Fixing Error 522 / Connection timed out — Closed afaik


I’ve set up [ourdomainname] years ago. I’m not the owner, just keeping it up to date, making backups, etc. When the site suffered from ddos-attacks, I set up a cloudflare account and obviously that worked great, until now. Also, the hosting was upgraded to a vps.

Since this weekend, I found out the site is extremely slow and most of the time my browser isn’t even loading a page at all and shows a 522 error:

(cloudflare time out message pointing to original server screendump was here)

Steps you’ve taken to fix it. What CommunityTips, ExpertTips, videos, directions, instructions, and advice you’ve followed to try & fix the issue?
I checked the Wordpress app > Statistics to see how many visitors there were. There were only 50 visitors per day and about 175 page views. These are very low numbers for this site and I think for any hosting. These numbers can’t be the problem.

So I asked the hosting service if there was a problem with the server, showed them the error 522 info, and they said the original server was running fine.

There were many xmlrpc calls though:
- - [04/Oct/2021:16:53:05 +0200] www.[ourdomainname] "POST /xmlrpc.php HTTP/1.1" 403 162 "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_161)"
- - [04/Oct/2021:16:53:06 +0200] www.[ourdomainname] "POST /xmlrpc.php HTTP/1.1" 403 162 "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_161)"
0.312 - [04/Oct/2021:16:53:06 +0200] www.[ourdomainname] "POST /xmlrpc.php HTTP/1.1" 301 5 "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_161)"
- - [04/Oct/2021:16:53:07 +0200] www.[ourdomainname] "POST /xmlrpc.php HTTP/1.1" 403 162 "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_161)"
- - [04/Oct/2021:16:53:07 +0200] www.[ourdomainname] "POST /xmlrpc.php HTTP/1.1" 403 162 "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_161)"
- - [04/Oct/2021:16:53:09 +0200] www.[ourdomainname] "POST /xmlrpc.php HTTP/1.1" 403 162 "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_161)"
0.288 - [04/Oct/2021:16:53:10 +0200] www.[ourdomainname] "POST /xmlrpc.php HTTP/1.1" 301 5 "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_161)"
- - [04/Oct/2021:16:53:11 +0200] www.[ourdomainname] "POST /xmlrpc.php HTTP/1.1" 403 162 "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_161)"
- - [04/Oct/2021:16:53:11 +0200] www.[ourdomainname] "POST /xmlrpc.php HTTP/1.1" 403 162 "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_161)"
- - [04/Oct/2021:16:53:11 +0200] www.[ourdomainname] "POST /xmlrpc.php HTTP/1.1" 403 162 "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_161)"
- - [04/Oct/2021:16:53:13 +0200] www.[ourdomainname] "POST /xmlrpc.php HTTP/1.1" 403 162 "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_161)"
- - [04/Oct/2021:16:53:13 +0200] www.[ourdomainname] "POST /xmlrpc.php HTTP/1.1" 403 162 "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_161)"
- - [04/Oct/2021:16:53:13 +0200] www.[ourdomainname] "POST /xmlrpc.php HTTP/1.1" 403 162 "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_161)"
0.356 - [04/Oct/2021:16:53:16 +0200] www.[ourdomainname] "POST /xmlrpc.php HTTP/1.1" 301 5 "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_161)"
- - [04/Oct/2021:16:53:16 +0200] www.[ourdomainname] "POST /xmlrpc.php HTTP/1.1" 403 162 "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_161)"
- - [04/Oct/2021:16:53:17 +0200] www.[ourdomainname] "POST /xmlrpc.php HTTP/1.1" 403 162 "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_161)"
0.340 - [04/Oct/2021:16:53:18 +0200] www.[ourdomainname] "POST /xmlrpc.php HTTP/1.1" 301 5 "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_161)"
- - [04/Oct/2021:16:53:19 +0200] www.[ourdomainname] "POST /xmlrpc.php HTTP/1.1" 403 162 "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_161)"
- - [04/Oct/2021:16:53:19 +0200] www.[ourdomainname] "POST /xmlrpc.php HTTP/1.1" 403 162 "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_161)"
- - [04/Oct/2021:16:53:20 +0200] www.[ourdomainname] "POST /xmlrpc.php HTTP/1.1" 403 162 "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_161)"
- - [04/Oct/2021:16:53:21 +0200] www.[ourdomainname] "POST /xmlrpc.php HTTP/1.1" 403 162 "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_161)"
- - [04/Oct/2021:16:53:21 +0200] www.[ourdomainname] "POST /xmlrpc.php HTTP/1.1" 403 162 "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_161)"
- - [04/Oct/2021:16:53:22 +0200] www.[ourdomainname] "POST /xmlrpc.php HTTP/1.1" 403 162 "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_161)"
0.308 - [04/Oct/2021:16:53:22 +0200] www.[ourdomainname] "POST /xmlrpc.php HTTP/1.1" 301 5 "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_161)"
- - [04/Oct/2021:16:53:23 +0200] www.[ourdomainname] "POST /xmlrpc.php HTTP/1.1" 403 162 "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_161)"
- - [04/Oct/2021:16:53:24 +0200] www.[ourdomainname] "POST /xmlrpc.php HTTP/1.1" 403 162 "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_161)"
- - [04/Oct/2021:16:53:24 +0200] www.[ourdomainname] "POST /xmlrpc.php HTTP/1.1" 403 162 "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_161)"

But since I’ve set the .htaccess to deny those years ago, I assume these can’t do much harm.

So I pinged [ourdomainname]. The numbers were fine:
64 bytes from icmp_seq=72 ttl=55 time=13.533 ms
64 bytes from icmp_seq=73 ttl=55 time=11.318 ms
64 bytes from icmp_seq=74 ttl=55 time=11.632 ms
64 bytes from icmp_seq=75 ttl=55 time=20.778 ms
64 bytes from icmp_seq=76 ttl=55 time=11.707 ms
64 bytes from icmp_seq=77 ttl=55 time=13.613 ms
64 bytes from icmp_seq=78 ttl=55 time=11.225 ms

Then again, I’m not sure if this is the original server pinging back or just the cloudflare server?

So I logged into our CloudFlare account and read up about 522, but the points mentioned seemed less likely (cloudflare IP addresses blocked etc) unless the host has changed these recently.

So I tried the ‘Under attack mode’, but this didn’t fix it, for me at least.

Purged the cache, just to be sure. Didn’t make a difference.

Disabled the dns A record proxy → then everything worked fine!

However, this exposes the original IP, so I switched it back on. However, I still don’t understand what is going wrong and how to analyse this the right way.
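An added example, not part of the original post: one way to summarise an access log in the shape quoted above, so the xmlrpc traffic can be broken down by response status, request rate and user agent. The field layout is inferred from the posted lines, and the sample log, the host `www.example.test` and all function and field names are assumptions.

```python
import re
from collections import Counter

# Layout inferred from the posted lines (field names are assumptions):
# two leading fields (a number or "-"), [time], host, "request", status, bytes, "referer", "UA"
LINE_RE = re.compile(
    r'^(?P<f1>\S+) (?P<f2>\S+) \[(?P<ts>[^\]]+)\] (?P<host>\S+) '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+) '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)

# Constructed sample in the shape of the post's log; www.example.test is a placeholder host.
UA = "Apache-HttpClient/4.5.2 (Java/1.8.0_161)"
SAMPLE_LOG = "\n".join([
    f'- - [04/Oct/2021:16:53:09 +0200] www.example.test "POST /xmlrpc.php HTTP/1.1" 403 162 "-" "{UA}"',
    f'0.288 - [04/Oct/2021:16:53:10 +0200] www.example.test "POST /xmlrpc.php HTTP/1.1" 301 5 "-" "{UA}"',
    f'- - [04/Oct/2021:16:53:11 +0200] www.example.test "POST /xmlrpc.php HTTP/1.1" 403 162 "-" "{UA}"',
    f'- - [04/Oct/2021:16:53:11 +0200] www.example.test "POST /xmlrpc.php HTTP/1.1" 403 162 "-" "{UA}"',
    '0.120 - [04/Oct/2021:16:53:12 +0200] www.example.test "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    "truncated line without the expected fields",
])

def summarize(log_text, path="/xmlrpc.php"):
    """Count requests for `path` by status, by second and by user agent."""
    by_status, by_second, by_ua, timed = Counter(), Counter(), Counter(), Counter()
    unparsed = 0
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            unparsed += 1          # keep a count instead of silently dropping lines
            continue
        if m["path"].split("?", 1)[0] != path:
            continue
        by_status[m["status"]] += 1
        by_second[m["ts"]] += 1
        by_ua[m["ua"]] += 1
        if m["f1"] != "-":         # first field carries a number on some responses
            timed[m["status"]] += 1
    return {
        "total": sum(by_status.values()),
        "by_status": dict(by_status),
        "peak_second": by_second.most_common(1)[0] if by_second else None,
        "user_agents": dict(by_ua),
        "timed_by_status": dict(timed),
        "unparsed": unparsed,
    }
```
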

I am sorry to hear that, but that seems to me as a great potential of a WordPress DDoS attack someone tried :slight_smile:

I would strongly recommend to create a Firewall Rule to block each URI request which contains xmlrpc.php - of course, if you do not use it (or any other plugin).

Furthermore, there are some more suggestions how to protect WordPress website using Cloudflare :wink:

Therefore, some Firewall Tips are published here:

Depending on the attack type, if user-agents, crawlers, etc., there are few I would recommend to add to your Firewall Rules , like the posted here:

Using the search :search: :

May I suggest looking into below articles (if not already) due to the specified issue of 522 timeout:

How about checking if Cloudflare is allowed to connect to your new VPS, in case any firewall settings/configuration changed?

Kindly can you re-check if Cloudflare is allowed to connect to your origin host to as follows in the below article:

Nevertheless, Cloudflare IP addresses list can be found here:

In case you saw Cloudflare IP addresses in your log files, I would recommend below article to restore the original visitor IP address as follows:
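An added example, not part of the original reply: a check for the question raised in this reply, whether the origin's firewall is dropping connections that come from Cloudflare. The range list is a snapshot of Cloudflare's published IPv4 ranges and should be refreshed from the published list; the drop-log lines, the `DROP-IN:` prefix and the function names are assumptions.

```python
import ipaddress
import re

# Snapshot of Cloudflare's published IPv4 ranges (assumption: refresh before relying on it).
CLOUDFLARE_V4 = [
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
]
NETS = [ipaddress.ip_network(n) for n in CLOUDFLARE_V4]

def is_cloudflare(ip):
    """True if `ip` lies in one of the listed ranges (IPv6 input returns False here)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in NETS)

# Constructed iptables-style drop log; "DROP-IN:" is a hypothetical log prefix.
SAMPLE_DROPS = """\
Oct  4 16:53:05 vps kernel: DROP-IN: IN=eth0 OUT= SRC=172.68.10.20 DST=203.0.113.10 PROTO=TCP SPT=41234 DPT=443
Oct  4 16:53:06 vps kernel: DROP-IN: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP SPT=50022 DPT=22
Oct  4 16:53:07 vps kernel: DROP-IN: IN=eth0 OUT= SRC=172.68.10.20 DST=203.0.113.10 PROTO=TCP SPT=41300 DPT=443
Oct  4 16:53:08 vps kernel: DROP-IN: IN=eth0 OUT= SRC=104.23.1.9 DST=203.0.113.10 PROTO=TCP SPT=38811 DPT=80
"""

SRC_RE = re.compile(r"\bSRC=(\S+)")

def dropped_cloudflare_sources(log_text):
    """Map each Cloudflare source address seen in the drop log to its drop count."""
    hits = {}
    for line in log_text.splitlines():
        m = SRC_RE.search(line)
        if m is None:
            continue
        try:
            if is_cloudflare(m.group(1)):
                hits[m.group(1)] = hits.get(m.group(1), 0) + 1
        except ValueError:
            continue               # SRC= value was not an IP address
    return hits
```

A non-empty result means the origin is rejecting the proxy itself, which is one of the documented causes of a 522. `is_cloudflare` applied to the address a hostname resolves to also tells whether a ping is answered by Cloudflare or by the origin.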

I’m not surprised there are attacks, mainly from far away countries, but I don’t understand why, according to the Firewall Events list, what seem to be ‘honest’ Dutch visitors are blocked.

Even I get blocked, even when the javascript challenge is active.

Hm, maybe if running pure WordPress without a decent cache plugin, or?

Again, xmlrpc.php if so:

Running WP with cached pages.

Already disabled via .htaccess

I’ll look into how to set up a firewall rule for it on cloudflare though.

Somewhere above, you mentioned some maintenance work from your hosting provider, or changing/upgrading the VPS? Maybe that could be one reason too.

Btw if it says “Empty query string” in the JS Challenge protection / Firewall events. Does that mean that the user didn’t fill out the form? Because I can see my own IP with that remark in the list, while I did click the JS Challenge images.

Hm, one thing also coming to my mind, may I also ask which SSL option have you got selected under the SSL/TLS tab of Cloudflare dashboard for your domain? (Flexible, Full, Full Strict …)

It’s on ‘Flexible’. (I didn’t touch most settings)

The host vps was, as far as I can find out, not changed, except for the conditions of the subscription.

Meanwhile I added the xmlrpc block to the firewall. (around 10:40 on 211006)

Then I tried the Speed (test). It says:

The Speed test could not run.

[ourdomainname] returned a status 200. Try the options below to fix the issue.

1 Review the configuration between your origin server and Cloudflare and ensure that the origin resolves requests successfully

I don’t know how to review this. I haven’t changed anything to the basics, nor has the origin IP changed.

2 Review any existing Firewall Rules applied to your website which may be blocking access to ‘Known Bots’

→ I assume speed test does not require xmlrpc.

3 Contact [Customer Support] → I guess it’s time to contact them. Except that I can’t find any form or mail address…

Meanwhile, I’ve done a lot of testing and found some clues, despite our very unhelpful hosting company.

Long story short, I noticed that W3 Total Cache is active but still the site is very slow, even with the cloudflare proxy off, even while there are very little visitors and while there is no attack or whatever.

Then I found out Memcache is selected in our site’s W3 Total Cache plugin settings, but not available. Even though in the hosting vps manager settings, Memcache for W3 Total Cache is activated.

So I switched the W3 Total Cache setting for objectcache to ‘Disk’ instead of ‘Memcached’ and now it’s way more responsive…

Even better: It’s much faster and no more blocking me with the cloudflare proxy activated!

So I think I have found the spanner in the works. Well part of it.

Still think this is weird because this Memcached was not working for months without giving these problems. Maybe the combination with http3 that is now activated on cloudflare?

This should be fixed.
In case you do not have an SSL certificate, you can use Cloudflare SSL, if so, kindly make sure you follow the instructions as follows on the below article to setup an SSL certificate using Cloudflare CA Origin Certificate:

Kindly have a look here for more information regarding correct SSL settings:

Try this:

Some other helpful information other users reported:

Depending on your hosting provider and options available to you (like Redis and Memcached - even Disk Cache / Page Cache sometimes have troubles on shared hosting, kindly consider this one - here is also how to setup the Cloudflare with it under 14th section (including Page Rules):

same here, just from this afternoon.

  1. Meanwhile, I managed to have the hosting company fix the memcache / memcached error in wordpress. Turned out the php memcached extension was only installed for php 8. Not for 7.x that we were using. So we switched to php 8 (stable release) since this is a matter of time anyway.

After that, in W3 Total Cache, the option for memcached was no longer greyed out. So I set it to memcached.

  2. Also, the API token for encrypted connection between cloudflare and our site could not be set. Turned out that this became possible after switching the admin language to English. Bit of a weird quirk.

Unfortunately, neither changed anything to the fact that activating cloudflare blocks our site.

We now have a paid cloudflare subscription though, so I now get ‘professional help’. First round didn’t immediately find the culprit, but I’ll keep this thread up to date.


It’s been 5 days since I received a reaction from on the ticket about this.

Our host checked and their server is using only 3% of its capacity – at moments it is unreachable via Cloudflare.

As soon as I switch on Cloudflare, our site is unreachable.

We can’t go on like this. It’s been blocking our site for 1,5 week.

My ticket number is 2276853 @MoreHelp please.


Meanwhile, it’s 3 weeks later and not a clue what might’ve been the problem.

I’ve had cloudflare off because else there was almost no traffic coming through.

I decided to erase the site’s account on cloudflare and re-do it, but first test it one more time. To my surprise, now it worked fine: No delay, no blocking. :no_mouth:

IMHO there must have been some changes on cloudflare.

I’m not impressed by the cloudflare support or rather lack of it.


This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.