Issue to connect CF to AWS Load Balancer Error 522


I can’t fixe an issue with DNS records.
My application is hosted in AWS with this architecture

Client –https–>CloudF –https–>AWS LoadBalancer —http–> My app

When I put a DNS record :

  • A points to 52.XXX.XXX.XXX (IP address of the load balancer)* => Everything is working well
  • When I choose a record CNAM is an allias to (address of my load balancer) => I have an Error 522
  • When I connect directly using HTTP or HTTPS to 52.XXX.XXX.XXX or => It is working, I have only an alert message when I connect in HTTPS about the certificate.

Unfortunately, my LoadBalancer IP address is not static, it is why I need to use a CNAME Flattening record.

I tried :

  • Obtain a static IP address for the LB => Not possible
  • Use Cloudflare Crypto with
    • Off, Flexible, Full SSL mode ;
    • Always use https : On or Off
    • I tried with all Minimum : TLS Version
    • Automatic HTTPS Rewrite : On or Off
  • I have checked the Origin web server TLS/SSL ciphers supported by Cloudflare

But nothing is working :frowning:

I have red :

Thank you for your help !


This is the right setting but your server is blocking Cloudflare. Whitelist CF IPs.

Thank you for your help! Unfortunately, I put in WhiteList all inbound/outbound traffic for all protocoles. I have still the same issue. I was wondering:

  • The CNAME will “consider” the alias address in http or in hhtps ?
  • A certificate between CF and AWS, I use the Origin Certificates with the hosts (*,, is it the right certificate ? I can’t generate a certificate with AWS ; I think is not a certificate issue because when I am using DNS A rule pointing to the IP everything is working well.

CNAME has nothing to do with protocol. It is about IP. If you have a CNAMe like this:
CNAME x point to y
It just says wherever y resolves, x would. So if y points to then x resolves to too. This makes maintenance easier. Set an A Record to and for other entries use alias (CNAME). If a change in A record is needed other record don’t need any change.

A certificate belongs to a domain and everyone connection to that address is a client. So here CF is the client and your server should be equipped with a certificate. Which certificate? Depends on how you set domain name for your server. According to your design SSL for * will do that (considering your server is at *

I suggest these steps:

  1. Put NS records of Cloudflare to :grey: instead o:orange: for now,
  2. Set NS records for your back-ends (LB etc)
  3. Manually test if the above addresses work under https in browser (domains resolve and has a valid SSL)

After #3 you can proxy traffic through Cloudflare (orange cloud :orange:) and check if anything goes wrong.

Now you have problem with #2 to define a CNAME for load-balancer (LB). When you set the CNAME using default TTL your server IP changes before TTL expires and domain points to the wrong IP. Also check this thread.

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.