SSL Handshake Failed 50% of the time

Could you check whether you have a Web Application Firewall (or similar security software/feature) at your origin server which might inadvertently be blocking/dropping connections from Cloudflare IPs? You might want to add the CF-RAY header to your logs if you haven’t done so. You can then correlate the CF-Ray response header seen by the client/browser to the CF-Ray request header your origin server was seeing.

If this is the case, the connection dropping might explain the different 5xx errors seen. If your origin server/network dropped the connection before the TCP handshake completed, it may surface as a 522 Error. Meanwhile, if the connection dropped before the SSL handshake is completed, it will surface as a sporadic/intermittent 525/526 Error. If the connection dropped after we sent our HTTP request, it might surface as a 520 Error. And, if it happens after your server sent the HTTP header and some content, it could be seen as Error 524.

Because Cloudflare operates as a reverse proxy the IP address your server will see is one of a limited number of Cloudflare IPs. In that sense, many actual visitors may all come from the same IP address, which can cause firewalls or security software that is not appropriately allow-listing the Cloudflare IP ranges to block this traffic as it may see it as excessive or malicious. We publish a full list of our IP ranges here so that you can allow-list:

https://www.cloudflare.com/ips

I would make sure that your hosting provider confirms that the Cloudflare IP ranges listed in the URL above are fully allow-listed in any security software, firewall etc. to ensure there is no rate limiting or blocking of our edge servers. This should ensure that Cloudflare can consistently make a connection to your origin server to retrieve content and serve it to your visitors.

Cloudflare is a reverse proxy, so when someone visits your website while you’re using Cloudflare the visitors would appear to be coming from our IP addresses. You can resolve this by using the cf-connecting-ip HTTP request header we send along, to be used by your security software.

I hope you find this helpful and that it helps you find whatever is blocking Cloudflare’s requests and resolve the issue. Here’s a similar example from Cloudflare Community: https://community.cloudflare.com/t/intermittent-525-ssl/275060/33

2 Likes
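The three checks the reply above recommends (allow-list the Cloudflare ranges, key security rules on cf-connecting-ip rather than the proxy's address, and correlate CF-RAY between browser and origin logs) can be exercised with a small script. The following is an added example, not code from the original post or from Cloudflare: the IP ranges are a partial snapshot that must be refreshed from https://www.cloudflare.com/ips, the log lines and CF-RAY values are constructed, and the log format (combined log with the CF-RAY request header appended as the last quoted field) is an assumption about how you chose to log it.

```python
import ipaddress
import re
from typing import Iterable, List, Mapping, Optional

# Partial snapshot of Cloudflare's published IPv4 ranges, for illustration only.
# Assumption: you refresh this list from https://www.cloudflare.com/ips before use.
CLOUDFLARE_IPV4 = [
    "173.245.48.0/20",
    "103.21.244.0/22",
    "104.16.0.0/13",
    "172.64.0.0/13",
    "162.158.0.0/15",
    "198.41.128.0/17",
]


def build_networks(cidrs: Iterable[str]):
    """Parse CIDR strings once so membership tests are cheap."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


CF_NETWORKS = build_networks(CLOUDFLARE_IPV4)


def is_cloudflare_ip(addr: str, networks=CF_NETWORKS) -> bool:
    """True when the TCP peer belongs to an allow-listed Cloudflare range."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in networks)


def real_client_ip(peer_ip: str, headers: Mapping[str, str], networks=CF_NETWORKS) -> str:
    """Return the address a WAF or rate limiter should key on.

    CF-Connecting-IP is only honoured when the peer really is Cloudflare;
    a client that reaches the origin directly could otherwise forge it.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    if is_cloudflare_ip(peer_ip, networks) and "cf-connecting-ip" in lowered:
        return lowered["cf-connecting-ip"]
    return peer_ip


# Constructed origin access-log lines: combined-log style with the CF-RAY
# request header appended as the final quoted field ("-" when absent).
SAMPLE_LOG = """\
172.64.10.5 - - [10/May/2024:12:00:01 +0000] "GET / HTTP/1.1" 200 512 "7f0a1b2c3d4e5f60-LHR"
172.64.10.5 - - [10/May/2024:12:00:02 +0000] "GET /api HTTP/1.1" 200 128 "7f0a1b2c3d4e5f61-LHR"
203.0.113.7 - - [10/May/2024:12:00:03 +0000] "GET / HTTP/1.1" 403 0 "-"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) .*?" (?P<status>\d{3}) \d+ "(?P<ray>[^"]*)"$')


def find_ray(log_text: str, ray_id: str) -> Optional[dict]:
    """Locate the origin entry for a CF-Ray the browser reported.

    None means the request never reached the origin's logging stage, which
    points at a drop somewhere in front of (or inside) the web server.
    """
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m.group("ray") == ray_id:
            return {"ip": m.group("ip"), "status": int(m.group("status"))}
    return None


def direct_hits(log_text: str, networks=CF_NETWORKS) -> List[str]:
    """Peer addresses that bypassed Cloudflare and hit the origin directly."""
    found = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and not is_cloudflare_ip(m.group("ip"), networks):
            found.append(m.group("ip"))
    return found


if __name__ == "__main__":
    print("origin entry for ray 7f0a1b2c3d4e5f61-LHR:", find_ray(SAMPLE_LOG, "7f0a1b2c3d4e5f61-LHR"))
    print("client behind Cloudflare:", real_client_ip("172.64.10.5", {"CF-Connecting-IP": "198.51.100.9"}))
    print("direct-to-origin peers:", direct_hits(SAMPLE_LOG))
```

Running it on real logs, a CF-Ray the browser saw that `find_ray` cannot locate is exactly the drop-before-logging case the reply describes, and any non-empty `direct_hits` list shows that the origin is reachable without going through Cloudflare, which is worth closing at the firewall in the same pass as the allow-listing.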