Webservice calls failing

Hi.
I have several customers who make webservice calls to URLs that are proxied through CloudFlare. These customers are not able to make webservice calls to these URLs when they are orange clouded. When these URLs are set to DNS only (grey clouded) they work fine. Based on the documentation I have read, I was under the impression that IP access rules configured for “allow” on specific IP ranges or an explicit IP address will allow these webservice calls to go unblocked.

The documentation states: "Another common use of IP Access Rules is to allow services that regularly access your site (APIs, crawlers, payment providers, etc)." These access rules have been configured but appear to still be blocking. When these calls are made through Postman, it works with no blocks. Any help is appreciated as I would like to proxy these URLs through CloudFlare, but it appears to be a deal breaker if I can’t get this resolved. Thank you!

Traffic that is blocked should show up in the Firewall Event Log.

This part is interesting. Something must be going on with those other requests to get them blocked.

There are no blocks that I see in the firewall event log. The source IPs that are coming in are showing as “allowed”. Don’t the IP access rules allow these “requests” to not be blocked?

You’d think so…but apparently that’s not guaranteed because of some other reason. You’ll have to dig around to get some more info, such as error messages from the client end.

Here is a screenshot from the client end. Appears to be a 520 origin error when making webservice calls. All my customers that do webservice calls are experiencing the same thing. When orange cloud is turned off, these webservice calls are successful.

Other than the 520 instructions I’ll link to at the bottom, you may need to open a ticket and send them the HTTP request you’re attempting to see if they know why this is failing. The firewall isn’t what’s killing this.

A 520 error occurs when the connection started on the origin web server, but the request was not completed. The most common reason why this would occur is that either a program, cron job, or resource is taking up more resources than it should, causing the server not to be able to respond to all requests properly.

Review the Quick Fix Ideas in this Community Tip for troubleshooting suggestions.

I have opened a ticket but have not gotten much assistance in this. I would think if there is a resource problem on the server, we would get a 520 error when orange cloud is turned off. The resources on these servers appear to be fine. When you say “HTTP request you’re attempting”, what information would you be looking for specifically? I don’t know much about these webservice calls as I’m not the developer who works on these, I am just responsible from the CloudFlare side to make sure everything is working as intended.

They’re sending a full GET or POST type of request with a set of parameters and payload. If you can add that to your Support ticket, they can hopefully test the request. I suspect you’d edit out any credentials, so it would fail that, but should still test the 520.

Can you post the ticket number here to get more eyes on the issue?

These webservice requests are all HTTPS POST requests.
The ticket number I have opened is #2072148. I have emailed a few times but not heard anything back from support.

Here is a pic of some of the script which may be of use to see what it’s doing and how CloudFlare could be affecting this.

Would also like to add that these are SOAP based webservice calls. These calls are expecting an XML response with a JSON data structure.

Still need assistance with this as it’s greatly impacting my customers who are unable to make webservice calls. Any help is appreciated.

Do your app's outbound HTTP requests - like SOAP, which you use - support Server Name Indication (SNI)?

In the above replies you have specified the IP Access rules / Firewall / VPN, could it be this is blocking your incoming connections?

Since your domain is behind a proxy (Cloudflare), are you using the correct and compatible port with Cloudflare to connect?

Are you also running a MID Server?

You are trying to send email via connection to a domain being :orange: proxied?
Does an MX record exist and is an A mail record :grey:?
Are the needed IP addresses listed and allowed to connect and send the request?
Could there be some mixed content errors in between?