---------------------------------------------------------
Create A Forum - Support Forums
HTML https://support.createaforum.com
---------------------------------------------------------
#Post#: 26667--------------------------------------------------
User-Reported Cloudflare Issues
By: Cornucopia Date: September 25, 2025, 3:39 am
---------------------------------------------------------
I'm getting a small number of reports from users regarding
Cloudflare error pages. There doesn't seem to be a consistent
pattern, and the errors include 520, 522 and 525.
The main person encountering these issues has an iPad Air,
15.8.5. They are using Safari Browser.
#Post#: 26668--------------------------------------------------
Re: User-Reported Cloudflare Issues
By: CreateAForum Date: September 25, 2025, 8:47 am
---------------------------------------------------------
What AI said.
Short version: 520, 522 and 525 come from Cloudflare failing to
talk to your origin, not from the user’s device/browser.
Intermittent reports usually point to origin/firewall/TLS issues
that only affect some Cloudflare datacenters or some request
patterns (e.g., very large cookies). Here’s a focused checklist
to find and fix the root cause.
What the codes usually mean
520: Origin returned an unexpected/invalid/empty response or
reset the connection (often large/invalid headers, app crash, or
origin proxy/WAF killing the request).
522: Cloudflare couldn’t complete the TCP handshake to your
origin (origin down/overloaded, firewall blocking Cloudflare
IPs, IPv6 misconfig, wrong DNS).
525: SSL/TLS handshake from Cloudflare to your origin failed
(bad/expired origin cert, SNI mismatch, cipher/TLS mismatch,
mTLS misconfig).
High‑value data to collect
Ask affected users for the Cloudflare “Ray ID”, timestamp,
URL, and city shown on the error page.
Correlate Ray IDs with your origin logs at that exact time.
If there is no origin log entry for a failing request, your
firewall/LB rejected it before HTTP.
Quick client-side checks (to rule out per-user header/cookie
issues)
Have the user try a Private/Incognito window or clear
cookies for your domain. If the error disappears, you likely
have oversized cookies/request headers triggering 520.
Try another network (Wi‑Fi vs cellular) and
temporarily disable iCloud Private Relay; this changes which
Cloudflare colo they hit. If one path consistently fails, focus
on routing/firewall to origin.
Origin and network checks
1. Firewall/ACLs
Allowlist all Cloudflare IP ranges on your origin, host
firewall, and any upstream WAF/LB:
HTML https://www.cloudflare.com/ips/
If you block by country/ASN at origin, remember all client
traffic comes from Cloudflare IPs—do not block them.
Check hosting provider’s DDoS/auto‑blocking isn’t
rate‑limiting Cloudflare subnets.
2. DNS and IPv6
Ensure proxied DNS records point to the correct origin(s).
If you have an AAAA record but your origin isn’t reliably
listening on IPv6, remove the AAAA or fix IPv6. Misconfigured
IPv6 is a common cause of 522 that only hits some Cloudflare
colos.
3. Origin capacity/timeouts
Check CPU, memory, connection limits, open file limits, SYN
backlog, and TLS handshakes/sec at reported times.
Web server settings: ensure keepalive is on and
worker/connection limits are not being hit (nginx/Apache).
If behind another proxy/LB, confirm it’s healthy and not
dropping new connections under load.
4. TLS/525 specifics
Use Full (strict) with a valid origin certificate for the
exact hostname (Let’s Encrypt or a Cloudflare Origin
Certificate) and include the full chain.
Verify SNI and hostname: Cloudflare sends SNI = requested
hostname. If your origin cert is for a different name (e.g.,
internal LB name), either install a cert for the public hostname
on all nodes or create a Cloudflare Origin Rule to override the
“Server Name” (SNI) to match your backend cert name.
Test from a terminal:
    openssl s_client -servername yoursite.com -connect ORIGIN_IP:443 -tls1_2
Repeat for each backend in the pool and confirm a clean
chain and matching hostname.
If using Authenticated Origin Pulls (mTLS), re‑install
the current Cloudflare Origin Pull certificate and CA on the
origin.
5. 520 specifics (often user‑specific)
Large or malformed request headers/cookies can trigger 520
if the origin/proxy closes the connection early.
Look for 400/431 in origin logs near the failures.
If you store big JWTs/session data in cookies, reduce
size; aim well below ~16 KB total request headers.
For nginx, you can raise limits to buy time:
large_client_header_buffers (but best is to shrink cookies).
Temporarily disable origin-side security plugins/WAF rules
to rule out them killing requests.
6. Routing variance between Cloudflare colos and your origin
Note the colo code on the error page (e.g., SFO, LHR). If
only certain colos fail, it’s a path/firewall/IPv6 issue.
Consider enabling Argo Smart Routing to stabilize
edge‑to‑origin paths.
If you use multiple origins behind a LB, ensure identical
TLS/cert config on all nodes.
Cloudflare settings to review
SSL/TLS mode: use Full (strict).
Network: if you’ve enabled HTTP/2 to origin and your
origin’s HTTP/2 is buggy, try toggling it.
If you’ve just added new hostnames, ensure the origin
certificate covers them.
If you have Origin Rules available, set the “Server Name”
override if your origin expects a different SNI.
When to contact Cloudflare
Open a ticket with Ray IDs, timestamps, URLs, and observed
colos. They can trace edge‑to‑origin attempts.
Provide your origin IP(s) and any firewall reference IDs.
Fast triage order
Collect Ray IDs from users and correlate with origin logs.
Check and allowlist Cloudflare IPs on all origin security
layers.
Verify DNS (especially AAAA) and that origin is listening on
the advertised IPs.
Validate origin TLS: correct hostname/SNI, full chain, not
expired; test with openssl.
Ask the iPad user to try a private tab (cookie size test)
and share the Ray ID if it still fails.
If you share one recent Ray ID and your hostname (or a redacted
config), I can help pinpoint the most likely cause next.
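Added example, not part of the original post or of CreateAForum's setup: one way to do the "correlate Ray IDs with origin logs" step from the checklist above. It assumes the origin logs the CF-Ray request header (for nginx, `$http_cf_ray`) in the log format shown in the comment; the log lines, Ray IDs and verdict names are constructed for illustration.

```python
import re

# Constructed origin access-log lines (not from the thread). Assumed nginx
# log_format: $time_iso8601 $status $request_length "$request" ray=$http_cf_ray
ORIGIN_LOG = """\
2025-09-26T07:31:02+00:00 200 812 "GET /index.php HTTP/1.1" ray=8c9a1f0e2b3c4d5e-LHR
2025-09-26T07:33:40+00:00 431 17950 "GET /index.php?topic=1 HTTP/1.1" ray=8c9a21aa4f6b7c8d-LHR
2025-09-26T07:34:11+00:00 200 655 "GET /index.php?action=unread HTTP/1.1" ray=8c9a2277d1e2f3a4-SFO
"""

# Constructed user reports: (Ray ID from the error page, Cloudflare error code).
REPORTS = [("8c9a21aa4f6b7c8d", 520), ("8c9a3300aabbccdd", 522), ("8C9A2277D1E2F3A4", 520)]

LINE = re.compile(
    r'^(?P<ts>\S+) (?P<status>\d{3}) (?P<req_len>\d+) "(?P<request>[^"]*)" '
    r'ray=(?P<ray>[0-9a-f]{16})-(?P<colo>[A-Z]{3})$'
)
HEADER_BUDGET = 16 * 1024  # the ~16 KB figure from the checklist


def index_by_ray(log_text):
    """Map the hex part of CF-Ray to the parsed origin log entry."""
    index = {}
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if m:  # skip lines without a Ray ID (direct-to-origin traffic, noise)
            e = m.groupdict()
            e["status"], e["req_len"] = int(e["status"]), int(e["req_len"])
            index[e["ray"]] = e
    return index


def triage(ray_id, index):
    """Classify one report by what the origin saw for that Ray ID."""
    ray = ray_id.strip().lower().split("-")[0]  # error pages omit the colo suffix
    entry = index.get(ray)
    if entry is None:
        return "no-origin-entry"    # dropped before HTTP: firewall, LB, TCP or TLS
    if entry["status"] in (400, 431) or entry["req_len"] > HEADER_BUDGET:
        return "oversized-headers"  # shrink cookies / request headers
    if entry["status"] >= 500:
        return "origin-error"       # app or upstream proxy failed
    return "origin-ok"              # origin logged a normal reply; check the response path


if __name__ == "__main__":
    idx = index_by_ray(ORIGIN_LOG)
    for ray, code in REPORTS:
        print(ray, code, triage(ray, idx))
```

A report that comes back as `no-origin-entry` matches the checklist's point that the request was rejected before HTTP, which is the expected result for 522 and 525.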
#Post#: 26669--------------------------------------------------
Re: User-Reported Cloudflare Issues
By: Cornucopia Date: September 25, 2025, 9:15 am
---------------------------------------------------------
I have the screenshot below (and a couple of others, if needed).
It shows the timestamp and the Ray ID.
Other than that, I will ask the user to try another connection,
if they have one. Also will ask them to try a private browser
window.
Everything else there looks server side.
[img]
HTML https://moneyskiversarms.createaforum.com/index.php?action=dlattach;topic=1330.0;attach=23952;image[/img]
#Post#: 26670--------------------------------------------------
Re: User-Reported Cloudflare Issues
By: Cornucopia Date: September 26, 2025, 7:34 am
---------------------------------------------------------
I'm getting occasional Cloudflare errors myself now.
I've tried both the alternate Wifi and the private browser
window and neither of them seemed to make any difference,
although the errors are so random it's hard to tell for
sure.
My config is Windows 10 Version 10.0.19045 Build
19045, Chrome Browser Version 140.0.7339.185 (Official Build)
(64-bit)
Here is my screenshot:-
[attachimg=1]
#Post#: 26671--------------------------------------------------
Re: User-Reported Cloudflare Issues
By: CreateAForum Date: September 26, 2025, 10:11 am
---------------------------------------------------------
Hmm, haven't seen on my end. These are very hard to
troubleshoot...
I just disabled HTTP/2 to origin in Cloudflare based on a Google
search. Let me know if errors still occur.
#Post#: 26672--------------------------------------------------
Re: User-Reported Cloudflare Issues
By: Cornucopia Date: September 26, 2025, 12:00 pm
---------------------------------------------------------
Okay, will do.
#Post#: 26675--------------------------------------------------
Re: User-Reported Cloudflare Issues
By: animaniactoo Date: September 28, 2025, 3:23 pm
---------------------------------------------------------
I had also been getting a number of Cloudflare errors but they
seemed to report it was not my device or internet that was the
problem, so I assumed that it was botting happening on your end.
A couple of other users gave me similar feedback on Friday. I
haven't seen any errors today.
#Post#: 26676--------------------------------------------------
Re: User-Reported Cloudflare Issues
By: CreateAForum Date: September 28, 2025, 5:26 pm
---------------------------------------------------------
Let me know if you see any again... I made the early Friday CST
time.
#Post#: 26677--------------------------------------------------
Re: User-Reported Cloudflare Issues
By: CreateAForum Date: September 29, 2025, 12:54 pm
---------------------------------------------------------
Any more errors occurred from Cloudflare?
#Post#: 26678--------------------------------------------------
Re: User-Reported Cloudflare Issues
By: animaniactoo Date: September 29, 2025, 4:50 pm
---------------------------------------------------------
Not that I have seen today. I will report in when I check in
from my device at home (which is where I was when the error was
occurring).