connecting to an external Heroku instance.

I’d love for someone from Cloudflare to explain what’s going on here, as this was really, really difficult to track down. All of these requests work as expected locally and from other servers, just not when run from within my Cloudflare workers…

Same here. Spent a long time figuring it out.
But that “fix” doesn’t work for me, I need the “Flexible” setting for another use case :sweat:

You can configure SSL/TLS settings per path using Page Rules; my recommendation would be to set it to the highest possible setting (ideally Full (Strict)) and then lower it for the specific paths or subdomains if there is no other way to add a certificate at the origin.

Most often, if the origin supports HTTPS and correctly redirects to it, the redirect loop is caused by the fact that Cloudflare asks the origin for the content via HTTP, it gets a redirect to the HTTPS page, which is the same the user is already on, causing a redirect to itself, forever.
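Added example (not code from any poster in this thread, and not Cloudflare's own code): a Worker fetch wrapper that forces an https:// origin URL, follows redirects by hand with a hop cap and loop detection so the "Too many redirects" failure above is caught after a few hops instead of 21, treats 5xx responses from the origin fetch (including Cloudflare's own 52x origin errors, which the poster saw as a 525 page) as an upstream failure, and returns a generic 502 body so the real origin hostname never reaches the client. The origin host `origin.example.invalid` is a placeholder; `fetchImpl` is an injectable fetch so the logic can be exercised offline with a fake fetch.

```javascript
// Added example, not from the thread. Assumes a Cloudflare Worker runtime
// (fetch, Response, addEventListener) for the top-level hook; the helper
// functions themselves only need Node 10+ (URL) and an injected fetch.

const ORIGIN_HOST = "origin.example.invalid"; // placeholder, not a real origin
const MAX_REDIRECTS = 5;

// Rewrite the incoming request URL onto the origin, forcing https:// no matter
// which scheme the client used, so the origin is never asked over plain HTTP.
function buildOriginUrl(incomingUrl, originHost = ORIGIN_HOST) {
  const u = new URL(incomingUrl);
  u.protocol = "https:";
  u.hostname = originHost;
  u.port = "";
  return u.toString();
}

// Follow redirects manually. Returns { ok: true, response, hops } or
// { ok: false, reason, hops }. A redirect back to a URL already visited is
// reported as a loop immediately rather than after the runtime's own limit.
async function fetchOrigin(url, fetchImpl = fetch, maxRedirects = MAX_REDIRECTS) {
  const seen = new Set();
  let current = url;
  for (let hops = 0; hops <= maxRedirects; hops++) {
    if (seen.has(current)) {
      return { ok: false, reason: "redirect loop", hops };
    }
    seen.add(current);
    const res = await fetchImpl(current, { redirect: "manual" });
    if (res.status >= 300 && res.status < 400) {
      const loc = res.headers.get("location");
      if (!loc) return { ok: false, reason: "redirect without location", hops };
      current = new URL(loc, current).toString(); // resolve relative Location
      continue;
    }
    if (res.status >= 500) {
      // Includes Cloudflare 52x origin errors such as 525 (SSL handshake failed).
      return { ok: false, reason: `upstream status ${res.status}`, hops };
    }
    return { ok: true, response: res, hops };
  }
  return { ok: false, reason: "too many redirects", hops: maxRedirects + 1 };
}

// Client-facing handler: the detailed reason goes to the Worker log only; the
// client gets a fixed body that does not mention the origin URL.
async function handleRequest(request, fetchImpl = fetch) {
  const originUrl = buildOriginUrl(request.url);
  try {
    const result = await fetchOrigin(originUrl, fetchImpl);
    if (result.ok) return result.response;
    console.log(`origin fetch failed: ${result.reason} after ${result.hops} hop(s)`);
  } catch (err) {
    console.log(`origin fetch threw: ${err.message}`);
  }
  return new Response("Upstream unavailable", { status: 502 });
}

// Only register the fetch hook when running inside a Worker-like runtime.
if (typeof addEventListener === "function") {
  addEventListener("fetch", (event) => event.respondWith(handleRequest(event.request)));
}
```

The hop cap is deliberately small: a healthy origin redirects at most once or twice, and a loop caused by the Flexible mode's HTTP-to-HTTPS bounce shows up on the second hop, which is what the loop check catches.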

Check your settings for authenticated pulls; I’m seeing that toggling it can have an effect on the workers, even though it shouldn’t, because with my understanding authenticated pulls is only used in conjunction with a server, and workers/routes are supposed to sit above a server and not touch the server.

Hello!
I am having the same issue. Did someone from Cloudflare have a look into it? I don’t see any reason why a worker should not be able to fetch an HTTPS URL, whatever the SSL mode is for the website…