Proxy traffic through cloudflare CDN to my HTTPs server fails with 521

Hey,
I’m trying to expose my HTTPs server via Cloudflare.
So, I did everything - I bought a domain and redirected it to my application, and also used “lets encrypt” certificate in order to serve my application in HTTPs.
Now, whenever I use port 443 I get 521 from Cloudflare but if I switch to another port supported by Cloudflare, for example 8443, it works.
Can anyone shed some light on this?

Domain name?

1 Like

There are also some tips here:

Hey,
You can try accessing https-test.eden-test1.com in port 443 and check that it doesn’t work.
I’m investigating it in the moment, but the server should be up most of the time.
Please lemme know if you need more details on the subject.

Thanks!

Sorry the domain was wrong you should access test-server.eden-test1.com in order to check since the certificate is registered on this domain.

What port are you using on your origin? Have you set any origin rules in Cloudflare?

(Yes I can see it’s only working on 8443).

curl -I https://test-server.eden-test1.com
HTTP/2 521
date: Thu, 16 Nov 2023 09:38:32 GMT
content-length: 0
cache-control: no-store, no-cache
cf-cache-status: DYNAMIC
report-to: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=vKmFs02T2e1eBk6FpWJijYYBInbFs3Tr0UTEQa4jfgLohai0ugDQumWCEppCMq7fh8%2BB1OUcKv2eLt7fJceW4dGbSjrTm8rcvGxyh3ZJQ21q8kbx6XyWLPQ84KsmusnnvgcKK%2FgPkkixA8G%2Fb6oZD4eOfuYj5mCJZg%3D%3D"}],"group":"cf-nel","max_age":604800}
nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
server: cloudflare
cf-ray: 826ec2fb1ff06536-LHR
alt-svc: h3=":443"; ma=86400

curl -I https://test-server.eden-test1.com:8443
HTTP/2 200
date: Thu, 16 Nov 2023 09:38:50 GMT
content-type: text/html; charset=utf-8
cf-cache-status: DYNAMIC
report-to: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=7E%2Big0FeE%2BH2tsfYG%2FfyYRFFwr9Af9tkMCOh%2BJGau1pAPoKqayFFHvWmGAob%2B1YTndB%2FyFHUmucbbv6OvTDsmiDWHKMbmSCE4hj7p%2F9rHZ6X%2BrOcJW3ziDnZOYqYsVj3k8fHupSJAg2cQVUdkaaKFlWYChoA9GJNw6Uvydlx"}],"group":"cf-nel","max_age":604800}
nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
server: cloudflare
cf-ray: 826ec3674aef6536-LHR
alt-svc: h3=":8443"; ma=86400

Right now my I duplicated my application in my origin server to listen on both ports - 8443, and 443 in order to test it more easily.
Besides this, I don’t have any origin rules in Cloudflare.

I also ran tcpdump on my origin server and tried to capture traffic in port 443 and it seems that my origin server doesn’t even get it, so it made me think that the traffic might be dropped before even getting to my origin server.

Can you make another DNS entry, say test2.eden-test.com that is unproxied that will connect direct to your origin? (Open any firewall to the relevant ports) - you can delete once the test is done.

Is your SSL/TLS setting set to Full (strict)?

So I created another A record without the proxy option (DNS only), you can try and access it in test2.eden-test1.com/. It seems to be working although the connection isn’t secured since the certificate was registered on test-server.eden-test1.com.
Also, I’m using the flexible mode, which also makes me wonder how the encryption works, would it be encrypted from the client to Cloudflare with Cloudflare’s shared universal certificate, and between Cloudflare and my origin server is by my origin server’s certificate?

BTW, thanks for all the help!

That’s your problem. Switch to Full (strict) (or temporarily Full if your origin certificate has issues).

On Flexible the connection from Cloudflare to your origin is over HTTP. Full and Full (strict) use HTTPS between Cloudflare and the origin.

You can see your origin returns 502 to HTTP connections, but 200 to HTTPS. Cloudflare’s proxy is seeing your 502 (as it’s connecting over HTTP) and returning an error to the client.

curl -I http://test2.eden-test1.com
HTTP/1.1 502 Bad Gateway
Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Referrer-Policy: same-origin
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Proxy-Status: Cloudflare-Proxy;error=connection_refused
Cf-Team: 1c7932316d000065361b1b1400000001
Content-Length: 10160
Date: Thu, 16 Nov 2023 10:06:56 GMT

curl -I --insecure https://test2.eden-test1.com
HTTP/1.0 200 OK
Server: SimpleHTTP/0.6 Python/3.9.16
Date: Thu, 16 Nov 2023 10:08:17 GMT
Content-type: text/html; charset=utf-8
Content-Length: 870

curl -I --insecure https://test2.eden-test1.com:8443
HTTP/1.0 200 OK
Server: SimpleHTTP/0.6 Python/3.9.16
Date: Thu, 16 Nov 2023 10:08:28 GMT
Content-type: text/html; charset=utf-8
Content-Length: 870

I also read that this is the expected behavior, but I started wondering why 8443 works as expected, since I do see that connection is secure and the certificate of my origin server is presented in the browser.
Do you have any thoughts on this?
BTW, if I would’ve used full(strict) or full than what I said in my previous message is correct? i.e. the connection between the client and Cloudflare is using the certificate in Cloudflare (in default it’s shared universal one), and the communication between Cloudflare and my origin server is done with the origin server’s certificate right?

I switched to full(strict), but it still didn’t work with my Let’s encrypt certificate, so I created an origin server certificate in Cloudflare, and put in my server.
Now, everything seems to work properly, but the certificate seems to be issued by Let’s encrypt, does it make sense? I removed the old certificate from my server, and I used curl to validate that there’s no cache (even added the no cache header), but it seems that the issuer is still Let’s Encrypt.
BTW, if I just go the IP of my server directly I can see that the issuer is Cloudflare, so I’m not sure what happening here.
I’m now trying a different computer to be positive that there aren’t any caching in the way.

LetsEncrypt is one of the CAs used by Cloudflare…

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.