HTTP 525 with Cloudflare & Hetzner in EU Only

What is the name of the domain?

wooninjaconnect dot com

What is the error number?

525

What is the error message?

SSL handshake failed

What is the issue you’re encountering

HTTP 525 to EU Server but not USA Server

What steps have you taken to resolve the issue?

See below

Was the site working with SSL prior to adding it to Cloudflare?

Yes

What is the current SSL/TLS setting?

Full

I’m getting a bizarre error with Cloudflare and Hetzner. A couple of weeks ago, I set up a server using Laravel Forge in the US using Custom Hostnames (my-app dot com) and an Origin Certificate (e.g. usa dot app dot com). I installed the cert, added a CNAME and it worked perfectly.

(I’m using pseudo hostnames as they are client facing, and as a new account I can only post 4. I can DM exact hostnames to CF support if requested)

Fast forward to yesterday: I set up a server in the EU, added the cert and CNAME, but I cannot connect to it via the custom hostname, although I can connect to it via the origin certificate.

In the EU instance, it would appear that the connection between Cloudflare and the server is failing. There are no access or error logs in the EU server when I use the custom hostname, so it would appear the connection is not even reaching it.

The nginx setup and steps I went through are identical, as far as I can tell. I’ve followed every thread I can find, including changing the SSL from Full to Strict, etc., on Cloudflare, but I cannot solve this.

Are you on an Enterprise plan to have multiple custom origins?

Please use preformatted text (ctrl+e) and share your setup with example domains like this: example.com.


I’m currently on the free plan, and my understanding was that 100 host names are included? (Plans — Cloudflare for SaaS · Cloudflare for Platforms docs)

Breaking it down, ‘my’ domain, which is hosted on Cloudflare, is wooninjaconnect.com. I have two customers; assume their domains are:

www.customer-abc.com CNAME abc.wooninjaconnect.com (USA Customer)

www.customer-def.com CNAME def.wooninjaconnect.com (EU Customer)

Both are added as custom hostnames and have had SSL issued.

The USA customer is working fine, the EU customer is getting an HTTP 525 when they visit www.customer-def.com, but can access the system via def.wooninjaconnect.com and the SSL cert is valid.

I just can’t figure out why it works for the USA customer, and not the EU customer. Everything seems to be the exact same.

As an aside, the case number with Cloudflare is # : 01426489

Yes, 100 names, but only one origin (server). So how did you add the second server? You should only have the “Fallback Origin”.

Hmm, that could be it actually. In simpler terms, does this mean that I can only have one origin ‘A’ address? For example, let’s take my ‘USA’ server, assume the DNS is:

usa1.wooninjaconnect.com A 5.131.x.x
usa2.wooninjaconnect.com A 5.131.x.x
proxy-fallback.wooninjaconnect.com A 5.131.x.x

For my USA customers, they would have the following in the DNS

www.usa-customer-1.com CNAME usa1.wooninjaconnect.com

www.usa-customer-2.com CNAME usa2.wooninjaconnect.com

Are you saying that the issue is when I add my EU customer? So if I add this DNS record:

eu-1.wooninjaconnect.com A 123.456.x.x

And my customer adds their DNS CNAME:

www.eu-customer.com CNAME eu-1.wooninjaconnect.com

It is failing because I’m pointing to a different server IP in my A record?

Just to make the system clear: It does not matter to what hostname your customers point their CNAME, as long as it is to a proxied name in your zone.

All customers could use the same CNAME target, Shopify uses shops.myshopify.com for example for all their customers.

All traffic is sent to the Fallback Origin, or the custom Origins if you are an Enterprise customer.

Ok. The reason for the different CNAME targets is that they represent different nginx sites on the same server.

But I still don’t understand why the “EU” SSL is failing and the USA one is not, the only difference is they are different servers and IPs, but the set up is identical.

Right now, all traffic will be sent to the same server, the US server. If the US server doesn’t have an SSL certificate for the EU customer’s domain, you get an SSL error.

Believe me, it doesn’t matter. Cloudflare completely ignores where the CNAME points.

Ok, firstly, thank you for your patience here; I really appreciate it. I’m just trying to understand this issue from all angles. This is my current understanding of how this works, and I’m guessing it is flawed:

For my customers, I set up a custom host name in CF based on their requirements. I then send those TXT details to them, the domain is verified, and Cloudflare issues a cert. My customer then adds a CNAME e.g.

www.usa-customer-1.com CNAME usa1.wooninjaconnect.com

On my US server, I have an origin cert from CF for wooninjaconnect.com. Notably, I do not have a cert which covers the US customer.

Therefore, when a user navigates to www.usa-customer-1.com, they go to Cloudflare, which terminates. It then connects to my US server, which responds with the wooninjaconnect.com origin cert. All good, all green and locked.

What I can’t understand, and again I’m sorry if I’m missing it, is why this doesn’t work for the EU server if the EU server has the same wooninjaconnect.com origin cert? Surely CF will terminate as with the US server, and then send to the EU server?

Or, is the issue that the fallback server is not the same server that the EU sites are hosted on?


There is no EU server. Again, without Enterprise, you can only have a single Server, which you have configured as your Fallback Origin. That’s where all traffic is sent.

Your US server is most likely not configured to handle the EU domain, so the SSL handshake fails.

Ok, this is starting to make sense. In other words, the only A record that matters is:

proxy-fallback.wooninjaconnect.com A 5.131.x.x

As all (EU and US) traffic is sent here. It works for the ‘US’ customers as their sites are also on this server. It does not work for the EU customers as their sites are on a different server and IP, and this record is basically ignored:

eu-1.wooninjaconnect.com A 123.456.x.x

So, in terms of a ‘fix’, what are my options here? I can upgrade to Enterprise, or is there a way to configure the server to route to the EU? Both the US and EU servers have the same origin cert for wooninjaconnect.com.

However, a separate EU domain is probably the easiest as I can just set the fallback to that ‘EU’ server and keep it entirely separate.

If you wanted to keep it in the same account, you could use a Snippet/Workers to route traffic to the correct server.

But if you don’t intend to expand your amount of servers, a second domain in a second account (important, not the same account) would also work. But maintaining different configurations across multiple domains/accounts will quickly become unmaintainable and very error prone.

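As an added illustration of the Snippet/Workers option mentioned above (example code written for this page, not something posted in the thread or provided by Cloudflare), this Worker keeps a table of custom hostname to origin hostname and rewrites each request so the EU customer is fetched from the EU server while everything else still goes to the fallback origin. The origin hostnames and the use of an X-Forwarded-Host header for nginx to pick the right site are assumptions, and the real hostnames from the thread are stand-ins only.

```javascript
// Added example: route each custom hostname to a per-region origin from a
// Worker on the SaaS zone, because the free plan sends every custom hostname
// to the single Fallback Origin.
// ASSUMPTIONS: "usa-origin" / "eu-origin" are placeholder proxied DNS names in
// the zone that point at the two servers; each nginx selects its site from the
// X-Forwarded-Host header rather than from Host.

const ORIGIN_BY_HOSTNAME = new Map([
  ["www.customer-abc.com", "usa-origin.wooninjaconnect.com"], // US customer
  ["www.customer-def.com", "eu-origin.wooninjaconnect.com"],  // EU customer
]);
const FALLBACK_ORIGIN = "proxy-fallback.wooninjaconnect.com";

// Unknown hostnames fall back to the same origin Cloudflare would have used.
function pickOrigin(hostname) {
  return ORIGIN_BY_HOSTNAME.get(hostname.toLowerCase()) ?? FALLBACK_ORIGIN;
}

// Build the request that goes to the origin: same method, path, query and
// body, but the hostname swapped for the chosen origin and the original
// customer hostname preserved in X-Forwarded-Host.
function buildOriginRequest(request) {
  const url = new URL(request.url);
  const customerHost = url.hostname;
  url.hostname = pickOrigin(customerHost);
  const headers = new Headers(request.headers);
  headers.set("X-Forwarded-Host", customerHost);
  return new Request(url.toString(), {
    method: request.method,
    headers,
    body: request.body,
    redirect: "manual", // let the origin's redirects reach the browser as-is
  });
}

// Module-syntax Worker handler; in the deployed script this object is the
// default export (export default handler).
const handler = {
  async fetch(request) {
    return fetch(buildOriginRequest(request));
  },
};
```

Because the EU origin hostname is a proxied record in the same zone, the Worker's sub-request is served from that record's A address, not from the Fallback Origin.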

Ok, I can confirm Laudian’s points here are correct and solved the issue.

In summary, and I’m writing this for Google to hopefully save someone the hours this consumed me, for a given domain, e.g., example.com, there can only be one fallback. In my case, I could not have the US and EU servers on the same domain record, e.g., A records pointing to different server IPs.

I solved this by setting up a new domain e.g. example-eu.com and putting all my EU sites there, with all the A records pointing to the same server IP. Therefore the US and EU are entirely separated.

Thank you Laudian, I’d never have solved this without your input as I assume the HTTP 525 was from my server or app, and never connected this to the fallback.

