Site set up to redirect to https but reports 521 on browser access but the server is actually alive


#1

Crypto attributes as follows:

  1. always use HTTPS
  2. HSTS (and the site is accepted on hstspreload.org)
  3. automatic HTTPS rewrites
  4. minimum TLS 1.2
  5. TLS 1.3 enabled + 0-RTT
  • every other setting as standard
  • server is running nginx
  • nameservers are set to cloudflare.
  • cloudflare site status is active

nginx error log reports no activity when accessing the site

switching nameservers back (that is, removing the cloudflare influence), the site works as intended on http.

I am at a loss from this point. Would appreciate some guidance.


#2

zone records on digitalocean are:

$ORIGIN some-domain.com.
$TTL 1800
some-domain.com. IN SOA ns1.digitalocean.com. hostmaster.some-domain.com. 1532938415 10800 3600 604800 1800
some-domain.com. 1800 IN NS ns1.digitalocean.com.
some-domain.com. 1800 IN NS ns2.digitalocean.com.
some-domain.com. 1800 IN NS ns3.digitalocean.com.
some-domain.com. 1800 IN A 128.199.255.157
www.some-domain.com. 1800 IN CNAME some-domain.com.

I’m wondering if it’s the CNAME causing the problem?


#3

What’s your SSL setting? (Flexible, Full, Full (strict))

Try to connect to your domain with cURL or telnet. Mostly, 521 is caused when Cloudflare IPs are blocked or your origin refuses connections on port 80 or 443.
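The check suggested above, done against the origin IP directly so that Cloudflare is taken out of the picture. This is an added example, not code from the thread or from Cloudflare. It tests what each SSL mode needs from the origin: Flexible only needs plain HTTP on port 80, Full needs a TLS handshake on 443 with any certificate, and Full (strict) needs a TLS handshake with a certificate that chains to a trusted CA and matches the hostname. The IP and hostname in the main block are taken from the zone file posted in the thread and are assumed still to point at the origin; replace them with your own. The two local helpers at the bottom stand in for an origin (a port that accepts TCP but speaks no TLS, and a port with nothing listening) so the script can be exercised offline.

```python
"""Probe an origin directly, bypassing Cloudflare, and report whether it can
serve what a given Cloudflare SSL mode requires.  Added example, not from the
thread; the IP/hostname in main() are assumed placeholders from the zone file."""
import socket
import ssl
import threading


def tcp_connect(ip, port, timeout=5.0):
    """(True, "") if a TCP connection to ip:port succeeds, else (False, error name).
    A refusal here on the port Cloudflare uses is what surfaces as a 521."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True, ""
    except OSError as exc:
        return False, type(exc).__name__


def tls_handshake(ip, port, sni, verify=True, timeout=5.0):
    """Attempt a TLS handshake with SNI=sni.  verify=True is what Full (strict)
    requires (trusted chain and hostname match); verify=False is what Full accepts.
    Returns (True, negotiated protocol) or (False, error name)."""
    ctx = ssl.create_default_context()
    if not verify:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((ip, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=sni) as tls:
                return True, tls.version() or ""
    except OSError as exc:  # ssl.SSLError is a subclass of OSError
        return False, type(exc).__name__


def diagnose(ip, sni, ssl_mode, http_port=80, https_port=443):
    """Run the checks in order (TCP 80, TCP 443, TLS any cert, TLS strict) and
    return them with a verdict for ssl_mode: flexible, full or full (strict)."""
    r = {"ssl_mode": ssl_mode.lower()}
    r["http_tcp"], r["http_err"] = tcp_connect(ip, http_port)
    r["https_tcp"], r["https_err"] = tcp_connect(ip, https_port)
    r["tls_any"], r["tls_any_info"] = (
        tls_handshake(ip, https_port, sni, verify=False)
        if r["https_tcp"] else (False, "no TCP connection on https port"))
    r["tls_strict"], r["tls_strict_info"] = (
        tls_handshake(ip, https_port, sni, verify=True)
        if r["tls_any"] else (False, "no TLS listener at all"))
    need = {"flexible": ("http_tcp", "http_err"),
            "full": ("tls_any", "tls_any_info"),
            "full (strict)": ("tls_strict", "tls_strict_info")}[r["ssl_mode"]]
    r["ok"] = r[need[0]]
    r["verdict"] = (f"origin can satisfy {ssl_mode}" if r["ok"] else
                    f"origin cannot satisfy {ssl_mode}: {need[0]} failed ({r[need[1]]})")
    return r


def start_plain_listener():
    """Local stand-in for an origin port that is open but speaks no TLS: accepts
    each connection and closes it.  Returns the port.  Offline test helper."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            conn, _ = srv.accept()
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def unused_port():
    """Local stand-in for a port with nothing listening (bound, then released)."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    # Origin IP and hostname from the thread's zone file (assumed placeholders).
    for mode in ("flexible", "full", "full (strict)"):
        print(diagnose("128.199.255.157", "some-domain.com", mode)["verdict"])
```

Run it from anywhere except behind the Cloudflare proxy itself. If `http_tcp` is true but `tls_any` fails while the dashboard is set to Full (strict), the origin has nothing that mode can use; either put a valid certificate on nginx's 443 listener or drop the mode to one the origin can actually serve. A `ConnectionRefusedError` on 443 with `ufw` allowing the port usually means nginx has no `listen 443 ssl` server block at all.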


#4

Mark

What’s your SSL setting? (Flexible, Full, Full (strict)): Full (Strict)

curl output as below:

curl https://forextickler.com
curl: (35) error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure

curl http://forextickler.com
✔ :(master) trust_accounts$ 

No entries in access.log or error.log

Also, SSL has not been implemented between Cloudflare and the origin server.

Active firewall is:

sudo ufw status numbered
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 21                         ALLOW IN    Anywhere                  
[ 2] 22                         ALLOW IN    Anywhere                  
[ 3] 80                         ALLOW IN    Anywhere                  
[ 4] 443                        ALLOW IN    Anywhere                  
[ 5] 2812                       ALLOW IN    Anywhere                  
[ 6] 7474                       ALLOW IN    Anywhere                  
[ 7] 21 (v6)                    ALLOW IN    Anywhere (v6)             
[ 8] 22 (v6)                    ALLOW IN    Anywhere (v6)             
[ 9] 80 (v6)                    ALLOW IN    Anywhere (v6)             
[10] 443 (v6)                   ALLOW IN    Anywhere (v6)             
[11] 2812 (v6)                  ALLOW IN    Anywhere (v6)             
[12] 7474 (v6)                  ALLOW IN    Anywhere (v6)

Result of browser access:

Regards