Website is unusable when proxying but works with DNS only

What is the name of the domain?

happ1chat.ip-ddns.com

What is the issue you’re encountering

Hi, I’m having issues with cloudflare starting from around April 29th. I either can’t access my website when it’s being proxied, or it takes several minutes to load. If the website loads, it still takes dozens of seconds to fetch additional data for some reason. Once it’s done, it’ll work fine again, until I reopen the browser. It’s so bad, that even the JWT refresh request is timing out and I have to log in again. I tried looking into requests with dev tools, but I only saw a couple 524s in there. Most of the time it seemingly just did nothing. Literally waiting minutes between requests for some reason. Nothing in the configuration has been changed before that happened, and the proxy worked fine before. I tried disabling proxying and it works, but I need proxy to redirect ports.

What steps have you taken to resolve the issue?

Attempting to fix the issue, I tried:

• Pausing and unpausing CF.
• Checking if I’m routing to correct IP in DNS (A) records.
• Generating CF signed certificate and switching from TLS full to TLS full strict.
• Rebooting my (host) device and WiFi router.
• Disabling cache.
• Disabling optimizations like quic 3.
• Setting up a whole new “domain” from a different provider.
• Clearing browser cookies and data for the website.
• Opening the website in incognito.
• Opening the website in different browsers and on different devices.
• Accessing website through VPN.

Nothing of that worked.

I’m starting to feel that this could be on Cloudflare’s side, after all. Maybe something broke for Russian (or Crimean) IPs.

At one point I even tried Fastly, which worked fine too (except for websockets because enabling them isn’t free). So it seems to me that the website might not be broken because of me specifically.

Is it just me? Where can I report this issue properly if there’s no fix?

After some testing with dev tools, it seems that a lot of requests are actually just pending, then error out with 502 or 520. This is weird, because it has never happened before, and direct IP access, even through VPN works fine.

Where are you seeing these problems?

1. What ISP / provider, preferably their AS number?
   The AS number can be found here:

• https://1.1.1.1/help
  → AS Number
• https://bgp.tools/
  → The AS number shown under “You are connecting from” like this: “Cloudflare, Inc. (AS13335)”
• https://bgp.he.net/
  → The AS number shown like this: “Your ISP is AS13335 (Cloudflare, Inc.)”

2. What country (and preferably state/region)?
   … Only from Russia?

It has been seen before that ISP’s or governments are playing games, where they are restricting access to various IP addresses from time to time.

If you’re able to see headers, and are able to see such as e.g. “cf-ray”, and others, through your dev tools, then you can rule out the ISP / government blocks of the access to Cloudflare though.

These would not typically indicate an issue with the connection from visitors to Cloudflare, where ISP / government blocks typically interfere.

Instead, they would indicate issues between Cloudflare and your own server.

I would start by checking your firewall / security systems, and ensure that none of them are blocking Cloudflare in any way.

Geo-blocking access to your server in a firewall, such as blocking foreign connections, could possibly be causing something like this.

Checking up with your server provider, to see if they (or their ISP) have some filters on foreign connections, or otherwise firewall / security systems, that are activated for your services, may be wise too.

Yalta-TV KOM Ltd. (AS57093), 1.1.1.1 — One of the Internet’s Fastest, Privacy-First DNS Resolver

The “server” is located in Yalta, Crimea, but if you mean client region, it doesn’t seem to matter at all.

I don’t have any firewall at the moment. Only nginx proxy (for https), which hasn’t been changed at all. I already tried disabling too, it didn’t help.

Currently, the error rate seems to be at around 30% for no apparent reason. I tried doing manual curl request to paths that failed and got no errors.

Nope, no headers at all while the request is pending

I see the same with e.g. Firefox:

cloudflare_community_794602_firefox_secure_connection_failed847×463 18.9 KB

Running cURL though, I see a mix:

1. Some requests go through just fine (which seems to reach some “Open WebUI” instance).

$ curl -s -vv https://happ1chat.ip-ddns.com/
*   Trying 172.67.213.245:443...
* Connected to happ1chat.ip-ddns.com (172.67.213.245) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=happ1chat.ip-ddns.com
*  start date: Mar  7 22:25:18 2025 GMT
*  expire date: Jun  5 06:30:42 2025 GMT
*  subjectAltName: host "happ1chat.ip-ddns.com" matched cert's "happ1chat.ip-ddns.com"
*  issuer: C=US; O=Google Trust Services; CN=WE1
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x55ada2f28620)
> GET / HTTP/2
> Host: happ1chat.ip-ddns.com
> user-agent: curl/7.74.0
> accept: */*
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* Connection state changed (MAX_CONCURRENT_STREAMS == 100)!
< HTTP/2 200
< date: Tue, 06 May 2025 11:13:57 GMT
< content-type: text/html; charset=utf-8
< server: cloudflare
< accept-ranges: bytes
< last-modified: Mon, 14 Apr 2025 17:11:05 GMT
< report-to: {"group":"cf-nel","max_age":604800,"endpoints":[{"url":"https://a.nel.cloudflare.com/report/v4?s=c7vL30mSduJFRl3UaxISykChLgjStsq%2BMdv9%2BR%2BZKAv%2FDJxOYZH33IHr2MSXHKwbouOlnIbHnyR%2BFeL7a3yHdV%2Fv7lGVVY1QuBilpvHdRgRdM4NiSY7AWeXbSnFENRI0LduoIJC26r0%3D"}]}
< x-process-time: 1
< cf-cache-status: DYNAMIC
< nel: {"report_to":"cf-nel","success_fraction":0.0,"max_age":604800}
< cf-ray: 93b80d17ebfb0a63-AMS
< alt-svc: h3=":443"; ma=86400
<
<!doctype html>
<html lang="en">
        <head>
                <meta charset="utf-8" />
                <link rel="icon" type="image/png" href="/static/favicon.png" />
                <link rel="icon" type="image/png" href="/static/favicon-96x96.png" sizes="96x96" />
                <link rel="icon" type="image/svg+xml" href="/static/favicon.svg" />
                <link rel="shortcut icon" href="/static/favicon.ico" />
                <link rel="apple-touch-icon" sizes="180x180" href="/static/apple-touch-icon.png" />
                <meta name="apple-mobile-web-app-title" content="Open WebUI" />

                <link rel="manifest" href="/manifest.json" crossorigin="use-credentials" />
                <meta
                        name="viewport"
                        content="width=device-width, initial-scale=1, maximum-scale=1, viewport-fit=cover"
                />
                <meta name="theme-color" content="#171717" />
                <meta name="robots" content="noindex,nofollow" />
                <meta name="description" content="Open WebUI" />

[...]

        .animate-pulse-fast {
                animation: pulse 1.5s cubic-bezier(0.4, 0, 0.6, 1) infinite;
        }
</style>
* Connection #0 to host happ1chat.ip-ddns.com left intact

2. Requests that are successfully reaching Cloudflare, and apparently with an HTTP status code of 200, but where they do not seem to get a (proper) body response from the origin, in time.

$ curl -s -vv https://happ1chat.ip-ddns.com/
*   Trying 104.21.23.220...
* TCP_NODELAY set
* Connected to happ1chat.ip-ddns.com (104.21.23.220) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS Unknown, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Unknown (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Client hello (1):
* TLSv1.3 (OUT), TLS Unknown, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=happ1chat.ip-ddns.com
*  start date: Mar  7 22:25:18 2025 GMT
*  expire date: Jun  5 06:30:42 2025 GMT
*  subjectAltName: host "happ1chat.ip-ddns.com" matched cert's "happ1chat.ip-ddns.com"
*  issuer: C=US; O=Google Trust Services; CN=WE1
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* TLSv1.3 (OUT), TLS Unknown, Unknown (23):
* TLSv1.3 (OUT), TLS Unknown, Unknown (23):
* TLSv1.3 (OUT), TLS Unknown, Unknown (23):
* Using Stream ID: 1 (easy handle 0x148bec0)
* TLSv1.3 (OUT), TLS Unknown, Unknown (23):
> GET / HTTP/2
> Host: happ1chat.ip-ddns.com
> User-Agent: curl/7.58.0
> Accept: */*
>
* TLSv1.3 (IN), TLS Unknown, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS Unknown, Unknown (23):
* Connection state changed (MAX_CONCURRENT_STREAMS updated)!
* TLSv1.3 (OUT), TLS Unknown, Unknown (23):
* TLSv1.3 (IN), TLS Unknown, Unknown (23):
* TLSv1.3 (IN), TLS Unknown, Unknown (23):
< HTTP/2 200
< date: Tue, 06 May 2025 11:51:02 GMT
< content-type: text/html; charset=utf-8
< server: cloudflare
< accept-ranges: bytes
< last-modified: Mon, 14 Apr 2025 17:11:05 GMT
< report-to: {"group":"cf-nel","max_age":604800,"endpoints":[{"url":"https://a.nel.cloudflare.com/report/v4?s=IS7TnNZLd4cWtxZCXFGeYcEDrIoLtcQc5QK3PVk2p4GkY0zs9%2F0sYu3gfNC%2BPqfLL5WxqJvTBItWsZ%2FCtBoz05opHFa1PhYPQ%2F17sAIe7FfN3O6W37MGVCxM9gBciVxr8x9W6mEcIio%3D"}]}
< x-process-time: 0
< cf-cache-status: DYNAMIC
< nel: {"report_to":"cf-nel","success_fraction":0.0,"max_age":604800}
< cf-ray: 93b8436bbe24ebca-CPH
< alt-svc: h3=":443"; ma=86400
<
* TLSv1.3 (IN), TLS Unknown, Unknown (23):
* HTTP/2 stream 1 was not closed cleanly: INTERNAL_ERROR (err 2)
* Connection #0 to host happ1chat.ip-ddns.com left intact

Re-trying the unsuccessful request, I’m getting a successful request though:

$ curl -s -vv https://happ1chat.ip-ddns.com/
*   Trying 104.21.23.220...
* TCP_NODELAY set
* Connected to happ1chat.ip-ddns.com (104.21.23.220) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS Unknown, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Unknown (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Client hello (1):
* TLSv1.3 (OUT), TLS Unknown, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=happ1chat.ip-ddns.com
*  start date: Mar  7 22:25:18 2025 GMT
*  expire date: Jun  5 06:30:42 2025 GMT
*  subjectAltName: host "happ1chat.ip-ddns.com" matched cert's "happ1chat.ip-ddns.com"
*  issuer: C=US; O=Google Trust Services; CN=WE1
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* TLSv1.3 (OUT), TLS Unknown, Unknown (23):
* TLSv1.3 (OUT), TLS Unknown, Unknown (23):
* TLSv1.3 (OUT), TLS Unknown, Unknown (23):
* Using Stream ID: 1 (easy handle 0x17c9ec0)
* TLSv1.3 (OUT), TLS Unknown, Unknown (23):
> GET / HTTP/2
> Host: happ1chat.ip-ddns.com
> User-Agent: curl/7.58.0
> Accept: */*
>
* TLSv1.3 (IN), TLS Unknown, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS Unknown, Unknown (23):
* Connection state changed (MAX_CONCURRENT_STREAMS updated)!
* TLSv1.3 (OUT), TLS Unknown, Unknown (23):
* TLSv1.3 (IN), TLS Unknown, Unknown (23):
< HTTP/2 200
< date: Tue, 06 May 2025 12:00:12 GMT
< content-type: text/html; charset=utf-8
< server: cloudflare
< accept-ranges: bytes
< last-modified: Mon, 14 Apr 2025 17:11:05 GMT
< report-to: {"group":"cf-nel","max_age":604800,"endpoints":[{"url":"https://a.nel.cloudflare.com/report/v4?s=X7tpCkpQBT4r96X0r9XBNP%2F4hkjPdCYazgTKn5fqTJcfV5PbilZhNuQ0e0G7ZJ7YhyX%2FhljjvW%2BsfO5DRvC0OjL6ROEmswiErjBewoaieyJKoQx6uQrCufBhdFhjV%2BuA%2FGU8y9pBJ9w%3D"}]}
< x-process-time: 0
< cf-cache-status: DYNAMIC
< nel: {"report_to":"cf-nel","success_fraction":0.0,"max_age":604800}
< cf-ray: 93b850dc9cbb12a5-CPH
< alt-svc: h3=":443"; ma=86400
<
* TLSv1.3 (IN), TLS Unknown, Unknown (23):
<!doctype html>
<html lang="en">
        <head>
                <meta charset="utf-8" />
                <link rel="icon" type="image/png" href="/static/favicon.png" />
                <link rel="icon" type="image/png" href="/static/favicon-96x96.png" sizes="96x96" />
                <link rel="icon" type="image/svg+xml" href="/static/favicon.svg" />
                <link rel="shortcut icon" href="/static/favicon.ico" />
                <link rel="apple-touch-icon" sizes="180x180" href="/static/apple-touch-icon.png" />
                <meta name="apple-mobile-web-app-title" content="Open WebUI" />

                <link rel="manifest" href="/manifest.json" crossorigin="use-credentials" />
                <meta
                        name="viewport"
                        content="width=device-width, initial-scale=1, maximum-scale=1, viewport-fit=cover"
                />
                <meta name="theme-color" content="#171717" />
                <meta name="robots" content="noindex,nofollow" />
                <meta name="description" content="Open WebUI" />

[...]

        .animate-pulse-fast {
                animation: pulse 1.5s cubic-bezier(0.4, 0, 0.6, 1) infinite;
        }
</style>
* TLSv1.3 (IN), TLS Unknown, Unknown (23):
* Connection #0 to host happ1chat.ip-ddns.com left intact

As both the unsuccessful request, as well as the following successful were towards the same IP address, and Cloudflare facility, I’m still leaning towards the issue being somewhere between Cloudflare and your own server.

Have you tried with a “proper” domain name, that isn’t just a free (sub-)domain?

@Laudian and I have previously been seeing a lot of issues from those ClouDNS (sub-)domains, because ClouDNS isn’t doing the name delegations of them correctly.

The response to those cases have been like:

→

You will need to contact ClouDNS, about their delegation mess, if you want to have any kind of success with their “*.cloudns.*” (sub-)domains, using other name servers than ClouDNS’s own.

More information about their delegation mess can be found in Modifying cloudns dns records does not take effect - #2 by DarkDeviL :

Same applies to the mentioned happ1chat.ip-ddns.com.

So that also makes me wonder, what kind of other (sub-)domain names have you tried, where you also experienced the same kind of issues?

Unfortunately I don’t have a proper domain, but I tried with a subdomain from digitalplat, which, unlike cloudns didn’t require extra steps to configure and basically works “out of the box”.

The A records for my *.dpdns.org domain updated automatically to cloudflare ones, and the SOA record was this:

;; AUTHORITY SECTION:
.                       80334   IN      SOA     a.root-servers.net. nstld.verisign-grs.com. 2025050601 1800 900 604800 86400

Interestingly, the dnschecker result for SOA was hal.ns.cloudflare.com. dns.cloudflare.com. 2371970902 10000 2400 604800 1800.

I’m aware of the mess with their DNS records, but it seemed to work fine when I added these IPs to the A records in cloudns manually (alongside with NS records, of course):
104.21.23.220
172.67.213.245

I found these IPs by checking DNS resolutions with dnschecker.org. They were being partially resolved in some locations, so I figured these are the actual IPs I needed for cloudflare to work.
And it actually did work for a few weeks.
… Until it didn’t, starting from April 29-30th.

I would suggest going that way, if you actually care about the stuff you run.

Seeing a such SOA when querying the (sub-)domain, it would normally that the TLD, e.g. in case of “example.dpdns.org”, that “ORG” doesn’t exist at all.

There is a difference between the name server delegation (e.g. from the registry) and the NS records at the authoritative DNS provider.

There are a lot of DNS checkers that unfortunately only show the latter, which aren’t the ones you would care about, when you’re checking the delegation.

And then there is also the thing about implementation specific things, - e.g. you and your software may do one thing (regardless of whether that is done correctly, or incorrectly), where I and my software may do another thing, again with the same clause, … and which would be one of the reasons to the discrepancies you may see out there.

While it may be possible to play various games with certain things, you shouldn’t ever expect something like that to work, ever.

It’ is obviously very fortunate if it does, but such games are generally always bound to to break at some point.

→

All that being said, -

With the “Secure Connection Failed” error I saw above, I’m wondering:

What do you see under “Edge Certificates”?

→ https://dash.cloudflare.com/?to=/:account/:zone/ssl-tls/edge-certificates

Oh, it actually says pending validation now. I somehow thought I just needed to validate it only once when I created the domain. Maybe that’s why it’s so inconsistent.

Edit:
Probably not, because my *.dpdns.org domain has its edge certificate validated, but it still experiences the same inconsistency

The edge certificate is active again, but the situation didn’t change unfortunately. The website is still unusable

Suspected something there, especially because the error above, but also because there seemed only to be one set of certificate issued for the (sub-)domain, according to the Certificate Transparency logs.

I was thinking the delegation mess, and/or possibly rate limits, to be part of the problem regarding that, as free things are often heavily abused.

Is Tiered Cache enabled or disabled?

→ https://dash.cloudflare.com/?to=/:account/:zone/caching/tiered-cache

Without Tiered Cache, you literally have more than 300 different locations worldwide, that may be contacting your server.

With Tiered Cache, the amount of different locations that are contacting your server will be limited (together with improving cache hit rates more globally).

IF we’re talking about some regional problem, such as ISP blocking between Cloudflare and your server, then maybe enabling Tiered Cache could improve the situation (of course, assuming that the location that is being used with Tiered Cache isn’t having any issues, and that it for the same reason will be able to “workaround” the problem that way).

An alternative attempt to try to “workaround” the problem could eventually be with Cloudflare Tunnel, instead of pointing directly towards your server’s IP address.

If none of them are changing anything for you, I’d look in to doing something with a “proper” domain instead.

It was disabled. I enabled it right now, and it doesn’t seem to improve things. Actually, it might’ve made the erroring paths more consistent now somehow.

Another thing I noticed is that my server is logging the requests as successful (200, 304), but the requests in browser are still pending. From what I understand, it seems that the server has sent off the response, but the client (CF proxy?) didn’t receive it.

I’ll leave the tiered cache enabled for now and check again later once I wake up. Maybe it needs time to start working properly.

I’m considering doing some alternative proxying, yes. If I’d not be able to resolve this, I’ll probably try setting up some VPS with exposed ports and nginx. Hopefully at least that would work.

Nothing changed, unfortunately. I got it to cache almost every js file and every request was 200 in dev tools, but the page still didn’t load completely.
No login screen, etc.
And even when the login screen showed up, the authorization didn’t go through. Or rather the request was satisfied (response 200 and token in set-cookie header), but nothing happened.
It seemed like the browser was waiting for something in-between the requests for absolutely no reason.