Hello,
I’m hosting 2 websites both with Cloudflare DNS. One is using the proxy option to hide my IP address, the other is not. The one that is not using the Cloudflare proxy is working fine 100% of the time. The one behind the proxy sometimes has issues with 521 http errors.
If you spam that website a hundred times, you should get the infamous HTTP 521 at some point, although sometimes it will work for 100 times in a row and then fail for 10 times in a row. It’s been doing this for months and I recently started investigating.
From the web server (I’m self hosting), when the error 521 happens, there is nothing. The connection doesn’t reach the web server. So I decided to run a packet capture on my router (running OPNsense) on all interfaces with a filter for Cloudflare IP ranges and I’m no network expert but I was able to get a capture with 3 tries to reach the website where the first try worked and the second and third try failed. I’m just not sure how to interpret what is going on here but from my understand, Cloudflare does knock on my router and this is where I suspect something goes wrong. Here is the capture in a text format, I can provide pcap files as well if needed: wanpppoe0 2024-03-1123:01:08.344339 length 103: (tos 0x0, ttl 127, id 4962 - Pastebin.com
10.0.0.0/8 is my local network. Any help debugging this would be appreciated.
It seems like you’re experiencing intermittent HTTP 521 errors, which indicate that Cloudflare is unable to establish a connection to your server. Here are some steps to troubleshoot the issue:
Check your server’s firewall settings to ensure that it’s not blocking Cloudflare’s IP ranges. You can find the list of Cloudflare IP ranges here.
Ensure that your web server (Apache, Nginx, IIS, etc.) is running and there are no issues with the service.
Verify that there are no network issues on your server’s end that could be disrupting the connection.
If you’re using an SSL certificate, make sure it’s valid and properly configured on your server.
Review Cloudflare’s Community Tip for Error 521 for additional troubleshooting steps.
I should have specified, I did read the FAQ about the error, but just in case:
if the firewall had actual rules to block Cloudflare, it wouldn’t be intermittent
server is running, works without the proxy, and as specified the requests don’t reach it when we get the errors
no network issues that I am aware of, I have monitoring tools and the website without the proxy wouldn’t work if it was purely network related
not sure how the SSL certificate could be linked to intermittent 521 errors but you have the URL, if you think the certificate isn’t right, let me know
already done
I need help with the packet captured from the router to better understand why the requests sometimes don’t reach the server.
It seems like I need a business account to open a support ticket, which I don’t have. I uploaded the files on filebin instead, here: Filebin | anhs2e5capz1wtjm
This is a filtered pcap with Cloudflare IPs, some information on what is going on within my network might be missing, I can provide additional captures without filters if required. This should be at least enough to see if there are indeed 3 requests coming from Cloudflare for the web server (could be more requests since it’s a public website but only 1 request reached the web server while at least 2 didn’t reach it).
Error 521 occurs when the origin web server refuses connections from Cloudflare. Security solutions at your origin may block legitimate connections from certain Cloudflare IP addressesOpen external link.
I uploaded the pcap files as suggested by your colleague (oshariff). Yes, the web server is responsive, there are no errors on the server when the issues are happening since the requests don’t reach the server, the IPs are not blocked or rate limited.