I’ve gone to “WAF > Tools” and added an IP address and selected Allow. I don’t want any request from this IP address to be blocked by Cloudflare for any reason.
But even after waiting 5 minutes, I still get 520s from Cloudflare when I make a cURL request from this IP. The same cURL requests works from my local machine (and several other machines) so I’m confident my origin server is healthy.
A 520 reflects some difficulty between the Cloudflare edge and your origin server, at which point WAF has already allowed the request. You’d get a 403 if WAF blocked it.
Troubleshooting a 520 is rather challenging, because origin servers may have totally different configurations. You could this community for topics related to 520, and use the search advanced feature to filter only resolved topics. This might lead you to cases where disabling HTTP/2 to origin solved the problem, or disabling HTTP/3, or changing some server configuration. I’ve seen someone claim it was a WordPress plugin that was changing the URL in a way that the server wouldn’t understand etc. etc.
You can use the new Trace (beta) feature, available at the Dashboard > Account page, to trace internally your request and see if that gives you an idea whether the specific request is triggering any rules that may be playing a role here.
Also, you can try the Dashboard Analytics to see if it returns the origin status code that is associated with the edge status code 520.
Please see if you can edit the title of your post, so that it properly reflects your search for 520 troubleshooting, so that it gets the attention of the right set of eyes. (If you can’t, flag your own post with the “other reason” and ask mods to change the title for you.)
If I get a 520, can I be certain CF attempted to hit my origin for this request? Or could there be any reason that CF didn’t even attempt to hit my origin server? Like for example if CF sees too many requests from an IP getting dropped by my origin server in a short span of time, could CF just “give up” on serving requests from this IP until some time has passed (and return 520s without hitting origin)?
The reason I ask is because I saw a spike in 520s last night. I dug into my analytics and noticed a very high variance between IPs and how many 520s they received. In other words, requests from some IPs were nearly always getting 200s and requests from some IPs were nearly always getting 520s. I don’t have any IP specific logic in my origin server afaik. Eventually the problematic IPs started getting 200s again without any change from my side.
If we operate under the assumption that my origin server was temporarily overloaded and CF was attempting to hit origin for every request, I’d expect 520 responses to be spread uniformly across all IPs. But this doesn’t appear to be the case.
Are you certain that requests coming from the IP that gets 520 do not also contain some element that might potentially trigger the error? Such as HTTP version, compression, or whatever other factor the origin server may have an issue with?
I’m just speculating here, as I’m far from being qualified to discuss server issues. I’m just raising the idea that perhaps you should investigate request details other than IP address per se.
Let’s hope someone with server admin expertise join in and give your more specific suggestions.
As you rightly pointed out, it was a problem with my infrastructure upstream. Specifically, an issue with my load balancer and how it was routing traffic. I don’t think the details are relevant here, but bottom line: nothing wrong with CF.