What is the name of the domain?
What is the error number?
What is the error message?
Error 521
What is the issue you’re encountering
We have been struggling with some intermittent Error 512 from our company servers that are on Cloudflare.
What steps have you taken to resolve the issue?
I’ve cleared Cloudflare’s cache and tested using different servers behind our Cloudflare domain.
I’ve also reached out to AWS Support to see if they can assist, but no positive outcome so far.
What feature, service or problem is this related to?
I don’t know
What are the steps to reproduce the issue?
Some of these servers are using just an S3 bucket with a CloudFront Distribution and some are just using EC2 servers behind Cloudflare, but all are getting intermittent Error 512’s in Singapore.
We’ve been testing on 4G in public and that’s intermittent as well as home and office broadband connection.
Our website is affected: Xctuality(dot)com
And one sample of a static site is the-sultans-palace(dot)xctuality(dot)com
I’ve been trying to get assistance from AWS, but signs are pointing more towards Cloudflare, as I’m investigating it more.
Our Cloudflare is on Flexible SSL and here’s a copy of the conversation I’ve been trying to get help with from AWS.
Any assistance on this would be greatly appreciated as this is affecting critical applications hosted on our subdomains. Thank you!
Greetings from AWS CloudFront Support team. I'm Ganchi Deepika Kumari, and I'll be assisting you with your issue.
From the case notes, I understand that you are experiencing the Cloudflare HTTP Error 521 when accessing your resources from the Singapore region. This error seems to be affecting multiple CloudFront distributions and EC2 instances, despite no recent configuration changes on your end. Please confirm if I have understood the situation correctly or provide any additional details or corrections.
==========
Analysis
==========
1. To investigate the Cloudflare HTTP Error 521 issue you reported when accessing your resources from the Singapore region, I performed additional testing to validate the scenario. Upon testing, I observed that the requests were successful, and I received a 200 OK response when accessing your resources even from the CloudFront’s Singapore edge location IPs. You can refer to the below outputs.
(for resolving your CloudFront default domain to a specific Singapore POP’s IPs)
dig +short d1qn56987oge7x.SIN2-P2.cloudfront(dot)net
(serving your distribution via one of the above Singapore POP IPs)
curl -vo /dev/null the-sultans-palace.xctuality(dot)com --resolve the-sultans-palace.xctuality(dot)com:443:13.33.88.12
* Request completely sent off
< HTTP/2 200
< content-type: text/html
< content-length: 12746
< date: Mon, 18 Nov 2024 10:37:29 GMT
< last-modified: Mon, 21 Jun 2021 08:35:56 GMT
< etag: "a6000432bad44cd389c8b9ac58aa8059"
< accept-ranges: bytes
< server: AmazonS3
< x-cache: Hit from cloudfront
< via: 1.1 cebe7291f382f643e4ea2329a2d8016a.cloudfront(dot)net (CloudFront)
< x-amz-cf-pop: SIN2-P2
< x-amz-cf-id: wavq1wOdQ3U19qcty21-LAihLOJKBQSrfSRBF_DFIu26SvSA0JteXg==
< age: 8500
<
{ [8192 bytes data]
100 12746 100 12746 0 0 49251 0 --:--:-- --:--:-- --:--:-- 49403
* Connection #0 to host the-sultans-palace.xctuality(dot)com left intact.
2. Also, investigating from our internal monitoring tools, I did not detect any occurrences of the HTTP 521 error response when accessing your resources from the Singapore region on November 18, 2024, between 00:00 UTC and 08:00 UTC (a period of 8 hours).
3. Further, analysing the DNS resolution for the provided domain ‘the-sultans-palace.xctuality(dot)com’ using the dig CLI command, I can see it is not resolving to the CloudFront IPs.
dig the-sultans-palace.xctuality(dot)com +short
104.21.234.48
104.21.234.49
It appears that the issue you are facing with the Cloudflare HTTP Error 521 may be related to the configuration of Cloudflare's DNS proxy service.
Now, although I am from the CloudFront Support team, to provide better assistance, I tried to search for the Cloudflare configuration responsible for the above behavior over the Internet. The investigation revealed that under the “Proxied” mode, the client requests are first being routed through Cloudflare's DNS proxy servers before reaching the CloudFront distribution's IP addresses. This proxy layer provided by Cloudflare is responsible for handling the DNS resolution and proxying the requests.
For details into the configuration, please refer to this article for the third-party tool:
It is possible that there may be a misconfiguration or issue with Cloudflare's proxy settings, which is preventing the requests from being properly forwarded to the CloudFront origin servers or EC2 instances resulting in the 521 error.
Here, to isolate the cause of error, I recommend temporarily disabling the Cloudflare proxy functionality and configuring Cloudflare to operate in "DNS-only" mode. This mode bypasses Cloudflare's proxy servers and allows direct communication between the client and the CloudFront distribution's IP addresses at HTTP level. Cloudflare will only be used to resolve the domain to CloudFront IPs. However, if the error persists, do let us know.
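
Added example (not part of the original post or the AWS reply): a small Python check that separates the two observations in the thread, whether the hostname resolves to Cloudflare edge addresses and whether a given `curl -v` test actually passed through Cloudflare, which is the hop where a 521 is generated. The function names are hypothetical, the range list is a copy of Cloudflare's published IPv4 list, and the 521 sample is constructed.

```python
import ipaddress

# Cloudflare's published IPv4 ranges (https://www.cloudflare.com/ips-v4);
# refresh from that list before relying on this copy.
CLOUDFLARE_V4 = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22")]

def behind_cloudflare(ips):
    """True if every resolved address is a Cloudflare edge (record is proxied)."""
    addrs = [ipaddress.ip_address(ip) for ip in ips]
    return bool(addrs) and all(any(a in n for n in CLOUDFLARE_V4) for a in addrs)

def parse_curl_verbose(text):
    """Return (status, headers) from the '< ' response lines of `curl -v`."""
    status, headers = None, {}
    for line in text.splitlines():
        if not line.startswith("< "):
            continue
        body = line[2:].strip()
        if body.startswith("HTTP/"):
            status = int(body.split()[1])
        elif ":" in body:
            name, value = body.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return status, headers

def verdict(status, headers):
    """Say which hop a test exercised, from the fingerprints each layer leaves."""
    via_cloudflare = "cf-ray" in headers or headers.get("server", "").lower() == "cloudflare"
    via_cloudfront = "x-amz-cf-pop" in headers
    if not via_cloudflare:
        return "bypassed Cloudflare: says nothing about the Cloudflare-to-origin hop"
    if status == 521 and not via_cloudfront:
        return "Cloudflare edge could not connect to the origin"
    return "served end to end through Cloudflare"

# Headers from the support engineer's --resolve test quoted above (subset).
DIRECT = "< HTTP/2 200\n< server: AmazonS3\n< x-cache: Hit from cloudfront\n< x-amz-cf-pop: SIN2-P2\n<"
# Constructed sample of an edge-generated 521; the cf-ray value is a placeholder.
EDGE_521 = "< HTTP/2 521\n< server: cloudflare\n< cf-ray: 0000000000000000-SIN"

if __name__ == "__main__":
    print(behind_cloudflare(["104.21.234.48", "104.21.234.49"]))  # dig result quoted above
    print(verdict(*parse_curl_verbose(DIRECT)))
    print(verdict(*parse_curl_verbose(EDGE_521)))
```

The 200 from the `--resolve` test carries CloudFront and S3 headers but no Cloudflare ones, so it shows the origin was healthy on that path without testing the connection Cloudflare itself makes to the origin.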