Troubleshooting Cloudflare 5XX errors

Diagnose and resolve 5XX errors for Cloudflare proxied sites.


Overview

When troubleshooting most 5XX errors, the correct course of action is to first contact your hosting provider or site administrator to troubleshoot and gather data.

Cloudflare Support only assists the domain owner to resolve issues.  If you are a site visitor, report the problem to the site owner.

Required error details to provide your hosting provider

  1. Specific 5XX error code and message
  2. Time and timezone the 5XX error occurred
  3. URL that resulted in the HTTP 5XX error (for example: https://www.example.com/images/icons/image1.png)
The error cause is not always found in the origin server error logs Check logs of all load balancers, caches, proxies, or firewalls between Cloudflare and the origin web server.

Additional details to provide to your hosting provider or site administrator are listed within each error description below. Cloudflare Custom Error Pages change the appearance of default error pages discussed in this article.


Error 500: internal server error

Error 500 generally indicates an issue with your origin web server.  Error establishing database connection is a common HTTP 500 error message generated by your origin web server.  Contact your hosting provider to resolve.

Resolution

Provide details to your hosting provider to assist troubleshooting the issue.

However, if the 500 error contains “cloudflare” or “cloudflare-nginx” in the HTML response body, provide Cloudflare support with the following information:

  1. Your domain name
  2. The time and timezone of the 500 error occurrence
  3. The output of www.example.com/cdn-cgi/trace from the browser where the 500 error was observed (replace www.example.com with your actual domain and host name)
If you observe blank or white pages when visiting your website, confirm whether the issue occurs when temporarily pausing Cloudflare and contact your hosting provider for assistance.

Error 502 bad gateway or error 504 gateway timeout

An HTTP 502 or 504 error occurs when Cloudflare is unable to establish contact with your origin web server.

There are two possible causes:

502/504 from your origin web server

Cloudflare returns an Cloudflare-branded HTTP 502 or 504 error when your origin web server responds with a standard HTTP 502 bad gateway or 504 gateway timeout error:

image1.png

Resolution

Contact your hosting provider to troubleshoot these common causes at your origin web server:

  • Ensure the origin server responds to requests for the hostname and domain within the visitor’s URL that generated the 502 or 504 error.
  • Investigate excessive server loads, crashes, or network failures.
  • Identify applications or services that timed out or were blocked.

502/504 from Cloudflare

A 502 or 504 error originating from Cloudflare appears as follows:

image5.png


If the error does not mention “cloudflare,” contact your hosting provider for assistance on 502/504 errors from your origin.

Resolution

To avoid delays processing your inquiry, provide these required details to Cloudflare Support:

  1. Time and timezone the issue occurred.
  2. URL that resulted in the HTTP 502 or 504 response (for example: https://www.example.com/images/icons/image1.png)
  3. Output from browsing to www.example.com/cdn-cgi/trace (replace www.example.com with the domain and host name that caused the HTTP 502 or 504 error)

Error 503: service temporarily unavailable

HTTP error 503 occurs when your origin web server is overloaded. There are two possible causes discernible by error message:

  • Error doesn’t contain “cloudflare” or “cloudflare-nginx” in the HTML response body.

Resolution: Contact your hosting provider to verify if they rate limit requests to your origin web server.

  • Error contains “cloudflare” or “cloudflare-nginx” in the HTML response body.

Resolution: A connectivity issue occured in a Cloudflare data center. Provide Cloudflare support with the following information:

  1. Your domain name
  2. The time and timezone of the 503 error occurrence
  3. The output of www.example.com/cdn-cgi/trace from the browser where the 503 error was observed (replace www.example.com with your actual domain and host name)

Error 520: web server returns an unknown error

Error 520 occurs when the origin server returns an empty, unknown, or unexpected response to Cloudflare.

Resolution

A quick workaround while further investigating 520 errors is to either grey cloud the DNS record in the Cloudflare DNS app or temporarily pause Cloudflare.

Contact your hosting provider or site administrator and request a review of your origin web server error logs for crashes and to check for these common causes:

  • Origin web server application crashes
  • Cloudflare IPs not whitelisted at your origin.
  • Origin web server TCP idle timeouts shorter than 300 seconds
  • Headers exceeding 8 KB (typically due to too many cookies)
  • An empty response from the origin web server that lacks an HTTP status code or response body
  • Missing response headers or origin web server not returning proper HTTP error responses
520 errors are prevalent with certain PHP applications that crash the origin web server.


If 520 errors continue after contacting your hosting provider or site administrator, provide the following information to Cloudflare Support:

  • Full URL(s) of the resource requested when the error occurred
  • Cloudflare Ray ID from the 520 error message
  • Output from http://www.example.com/cdn-cgi/trace (replace www.example.com with your hostname and domain where the 520 error occurred)
  • Two HAR files:

Error 521: web server is down

Error 521 occurs when the origin web server refuses connections from Cloudflare. Security solutions at your origin may block legitimate connections from certain Cloudflare IP addresses.

The two most common causes of 521 errors are:

  • Offlined origin web server application
  • Blocked Cloudflare requests

Resolution

Contact your site administrator or hosting provider to eliminate these common causes:

  • Ensure your origin web server is responsive
  • Review origin web server error logs to identify web server application crashes or outages.
  • Confirm Cloudflare IP addresses are not blocked or rate limited
  • Whitelist all Cloudflare IP ranges in your origin web server's firewall or other security software

Error 522: connection timed out

Error 522 occurs when Cloudflare times out contacting the origin web server. Two different timeouts cause HTTP error 522 depending on when they occur between Cloudflare and the origin web server:

  1. Before a connection is established, the origin web server does not return a SYN+ACK to Cloudflare within 15 seconds of Cloudflare sending a SYN.
  2. After a connection is established, the origin web server doesn’t acknowledge (ACK) Cloudflare’s resource request within 90 seconds.
An HTTP 524 error occurs if the origin web server acknowledges (ACK) the resource request after the connection is established, but does not send a timely response.

Resolution

Contact your hosting provider to check the following common causes at your origin web server:

  • (Most common cause) Cloudflare IP addresses are rate limited or blocked in .htaccess, iptables, or firewalls. Confirm your hosting provider whitelists Cloudflare IP addresses.
  • An overloaded or offline origin web server drops incoming requests.
  • Keepalives are disabled at the origin web server.
  • The origin IP address in your Cloudflare DNS app does not match the IP address currently provisioned to your origin web server by your hosting provider.
  • Packets were dropped at your origin web server.

If none of the above leads to a resolution, request the following information from your hosting provider or site administrator before contacting Cloudflare support:

  • An MTR or traceroute from your origin web server to a Cloudflare IP address that most commonly connected to your origin web server before the issue occurred. Identify a connecting Cloudflare IP recorded in the origin web server logs.
  • Details from the hosting provider’s investigation such as pertinent logs or conversations with the hosting provider.

Error 523: origin is unreachable

Error 523 occurs when Cloudflare cannot contact your origin web server.This typically occurs when a network device between Cloudflare and the origin web server doesn’t have a route to the origin’s IP address.

Resolution
Contact your hosting provider to exclude the following common causes at your origin web server:

  • Confirm the correct origin IP address is listed for A or AAAA records within your Cloudflare DNS app.
  • Troubleshoot Internet routing issues between your origin and Cloudflare, or with the origin itself.
If your hosting provider frequently changes your origin web server’s IP address, refer to Cloudflare’s documentation on dynamic DNS updates.

If none of the above leads to a resolution, request the following information from your hosting provider or site administrator:

  • An MTR or traceroute from your origin web server to a Cloudflare IP address that most commonly connected to your origin web server before the issue occurred. Identify a connecting Cloudflare IP from the logs of the origin web server.
  • If you use Railgun via a Cloudflare Hosting Partner, contact your hosting provider to troubleshoot the 523 errors.
  • If you manage your Railgun installation, provide the following to Cloudflare support:
    • A traceroute to your origin web server from your Railgun server.
    • The most recent syslog file from your Railgun server.

Error 524: a timeout occurred

Error 524 indicates that Cloudflare successfully connected to the origin web server, but the origin did not provide an HTTP response before the default 100 second connection timed out.

Enterprise customers can increase the 524 timeout up to 600 seconds.

Resolution
Contact your hosting provider to exclude the following common causes at your origin web server:

  • A long-running process on the origin web server.
  • An overloaded origin web server.
Logging request response time at your origin web server helps identify the cause of resource slowness. Contact your hosting provider or site administrator for assistance in adjusting log formats or search for related logging documentation for your brand of web server such as Apache or Nginx.

If you regularly run HTTP requests that take over 100 seconds to complete (for example large data exports), move those processes behind a subdomain not proxied (grey clouded) in the Cloudflare DNS app.

If error 524 occurs for a domain using Cloudflare Railgun, ensure the lan.timeout is set higher than the default of 30 seconds and restart the railgun service.

Error 525: SSL handshake failed

525 errors are often caused by a configuration issue on the origin web server. Error 525 occurs when these two conditions are true:

  1. The SSL handshake fails between Cloudflare and the origin web server, and
  2. Full or Full (Strict) SSL is set in the Overview tab of your Cloudflare SSL/TLS app.

Resolution

Contact your hosting provider to exclude the following common causes at your origin web server:

  • No valid SSL certificate installed
  • Port 443 (or other custom secure port) is not open
  • No SNI support
  • The cipher suites accepted by Cloudflare does not match the cipher suites supported by the origin web server
If 525 errors occur intermittently, review the origin web server error logs to determine the cause. Configure Apache to log mod_ssl errors. Also, nginx includes SSL errors in its standard error log, but may possibly require an increased log level.

Error 526: invalid SSL certificate

Error 526 occurs when these two conditions are true:

  1. Cloudflare cannot validate the SSL certificate at your origin web server, and
  2. Full SSL (Strict) SSL is set in the Overview tab of your Cloudflare SSL/TLS app.

Resolution

For a potential quick fix, set SSL to Full instead of Full (strict) in the Overview tab of your Cloudflare SSL/TLS app for the domain.

Request your server administrator or hosting provider to review the origin web server’s SSL certificates and verify that:

troubleshooting_5xx_errors_sslshopper_output.png

If the origin server uses a self-signed certificate, configure the domain to use Full SSL instead of Full SSL (Strict). Refer to recommended SSL settings for your origin.


527 Error: Railgun Listener to origin error

A 527 error indicates an interrupted connection between Cloudflare and your origin's Railgun server (rg-listener). Common causes include:

  • Firewall interference
  • Network incidents or packet loss between the Railgun server and Cloudflare
For additional details to aid troubleshooting, increase Railgun logging.

Common causes of 527 errors include:

If contacting Cloudflare support, provide the following information from the Railgun Listener:

  • The full content of the railgun.conf file
  • The full content of the railgun-nat.conf file
  • Railgun log files that detail the observed errors

Connection timeouts

The following Railgun log errors indicate a connection failure between the Railgun Listener and your origin web server:

connection failed 0.0.0.0:443/example.com: dial tcp 0.0.0.0:443: i/o timeout
no response from origin (timeout) 0.0.0.0:80/example.com

Resolution

Contact your hosting provider for assistance to test for connectivity issues between your origin web server and your Railgun Listener. For example, a netcat command tests connectivity when run from the Railgun Listener to the origin web server’s SERVERIP and PORT (80 for HTTP or 443 for HTTPS):

nc -vz SERVERIP PORT

LAN timeout exceeded

The following Railgun Listener log error is generated if the origin web server does not send an HTTP response to the Railgun Listener within the 30 second default timeout:

  connection failed 0.0.0.0:443/example.com: dial tcp 0.0.0.0:443: i/o timeout

The time is adjusted by the lan.timeout parameter of the railgun.conf file.

Resolution

Either increase the lan.timeout limit in railgun.conf, or review the web server configuration. Contact your hosting provider to confirm if the origin web server is overloaded.

Connection refusals

The following errors appear in the Railgun logs when requests from the Railgun Listener are refused:

Error getting page: dial tcp 0.0.0.0:80:connection refused

Resolution

Whitelist the IP of your Railgun Listener at your origin web server’s firewall.

TLS/SSL related errors

The following errors appear in the Railgun logs if TLS connections fail:

connection failed 0.0.0.0:443/example.com: remote error: handshake failure
connection failed 0.0.0.0:443/example.com: dial tcp 0.0.0.0:443:connection refused
connection failed 127.0.0.1:443/www.example.com: x509: certificate is valid for
example.com, not www.example.com

Resolution

If TLS/SSL errors occur, check the following on the origin web server and ensure that:

  • Port 443 is open
  • An SSL certificate is presented by the origin web server
  • the SAN or Common Name of the origin web server’s SSL certificate contains the requested hostname
  • SSL is set to Full or Full (Strict) in the Overview tab of the Cloudflare SSL/TLS app
If your origin web server SSL certificate is self-signed, set validate.cert=0 in railgun.conf.

Error 530

HTTP error 530 is returned with an accompanying 1XXX error displayed. Search for the specific 1XXX error within the Cloudflare Help Center for troubleshooting information.


Related resources

 

Not finding what you need?

95% of questions can be answered using the search tool. This is the quickest way to get a response.

Powered by Zendesk