From 72feb80950595836d457b7231e57d6adcfe158e6 Mon Sep 17 00:00:00 2001 From: Angela Costa Date: Tue, 29 Apr 2025 10:34:17 +0100 Subject: [PATCH 1/2] Proposal to create different pages for 5XX errors --- .../cloudflare-5xx-errors.mdx | 406 ------------------ .../cloudflare-5xx-errors/error-500.mdx | 28 ++ .../cloudflare-5xx-errors/error-502-504.mdx | 52 +++ .../cloudflare-5xx-errors/error-503.mdx | 37 ++ .../cloudflare-5xx-errors/error-520.mdx | 47 ++ .../cloudflare-5xx-errors/error-521.mdx | 27 ++ .../cloudflare-5xx-errors/error-522.mdx | 35 ++ .../cloudflare-5xx-errors/error-523.mdx | 24 ++ .../cloudflare-5xx-errors/error-524.mdx | 50 +++ .../cloudflare-5xx-errors/error-525.mdx | 43 ++ .../cloudflare-5xx-errors/error-526.mdx | 59 +++ .../cloudflare-5xx-errors/error-530.mdx | 18 + .../cloudflare-5xx-errors/index.mdx | 91 ++++ 13 files changed, 511 insertions(+), 406 deletions(-) delete mode 100644 src/content/docs/support/troubleshooting/http-status-codes/cloudflare-5xx-errors.mdx create mode 100644 src/content/docs/support/troubleshooting/http-status-codes/cloudflare-5xx-errors/error-500.mdx create mode 100644 src/content/docs/support/troubleshooting/http-status-codes/cloudflare-5xx-errors/error-502-504.mdx create mode 100644 src/content/docs/support/troubleshooting/http-status-codes/cloudflare-5xx-errors/error-503.mdx create mode 100644 src/content/docs/support/troubleshooting/http-status-codes/cloudflare-5xx-errors/error-520.mdx create mode 100644 src/content/docs/support/troubleshooting/http-status-codes/cloudflare-5xx-errors/error-521.mdx create mode 100644 src/content/docs/support/troubleshooting/http-status-codes/cloudflare-5xx-errors/error-522.mdx create mode 100644 src/content/docs/support/troubleshooting/http-status-codes/cloudflare-5xx-errors/error-523.mdx create mode 100644 src/content/docs/support/troubleshooting/http-status-codes/cloudflare-5xx-errors/error-524.mdx create mode 100644 src/content/docs/support/troubleshooting/http-status-codes/cloudflare-5xx-errors/error-525.mdx create mode 100644 src/content/docs/support/troubleshooting/http-status-codes/cloudflare-5xx-errors/error-526.mdx create mode 100644 src/content/docs/support/troubleshooting/http-status-codes/cloudflare-5xx-errors/error-530.mdx create mode 100644 src/content/docs/support/troubleshooting/http-status-codes/cloudflare-5xx-errors/index.mdx diff --git a/src/content/docs/support/troubleshooting/http-status-codes/cloudflare-5xx-errors.mdx b/src/content/docs/support/troubleshooting/http-status-codes/cloudflare-5xx-errors.mdx deleted file mode 100644 index d7bbab92cc60dd0..000000000000000 --- a/src/content/docs/support/troubleshooting/http-status-codes/cloudflare-5xx-errors.mdx +++ /dev/null @@ -1,406 +0,0 @@ ---- -pcx_content_type: troubleshooting -title: Cloudflare 5XX errors -source: null ---- - -import { GlossaryTooltip } from "~/components"; - -When troubleshooting most `5XX` errors, the correct course of action is to first contact your hosting provider or site administrator to troubleshoot and gather data. The following sections outline: - -- The [information](/support/troubleshooting/http-status-codes/cloudflare-5xx-errors/#required-error-details-for-hosting-provider) to provide your hosting provider to help resolve the errors -- The steps to access [error analytics](/support/troubleshooting/http-status-codes/cloudflare-5xx-errors/#error-analytics) in the Cloudflare dashboard. - -:::note - -Cloudflare Support only assists the domain owner to resolve issues. If you are a site visitor, report the problem to the site owner. - -::: - -### Required error details for hosting provider - -When contacting your hosting provider, share the following information: - -- The specific `5XX` error code and message. -- The time and timezone when the `5XX` error occurred. -- The URL that resulted in the HTTP `5XX` error (for example, `https://www.example.com/images/icons/image1.png`). - -The cause of the error is not always found in the origin server's error logs. Be sure to check the logs of any load balancers, caches, proxies, or firewalls between Cloudflare and the origin web server. - -Additional details to provide to your hosting provider or site administrator can be found in the error descriptions below. Note that Cloudflare [Custom Errors](/rules/custom-errors/) can alter the appearance of default error pages discussed in this page. - -### Error analytics - -Error analytics per domain are available within [Zone Analytics](/analytics/account-and-zone-analytics/zone-analytics/). Error analytics provides insights into overall errors by HTTP error code and offers details such as the URLs, source IP addresses, and Cloudflare data centers needed to diagnose and resolve issues. Error Analytics are based on a 1% traffic sample. - -To view Error Analytics: - -1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com). -2. Select your account and domain. -3. Go to **Analytics & Logs**. -4. Select **Add filter**, select **Edge status code** or **Origin status code** and choose any `5xx` error code that you want to diagnose. - ---- - -## Error 500: internal server error - -This error indicates a problem with your origin web server, preventing it from fulfilling the request. - -### Common causes - -The `Error establishing database connection message` is a common HTTP `500` error, typically indicating an origin web server issue. If you encounter this error, contact your hosting provider for assistance. - -### Resolution - -When dealing with most `5XX` errors, the first step is to reach out to your hosting provider or site administrator to help troubleshoot the issue. Share the necessary [error details](#required-error-details-for-hosting-provider) to your hosting provider to assist troubleshooting the issue. - -However, if the `500` error contains `cloudflare` or `cloudflare-nginx` in the HTML response body, contact [Cloudflare support](/support/contacting-cloudflare-support/) and provide the following details: - -- Your domain name -- The time and timezone of the `500` error occurrence -- The output of `www.example.com/cdn-cgi/trace` from the browser where the `500` error was observed (replace `www.example.com` with your actual domain and hostname) - -:::note - -If you observe blank or white pages when visiting your website, confirm whether the issue occurs when [temporarily pausing Cloudflare](/fundamentals/setup/manage-domains/pause-cloudflare/) and contact your hosting provider for assistance. -::: - -## Error 502 bad gateway or error 504 gateway timeout - -An HTTP `502` or `504` error indicates that Cloudflare is unable to establish contact with your origin web server. - -### Common causes - -There are two possible causes: - -- [`502/504` errors from your origin web server](#502504-from-your-origin-web-server) (most common). -- [`502/504` errors from Cloudflare](#502504-from-cloudflare). - -You may also see `504` status codes in logs or analytics caused by [cache MISS responses from Early Hints](/cache/advanced-configuration/early-hints/#emit-early-hints). - -### Resolution - -To resolve `502/504` errors, it is essential to identify whether the issue originates from your origin web server or Cloudflare. In the following sections, you can find more details for troubleshooting and resolving errors from both sources. - -#### 502/504 from your origin web server - -Cloudflare returns a Cloudflare-branded HTTP `502` or `504` error when your origin web server responds with a standard HTTP `502 bad gateway` or `504 gateway timeout` error: - -![Example of a Cloudflare-branded error 502.](~/assets/images/support/image1.png) - -Contact your hosting provider to troubleshoot these common causes at your origin web server: - -- Ensure the origin server responds to requests for the hostname and domain within the visitor's URL that generated the `502` or `504` error. -- Investigate excessive server loads, crashes, or network failures. -- Identify applications or services that timed out or were blocked. - -#### 502/504 from Cloudflare - -A `502` or a `504` error originating from Cloudflare appears as follows: - -![Example of an unbranded error 502.](~/assets/images/support/image5.png) - -If the error does not mention `cloudflare`, contact your hosting provider for assistance. Refer to [502/504 errors from your origin](#502504-from-your-origin-web-server) for more information. - -This error can occur due to a compression issue at the origin, such as when the origin server serves gzip-encoded compressed content but fails to update the `content-length` header, or if the origin is serving broken gzip compressed content. To diagnose this, you can try disabling compression at your origin to confirm if it resolves the error. - -Additionally, in some cases, a particular data center may experience a sudden increase in traffic. To ensure minimal impact for customers, our automated processes will redirect traffic to another data center. These adjustments typically happen seamlessly and take just a few seconds. However, during this process, some clients may experience temporary latency or HTTP `502` errors. You can find more information about our automated traffic management tools in this [blogpost](https://blog.cloudflare.com/meet-traffic-manager). - -If you need further assistance from our Support team, provide the following details to [Cloudflare Support](/support/contacting-cloudflare-support/) to avoid delays in processing your inquiry: - -- The time and timezone when the issue occurred. -- The URL that resulted in the HTTP `502` or `504` response (for example, `https://www.example.com/images/icons/image1.png`). -- The output from browsing to `/cdn-cgi/trace`. - -## Error 503: service temporarily unavailable - -HTTP error 503 occurs when your origin web server is overloaded. - -### Common causes - -There are different causes identifiable by the error message or the location of the error: - -- Error does not contain `cloudflare` or `cloudflare-nginx` in the HTML response body. In this case, the issue is likely from your origin server. -- Error contains `cloudflare` or `cloudflare-nginx` in the HTML response body. In this case, the issue may stem from Cloudflare. -- Error is only visible in logs or analytics. - -### Resolution - -To resolve a `503` error, first determine whether the issue originates from your origin web server or Cloudflare. The following sections provide guidance on troubleshooting both scenarios. - -#### 503 Error without `cloudflare` or `cloudflare-nginx` - -If the error does not contain `cloudflare` or `cloudflare-nginx` in the HTML response body, contact your hosting provider to verify if they rate limit requests to your origin web server. - -#### 503 Error with `cloudflare` or `cloudflare-nginx` - -If the error contains `cloudflare` or `cloudflare-nginx` in the HTML response body, a connectivity issue occurred in a Cloudflare data center. Provide [Cloudflare support](/support/contacting-cloudflare-support/) with the following information: - -- Your domain name -- The time and timezone of the `503` error occurrence -- The output of `www.example.com/cdn-cgi/trace` from the browser where the `503` error was observed (replace `www.example.com` with your actual domain and hostname) - -#### 503 Error only visible in logs and analytics - -These errors result from [unsuccessful prefetches from Speed Brain](/speed/optimization/content/speed-brain/#how-speed-brain-works) and can be discarded. These errors are not visible to visitors of your website. [Speed Brain](/speed/optimization/content/speed-brain/#enable-and-disable-speed-brain) can be disabled for the zone if needed (this feature cannot be disabled for a specific path). - -## Error 520: web server returns an unknown error - -This error occurs when the origin server returns an empty, unknown, or unexpected response to Cloudflare. - -### Common causes - -This error is often triggered by: - -- Origin server crashes or misconfigurations. -- Firewalls or security plugins blocking [Cloudflare IPs](https://www.cloudflare.com/ips) at your origin. -- Headers exceeding 16 KB (often due to excessive cookies). -- Empty or malformed responses lacking an HTTP status code or response body. -- Missing response headers or origin web server not returning [proper HTTP error responses](https://www.iana.org/assignments/http-status-codes/http-status-codes.xhtml). -- Incorrect HTTP/2 configuration at the origin server. - -:::note - -`520` errors are prevalent with certain PHP applications that crash the origin web server. - -::: - -### Resolution - -:::note - -As a temporary workaround, you can set the affected DNS record to [DNS-only](/dns/proxy-status/) in the Cloudflare **DNS** app or [temporarily pause Cloudflare](/fundamentals/setup/manage-domains/pause-cloudflare/). - -::: - -- Contact your hosting provider or site administrator and share the necessary [error details](#required-error-details-for-hosting-provider) to assist with troubleshooting. Request a review of your origin web server error logs for crashes and check for [common causes](/support/troubleshooting/http-status-codes/cloudflare-5xx-errors/#common-causes-3) mentioned in the previous section. - -- If HTTP/2 is enabled at your origin server, ensure it is correctly set up. Cloudflare connects to servers who announce support of HTTP/2 connections via [ALPN](https://blog.cloudflare.com/introducing-http2). If the origin web server accepts the HTTP/2 connection but then does not respect or support the protocol, an HTTP `520` error will be returned. You can disable the [HTTP/2 to Origin](/speed/optimization/protocol/http2-to-origin/#disable-http2-to-origin) in **Speed** > **Optimization** > **Protocol Optimization** on the Cloudflare dashboard. - -- If `520` errors continue after contacting your hosting provider or site administrator, provide the following information to [Cloudflare Support](/support/contacting-cloudflare-support/): - - - Full URL(s) of the resource requested when the error occurred. - - Cloudflare **cf-ray** from the `520` error message. - - Output from `http:///cdn-cgi/trace`. - - Two [HAR files](/support/troubleshooting/general-troubleshooting/gathering-information-for-troubleshooting-sites/#generate-a-har-file): - - One with Cloudflare enabled on your website. - - Another with [Cloudflare temporarily disabled](/fundamentals/setup/manage-domains/pause-cloudflare/). - -## Error 521: web server is down - -Error `521` occurs when the origin web server refuses connections from Cloudflare. Security solutions at your origin may block legitimate connections from certain [Cloudflare IP addresses](https://www.cloudflare.com/ips). - -### Common causes - -The two most common causes of `521` errors are: - -- Offlined origin web server application. -- Blocked Cloudflare requests. - -### Resolution - -Contact your hosting provider or site administrator and share the necessary [error details](#required-error-details-for-hosting-provider) to assist in troubleshooting these common causes: - -- Ensure your origin web server is responsive. -- Review origin web server error logs to identify web server application crashes or outages. -- Confirm [Cloudflare IP addresses](https://www.cloudflare.com/ips) are not blocked or rate limited. -- Allow all [Cloudflare IP ranges](https://www.cloudflare.com/ips) in your origin web server's firewall or other security software. -- Confirm that — if you have your **SSL/TLS mode** set to **Full** or **Full (Strict**) — your origin supports HTTPS and/or you have installed a [Cloudflare Origin Certificate](/ssl/origin-configuration/origin-ca) or a certificate matching the [requirements for these modes](/ssl/origin-configuration/ssl-modes/#custom-ssltls). -- Find additional troubleshooting information on the [Cloudflare Community](https://community.cloudflare.com/t/community-tip-fixing-error-521-web-server-is-down/42461). - -## Error 522: connection timed out - -Error `522` occurs when Cloudflare times out contacting the origin web server. - -### Common causes - -Two different timeouts cause HTTP error `522` depending on when they occur between Cloudflare and the origin web server: - -- Before a connection is established, the origin web server does not return a SYN+ACK to Cloudflare within 19 seconds of Cloudflare sending a SYN. -- After a connection is established, the origin web server does not acknowledge (ACK) Cloudflare's resource request within 90 seconds. - -### Resolution - -- Contact your hosting provider and share the necessary [error details](#required-error-details-for-hosting-provider) to assist in troubleshooting these common causes: - - - [Cloudflare IP addresses](https://www.cloudflare.com/ips/) are rate limited or blocked in .htaccess, iptables, or firewalls. Confirm your hosting provider allows Cloudflare IP addresses (most common cause). - - An overloaded or offline origin web server drops incoming requests. - - [Keepalives](http://tldp.org/HOWTO/TCP-Keepalive-HOWTO/overview.html) are disabled at the origin web server. - - The origin IP address in your Cloudflare **DNS** app does not match the IP address currently provisioned to your origin web server by your hosting provider. - - Packets were dropped at your origin web server. - -- If you are using [Cloudflare Pages](/pages/), verify that you have a custom domain set up and that your CNAME record is pointed to your [custom Pages domain](/pages/configuration/custom-domains/#add-a-custom-domain). - -- If you are using [Workers with a Custom Domain](/workers/configuration/routing/custom-domains/), performing a `fetch` to its own hostname will cause a `522` error. Consider using a [Route](/workers/configuration/routing/) or target another hostname instead. - -- If none of the above leads to a resolution, request the following information from your hosting provider or site administrator before [contacting Cloudflare support](/support/contacting-cloudflare-support/): - - - An [MTR or traceroute](/support/troubleshooting/general-troubleshooting/gathering-information-for-troubleshooting-sites/#perform-a-traceroute) from your origin web server to a [Cloudflare IP address](http://www.cloudflare.com/ips) that most commonly connected to your origin web server before the issue occurred. Identify a connecting Cloudflare IP recorded in the origin web server logs. - - Details from the hosting provider's investigation, such as pertinent logs or conversations with the hosting provider. - -## Error 523: origin is unreachable - -This error occurs when Cloudflare cannot contact your origin web server. - -### Common causes - -This typically occurs when a network device between Cloudflare and the origin web server does not have a route to the origin's IP address. - -### Resolution - -Contact your hosting provider and share the necessary [error details](#required-error-details-for-hosting-provider) to exclude the following common causes at your origin web server: - -- Confirm the correct origin IP address is listed for A or AAAA records within your Cloudflare DNS app. -- Troubleshoot Internet routing issues between your origin and Cloudflare, or with the origin itself. - -If none of the above leads to a resolution, request the following information from your hosting provider or site administrator: - -- An [MTR or traceroute](/support/troubleshooting/general-troubleshooting/gathering-information-for-troubleshooting-sites/#perform-a-traceroute) from your origin web server to a [Cloudflare IP address](http://www.cloudflare.com/ips) that most commonly connected to your origin web server before the issue occurred. Identify a connecting Cloudflare IP from the logs of the origin web server. - -## Error 524: a timeout occurred - -Error `524` usually indicates that Cloudflare successfully connected to the origin web server, but the origin did not provide an HTTP response before the default 100 seconds [Proxy Read Timeout](/fundamentals/reference/connection-limits/). - -### Common causes - -This can happen if the origin server is taking too long because it has too much work to do, for example, a large data query, or because the server is struggling for resources and cannot return any data in time. - -Error `524` can also indicate that Cloudflare successfully connected to the origin web server to write data, but the write did not complete before the 30 seconds [Proxy Write Timeout](/fundamentals/reference/connection-limits/) (or 6.5 seconds in the case of [Cloudflare Images](/images/)). - -:::note - -A `524` occurs if the origin web server acknowledges (ACK) the resource request after the connection has been -established, but does not send a timely response. -::: - -### Resolution - -Here are the options we suggest to work around this issue: - -- Implement status polling of large HTTP processes to avoid hitting this error. -- [Contact your hosting provider](#required-error-details-for-hosting-provider) to exclude the following common causes at your origin web server: - - A long-running process on the origin web server. - - An overloaded origin web server. - -:::note - -Logging request response time at your origin web server helps identify the cause of resource slowness. Contact your hosting provider or site administrator for assistance in adjusting log formats or search for related logging documentation for your brand of web server such as [Apache](http://httpd.apache.org/docs/current/mod/mod_log_config.html) or [Nginx](http://nginx.org/en/docs/http/ngx_http_log_module.html#log_format). -::: - -- Enterprise customers can increase the `524` timeout up to 6,000 seconds using the [Edit zone setting](/api/resources/zones/subresources/settings/methods/edit/) endpoint (`proxy_read_timeout` setting). If your content can be cached, you may also choose to use a [Cache Rule](/cache/how-to/cache-rules/settings/#proxy-read-timeout-enterprise-only) with the `Proxy Read Timeout` setting selected instead in the Cloudflare Dashboard. - -:::note - -If the timeouts are on write requests, the [Proxy Write Timeout](/fundamentals/reference/connection-limits/) of 30 seconds cannot be adjusted. -::: - -- If you regularly run HTTP requests that take over 100 seconds to complete (for example, large data exports), move those processes behind a subdomain not proxied (grey clouded) in the Cloudflare **DNS** app. - -:::note - -Note that you may observe a 1 second difference between the timeout you have set and the actual time at which the Error `524` is returned. This is expected, it is due to the current work on implementing our proxy - [Pingora](https://blog.cloudflare.com/how-we-built-pingora-the-proxy-that-connects-cloudflare-to-the-internet/). -As a workaround, you can simply set the timeout to one second more (121 seconds instead of 120 seconds, for example). -::: - -## Error 525: SSL handshake failed - -This error indicates that the SSL handshake between Cloudflare and the origin web server failed. - -### Common causes - -Error `525` occurs when these two conditions are true: - -- The [SSL handshake](https://www.cloudflare.com/learning/ssl/what-happens-in-a-tls-handshake/) fails between Cloudflare and the origin web server. -- [_Full_ or _Full (Strict)_](/ssl/origin-configuration/ssl-modes) **SSL** is set in the **Overview** tab of your Cloudflare **SSL/TLS** app. - -:::note - -If your hosting provider frequently changes your origin web server's IP address, refer to Cloudflare's documentation on [dynamic DNS updates](/dns/manage-dns-records/how-to/managing-dynamic-ip-addresses). -::: - -### Resolution - -Contact your hosting provider to exclude the following common causes at your origin web server: - -- No valid SSL certificate is installed. -- Port `443` (or another custom secure port) is not open. -- No SNI support. -- The [cipher suites](/ssl/origin-configuration/cipher-suites/) used by Cloudflare do not match the cipher suites supported by the origin web server. - -:::note - -If `525` errors occur intermittently, review the origin web server error logs to determine the cause. Configure Apache to [log mod_ssl errors](https://cwiki.apache.org/confluence/display/HTTPD/DebuggingSSLProblems#Enable_SSL_logging). Also, nginx includes SSL errors in its standard error log, but may possibly require [an increased log level](https://docs.nginx.com/nginx/admin-guide/monitoring/logging/). -::: - -- Verify that a certificate is installed on your origin server. For details on running tests, refer to [Troubleshoot requests with curl](/support/troubleshooting/general-troubleshooting/gathering-information-for-troubleshooting-sites/#troubleshoot-requests-with-curl). If no certificate is installed, you can generate and install a free [Cloudflare origin CA certificate](/ssl/origin-configuration/origin-ca) to encrypt traffic between Cloudflare and your origin web server. - -- [Review the cipher suites](/ssl/edge-certificates/additional-options/cipher-suites/) used by your server to ensure they are compatible with Cloudflare. - -- Check your server's error logs from the timestamps when `525` errors occur to identify any issues causing the connection to be reset during the SSL handshake. - -## Error 526: invalid SSL certificate - -This error indicates that Cloudflare is unable to verify the SSL certificate on your origin server, preventing a secure connection from being established. - -### Common causes - -This error occurs when these two conditions are true: - -- Cloudflare cannot validate the SSL certificate at your origin web server. -- [_Full SSL (Strict)_](/ssl/origin-configuration/ssl-modes/full-strict/) **SSL** is set in the **Overview** tab of your Cloudflare **SSL/TLS** app. - -#### Error 526 in the Zero Trust context - -When using [Cloudflare Gateway](/cloudflare-one/policies/gateway/), an HTTP Error `526` might be returned in the [following cases](/cloudflare-one/faq/troubleshooting/#i-see-error-526-when-browsing-to-a-website): - -- **An untrusted certificate is presented from the origin to Gateway.** Gateway will consider a certificate is untrusted if any of these conditions are true: - - - The server certificate issuer is unknown or is not trusted by the service. - - The server certificate is revoked and fails a CRL check. - - There is at least one expired certificate in the certificate chain for the server certificate. - - The common name on the certificate does not match the URL you are trying to reach. - - The common name on the certificate contains invalid characters (such as underscores). Gateway uses [BoringSSL](https://csrc.nist.gov/projects/cryptographic-module-validation-program/validated-modules/search?SearchMode=Basic&Vendor=Google&CertificateStatus=Active&ValidationYear=0) to validate certificates. Chrome's [validation logic](https://chromium.googlesource.com/chromium/src/+/refs/heads/main/net/cert/x509_certificate.cc#429) allows non-RFC 1305 compliant certificates, which is why the website may load when you turn off WARP. - -- **The connection from Gateway to the origin is insecure.** Gateway does not trust origins which: - - - Only offer insecure cipher suites (such as RC4, RC4-MD5, or 3DES). You can use the [SSL Server Test tool](https://www.ssllabs.com/ssltest/index.html) to check which ciphers are supported by the origin. - - Do not support [FIPS-compliant ciphers](/cloudflare-one/policies/gateway/http-policies/tls-decryption/#cipher-suites) (if you have enabled [FIPS compliance mode](/cloudflare-one/policies/gateway/http-policies/tls-decryption/#fips-compliance)). In order to load the page, you can either disable FIPS mode or create a Do Not Inspect policy for this host (which has the effect of disabling FIPS compliance for this origin). - - Redirect all HTTPS requests to HTTP. - -#### Error 526 in the Workers context - -Workers subrequests to any hostname outside your Cloudflare zone that is not proxied by Cloudflare are always made using the **[Full (strict)](/ssl/origin-configuration/ssl-modes/full-strict/)** SSL mode, regardless of the Workers zone configuration. - -As a result, a valid SSL certificate is required at the origin server. - -### Resolution - -:::note -For a potential quick fix, set **SSL** to _Full_ instead of _Full (strict)_ in the **Overview** tab of your Cloudflare **SSL/TLS** app for the domain. -::: - -Request your server administrator or hosting provider to review the origin web server's SSL certificates and verify that: - -- Certificate is not expired. -- Certificate is not revoked. -- Certificate is signed by a [Certificate Authority](https://en.wikipedia.org/wiki/Certificate_authority) (not self-signed). -- The requested or target domain name and hostname are in the certificate's **Common Name** or **Subject Alternative Name**. -- Your origin web server accepts connections over port SSL port `443`. -- [Temporarily pause Cloudflare](/fundamentals/setup/manage-domains/pause-cloudflare/) and visit [https://www.sslshopper.com/ssl-checker.html#hostname=www.example.com](https://www.sslshopper.com/ssl-checker.html#hostname=www.example.com) (replace `www.example.com` with your hostname and domain) to verify no issues exists with the origin SSL certificate: - -![Screen showing an SSL certificate with no errors.](~/assets/images/support/hc-import-troubleshooting_5xx_errors_sslshopper_output.png) - -If the origin server uses a self-signed certificate, configure the domain to use _Full_ _SSL_ instead of _Full SSL (Strict)_. Refer to [recommended SSL settings for your origin](/ssl/origin-configuration/ssl-modes). - -## Error 530 - -This error indicates that Cloudflare is unable to resolve the origin hostname, preventing it from establishing a connection to the origin server. - -### Common causes - -An HTTP error `530` is returned when Cloudflare is encountering an issue resolving the origin hostname. -In this case the body of the response contains an [1XXX error](/support/troubleshooting/http-status-codes/cloudflare-1xxx-errors/) code. - -### Resolution - -Refer to the specific [1XXX error](/support/troubleshooting/http-status-codes/cloudflare-1xxx-errors/) for troubleshooting information. diff --git a/src/content/docs/support/troubleshooting/http-status-codes/cloudflare-5xx-errors/error-500.mdx b/src/content/docs/support/troubleshooting/http-status-codes/cloudflare-5xx-errors/error-500.mdx new file mode 100644 index 000000000000000..7f5545675bc4cc6 --- /dev/null +++ b/src/content/docs/support/troubleshooting/http-status-codes/cloudflare-5xx-errors/error-500.mdx @@ -0,0 +1,28 @@ +--- +pcx_content_type: troubleshooting +title: Error 500 +source: null +--- + +## Error 500: internal server error + +This error indicates a problem with your origin web server, preventing it from fulfilling the request. + +### Common causes + +The `Error establishing database connection message` is a common HTTP `500` error, typically indicating an origin web server issue. If you encounter this error, contact your hosting provider for assistance. + +### Resolution + +When dealing with most `5XX` errors, the first step is to reach out to your hosting provider or site administrator to help troubleshoot the issue. Share the necessary [error details](#required-error-details-for-hosting-provider) to your hosting provider to assist troubleshooting the issue. + +However, if the `500` error contains `cloudflare` or `cloudflare-nginx` in the HTML response body, contact [Cloudflare support](/support/contacting-cloudflare-support/) and provide the following details: + +- Your domain name +- The time and timezone of the `500` error occurrence +- The output of `www.example.com/cdn-cgi/trace` from the browser where the `500` error was observed (replace `www.example.com` with your actual domain and hostname) + +:::note + +If you observe blank or white pages when visiting your website, confirm whether the issue occurs when [temporarily pausing Cloudflare](/fundamentals/setup/manage-domains/pause-cloudflare/) and contact your hosting provider for assistance. +::: \ No newline at end of file diff --git a/src/content/docs/support/troubleshooting/http-status-codes/cloudflare-5xx-errors/error-502-504.mdx b/src/content/docs/support/troubleshooting/http-status-codes/cloudflare-5xx-errors/error-502-504.mdx new file mode 100644 index 000000000000000..3333cfc2d19c129 --- /dev/null +++ b/src/content/docs/support/troubleshooting/http-status-codes/cloudflare-5xx-errors/error-502-504.mdx @@ -0,0 +1,52 @@ +--- +pcx_content_type: troubleshooting +title: Error 502 or 504 +source: null +--- + +## Error 502 bad gateway or error 504 gateway timeout + +An HTTP `502` or `504` error indicates that Cloudflare is unable to establish contact with your origin web server. + +### Common causes + +There are two possible causes: + +- [`502/504` errors from your origin web server](#502504-from-your-origin-web-server) (most common). +- [`502/504` errors from Cloudflare](#502504-from-cloudflare). + +You may also see `504` status codes in logs or analytics caused by [cache MISS responses from Early Hints](/cache/advanced-configuration/early-hints/#emit-early-hints). + +### Resolution + +To resolve `502/504` errors, it is essential to identify whether the issue originates from your origin web server or Cloudflare. In the following sections, you can find more details for troubleshooting and resolving errors from both sources. + +#### 502/504 from your origin web server + +Cloudflare returns a Cloudflare-branded HTTP `502` or `504` error when your origin web server responds with a standard HTTP `502 bad gateway` or `504 gateway timeout` error: + +![Example of a Cloudflare-branded error 502.](~/assets/images/support/image1.png) + +Contact your hosting provider to troubleshoot these common causes at your origin web server: + +- Ensure the origin server responds to requests for the hostname and domain within the visitor's URL that generated the `502` or `504` error. +- Investigate excessive server loads, crashes, or network failures. +- Identify applications or services that timed out or were blocked. + +#### 502/504 from Cloudflare + +A `502` or a `504` error originating from Cloudflare appears as follows: + +![Example of an unbranded error 502.](~/assets/images/support/image5.png) + +If the error does not mention `cloudflare`, contact your hosting provider for assistance. Refer to [502/504 errors from your origin](#502504-from-your-origin-web-server) for more information. + +This error can occur due to a compression issue at the origin, such as when the origin server serves gzip-encoded compressed content but fails to update the `content-length` header, or if the origin is serving broken gzip compressed content. To diagnose this, you can try disabling compression at your origin to confirm if it resolves the error. + +Additionally, in some cases, a particular data center may experience a sudden increase in traffic. To ensure minimal impact for customers, our automated processes will redirect traffic to another data center. These adjustments typically happen seamlessly and take just a few seconds. However, during this process, some clients may experience temporary latency or HTTP `502` errors. You can find more information about our automated traffic management tools in this [blogpost](https://blog.cloudflare.com/meet-traffic-manager). + +If you need further assistance from our Support team, provide the following details to [Cloudflare Support](/support/contacting-cloudflare-support/) to avoid delays in processing your inquiry: + +- The time and timezone when the issue occurred. +- The URL that resulted in the HTTP `502` or `504` response (for example, `https://www.example.com/images/icons/image1.png`). +- The output from browsing to `/cdn-cgi/trace`. \ No newline at end of file diff --git a/src/content/docs/support/troubleshooting/http-status-codes/cloudflare-5xx-errors/error-503.mdx b/src/content/docs/support/troubleshooting/http-status-codes/cloudflare-5xx-errors/error-503.mdx new file mode 100644 index 000000000000000..eab49ea37290727 --- /dev/null +++ b/src/content/docs/support/troubleshooting/http-status-codes/cloudflare-5xx-errors/error-503.mdx @@ -0,0 +1,37 @@ +--- +pcx_content_type: troubleshooting +title: Error 503 +source: null +--- + +## Error 503: service temporarily unavailable + +HTTP error 503 occurs when your origin web server is overloaded. + +### Common causes + +There are different causes identifiable by the error message or the location of the error: + +- Error does not contain `cloudflare` or `cloudflare-nginx` in the HTML response body. In this case, the issue is likely from your origin server. +- Error contains `cloudflare` or `cloudflare-nginx` in the HTML response body. In this case, the issue may stem from Cloudflare. +- Error is only visible in logs or analytics. + +### Resolution + +To resolve a `503` error, first determine whether the issue originates from your origin web server or Cloudflare. The following sections provide guidance on troubleshooting both scenarios. + +#### 503 Error without `cloudflare` or `cloudflare-nginx` + +If the error does not contain `cloudflare` or `cloudflare-nginx` in the HTML response body, contact your hosting provider to verify if they rate limit requests to your origin web server. + +#### 503 Error with `cloudflare` or `cloudflare-nginx` + +If the error contains `cloudflare` or `cloudflare-nginx` in the HTML response body, a connectivity issue occurred in a Cloudflare data center. Provide [Cloudflare support](/support/contacting-cloudflare-support/) with the following information: + +- Your domain name +- The time and timezone of the `503` error occurrence +- The output of `www.example.com/cdn-cgi/trace` from the browser where the `503` error was observed (replace `www.example.com` with your actual domain and hostname) + +#### 503 Error only visible in logs and analytics + +These errors result from [unsuccessful prefetches from Speed Brain](/speed/optimization/content/speed-brain/#how-speed-brain-works) and can be discarded. These errors are not visible to visitors of your website. [Speed Brain](/speed/optimization/content/speed-brain/#enable-and-disable-speed-brain) can be disabled for the zone if needed (this feature cannot be disabled for a specific path). \ No newline at end of file diff --git a/src/content/docs/support/troubleshooting/http-status-codes/cloudflare-5xx-errors/error-520.mdx b/src/content/docs/support/troubleshooting/http-status-codes/cloudflare-5xx-errors/error-520.mdx new file mode 100644 index 000000000000000..6b7a68446b11c21 --- /dev/null +++ b/src/content/docs/support/troubleshooting/http-status-codes/cloudflare-5xx-errors/error-520.mdx @@ -0,0 +1,47 @@ +--- +pcx_content_type: troubleshooting +title: Error 520 +source: null +--- + +## Error 520: web server returns an unknown error + +This error occurs when the origin server returns an empty, unknown, or unexpected response to Cloudflare. + +### Common causes + +This error is often triggered by: + +- Origin server crashes or misconfigurations. +- Firewalls or security plugins blocking [Cloudflare IPs](https://www.cloudflare.com/ips) at your origin. +- Headers exceeding 16 KB (often due to excessive cookies). +- Empty or malformed responses lacking an HTTP status code or response body. +- Missing response headers or origin web server not returning [proper HTTP error responses](https://www.iana.org/assignments/http-status-codes/http-status-codes.xhtml). +- Incorrect HTTP/2 configuration at the origin server. + +:::note + +`520` errors are prevalent with certain PHP applications that crash the origin web server. + +::: + +### Resolution + +:::note + +As a temporary workaround, you can set the affected DNS record to [DNS-only](/dns/proxy-status/) in the Cloudflare **DNS** app or [temporarily pause Cloudflare](/fundamentals/setup/manage-domains/pause-cloudflare/). + +::: + +- Contact your hosting provider or site administrator and share the necessary [error details](#required-error-details-for-hosting-provider) to assist with troubleshooting. Request a review of your origin web server error logs for crashes and check for [common causes](/support/troubleshooting/http-status-codes/cloudflare-5xx-errors/#common-causes-3) mentioned in the previous section. + +- If HTTP/2 is enabled at your origin server, ensure it is correctly set up. Cloudflare connects to servers who announce support of HTTP/2 connections via [ALPN](https://blog.cloudflare.com/introducing-http2). If the origin web server accepts the HTTP/2 connection but then does not respect or support the protocol, an HTTP `520` error will be returned. You can disable the [HTTP/2 to Origin](/speed/optimization/protocol/http2-to-origin/#disable-http2-to-origin) in **Speed** > **Optimization** > **Protocol Optimization** on the Cloudflare dashboard. + +- If `520` errors continue after contacting your hosting provider or site administrator, provide the following information to [Cloudflare Support](/support/contacting-cloudflare-support/): + + - Full URL(s) of the resource requested when the error occurred. + - Cloudflare **cf-ray** from the `520` error message. + - Output from `http:///cdn-cgi/trace`. + - Two [HAR files](/support/troubleshooting/general-troubleshooting/gathering-information-for-troubleshooting-sites/#generate-a-har-file): + - One with Cloudflare enabled on your website. + - Another with [Cloudflare temporarily disabled](/fundamentals/setup/manage-domains/pause-cloudflare/). diff --git a/src/content/docs/support/troubleshooting/http-status-codes/cloudflare-5xx-errors/error-521.mdx b/src/content/docs/support/troubleshooting/http-status-codes/cloudflare-5xx-errors/error-521.mdx new file mode 100644 index 000000000000000..de6f46652d2f197 --- /dev/null +++ b/src/content/docs/support/troubleshooting/http-status-codes/cloudflare-5xx-errors/error-521.mdx @@ -0,0 +1,27 @@ +--- +pcx_content_type: troubleshooting +title: Error 521 +source: null +--- + +## Error 521: web server is down + +Error `521` occurs when the origin web server refuses connections from Cloudflare. Security solutions at your origin may block legitimate connections from certain [Cloudflare IP addresses](https://www.cloudflare.com/ips). + +### Common causes + +The two most common causes of `521` errors are: + +- Offlined origin web server application. +- Blocked Cloudflare requests. + +### Resolution + +Contact your hosting provider or site administrator and share the necessary [error details](#required-error-details-for-hosting-provider) to assist in troubleshooting these common causes: + +- Ensure your origin web server is responsive. +- Review origin web server error logs to identify web server application crashes or outages. +- Confirm [Cloudflare IP addresses](https://www.cloudflare.com/ips) are not blocked or rate limited. +- Allow all [Cloudflare IP ranges](https://www.cloudflare.com/ips) in your origin web server's firewall or other security software. +- Confirm that — if you have your **SSL/TLS mode** set to **Full** or **Full (Strict**) — your origin supports HTTPS and/or you have installed a [Cloudflare Origin Certificate](/ssl/origin-configuration/origin-ca) or a certificate matching the [requirements for these modes](/ssl/origin-configuration/ssl-modes/#custom-ssltls). +- Find additional troubleshooting information on the [Cloudflare Community](https://community.cloudflare.com/t/community-tip-fixing-error-521-web-server-is-down/42461). \ No newline at end of file diff --git a/src/content/docs/support/troubleshooting/http-status-codes/cloudflare-5xx-errors/error-522.mdx b/src/content/docs/support/troubleshooting/http-status-codes/cloudflare-5xx-errors/error-522.mdx new file mode 100644 index 000000000000000..cb00b3f1f7ff04c --- /dev/null +++ b/src/content/docs/support/troubleshooting/http-status-codes/cloudflare-5xx-errors/error-522.mdx @@ -0,0 +1,35 @@ +--- +pcx_content_type: troubleshooting +title: Error 522 +source: null +--- + +## Error 522: connection timed out + +Error `522` occurs when Cloudflare times out contacting the origin web server. + +### Common causes + +Two different timeouts cause HTTP error `522` depending on when they occur between Cloudflare and the origin web server: + +- Before a connection is established, the origin web server does not return a SYN+ACK to Cloudflare within 19 seconds of Cloudflare sending a SYN. +- After a connection is established, the origin web server does not acknowledge (ACK) Cloudflare's resource request within 90 seconds. + +### Resolution + +- Contact your hosting provider and share the necessary [error details](#required-error-details-for-hosting-provider) to assist in troubleshooting these common causes: + + - [Cloudflare IP addresses](https://www.cloudflare.com/ips/) are rate limited or blocked in .htaccess, iptables, or firewalls. Confirm your hosting provider allows Cloudflare IP addresses (most common cause). + - An overloaded or offline origin web server drops incoming requests. + - [Keepalives](http://tldp.org/HOWTO/TCP-Keepalive-HOWTO/overview.html) are disabled at the origin web server. + - The origin IP address in your Cloudflare **DNS** app does not match the IP address currently provisioned to your origin web server by your hosting provider. + - Packets were dropped at your origin web server. + +- If you are using [Cloudflare Pages](/pages/), verify that you have a custom domain set up and that your CNAME record is pointed to your [custom Pages domain](/pages/configuration/custom-domains/#add-a-custom-domain). + +- If you are using [Workers with a Custom Domain](/workers/configuration/routing/custom-domains/), performing a `fetch` to its own hostname will cause a `522` error. Consider using a [Route](/workers/configuration/routing/) or target another hostname instead. + +- If none of the above leads to a resolution, request the following information from your hosting provider or site administrator before [contacting Cloudflare support](/support/contacting-cloudflare-support/): + + - An [MTR or traceroute](/support/troubleshooting/general-troubleshooting/gathering-information-for-troubleshooting-sites/#perform-a-traceroute) from your origin web server to a [Cloudflare IP address](http://www.cloudflare.com/ips) that most commonly connected to your origin web server before the issue occurred. Identify a connecting Cloudflare IP recorded in the origin web server logs. + - Details from the hosting provider's investigation, such as pertinent logs or conversations with the hosting provider. \ No newline at end of file diff --git a/src/content/docs/support/troubleshooting/http-status-codes/cloudflare-5xx-errors/error-523.mdx b/src/content/docs/support/troubleshooting/http-status-codes/cloudflare-5xx-errors/error-523.mdx new file mode 100644 index 000000000000000..7a70da274a3a561 --- /dev/null +++ b/src/content/docs/support/troubleshooting/http-status-codes/cloudflare-5xx-errors/error-523.mdx @@ -0,0 +1,24 @@ +--- +pcx_content_type: troubleshooting +title: Error 523 +source: null +--- + +## Error 523: origin is unreachable + +This error occurs when Cloudflare cannot contact your origin web server. + +### Common causes + +This typically occurs when a network device between Cloudflare and the origin web server does not have a route to the origin's IP address. + +### Resolution + +Contact your hosting provider and share the necessary [error details](#required-error-details-for-hosting-provider) to exclude the following common causes at your origin web server: + +- Confirm the correct origin IP address is listed for A or AAAA records within your Cloudflare DNS app. +- Troubleshoot Internet routing issues between your origin and Cloudflare, or with the origin itself. + +If none of the above leads to a resolution, request the following information from your hosting provider or site administrator: + +- An [MTR or traceroute](/support/troubleshooting/general-troubleshooting/gathering-information-for-troubleshooting-sites/#perform-a-traceroute) from your origin web server to a [Cloudflare IP address](http://www.cloudflare.com/ips) that most commonly connected to your origin web server before the issue occurred. Identify a connecting Cloudflare IP from the logs of the origin web server. diff --git a/src/content/docs/support/troubleshooting/http-status-codes/cloudflare-5xx-errors/error-524.mdx b/src/content/docs/support/troubleshooting/http-status-codes/cloudflare-5xx-errors/error-524.mdx new file mode 100644 index 000000000000000..d43f5feffff10f4 --- /dev/null +++ b/src/content/docs/support/troubleshooting/http-status-codes/cloudflare-5xx-errors/error-524.mdx @@ -0,0 +1,50 @@ +--- +pcx_content_type: troubleshooting +title: Error 524 +source: null +--- + +## Error 524: a timeout occurred + +Error `524` usually indicates that Cloudflare successfully connected to the origin web server, but the origin did not provide an HTTP response before the default 100 seconds [Proxy Read Timeout](/fundamentals/reference/connection-limits/). + +### Common causes + +This can happen if the origin server is taking too long because it has too much work to do, for example, a large data query, or because the server is struggling for resources and cannot return any data in time. + +Error `524` can also indicate that Cloudflare successfully connected to the origin web server to write data, but the write did not complete before the 30 seconds [Proxy Write Timeout](/fundamentals/reference/connection-limits/) (or 6.5 seconds in the case of [Cloudflare Images](/images/)). + +:::note + +A `524` occurs if the origin web server acknowledges (ACK) the resource request after the connection has been +established, but does not send a timely response. +::: + +### Resolution + +Here are the options we suggest to work around this issue: + +- Implement status polling of large HTTP processes to avoid hitting this error. +- [Contact your hosting provider](#required-error-details-for-hosting-provider) to exclude the following common causes at your origin web server: + - A long-running process on the origin web server. + - An overloaded origin web server. + +:::note + +Logging request response time at your origin web server helps identify the cause of resource slowness. Contact your hosting provider or site administrator for assistance in adjusting log formats or search for related logging documentation for your brand of web server such as [Apache](http://httpd.apache.org/docs/current/mod/mod_log_config.html) or [Nginx](http://nginx.org/en/docs/http/ngx_http_log_module.html#log_format). +::: + +- Enterprise customers can increase the `524` timeout up to 6,000 seconds using the [Edit zone setting](/api/resources/zones/subresources/settings/methods/edit/) endpoint (`proxy_read_timeout` setting). If your content can be cached, you may also choose to use a [Cache Rule](/cache/how-to/cache-rules/settings/#proxy-read-timeout-enterprise-only) with the `Proxy Read Timeout` setting selected instead in the Cloudflare Dashboard. + +:::note + +If the timeouts are on write requests, the [Proxy Write Timeout](/fundamentals/reference/connection-limits/) of 30 seconds cannot be adjusted. +::: + +- If you regularly run HTTP requests that take over 100 seconds to complete (for example, large data exports), move those processes behind a subdomain not proxied (grey clouded) in the Cloudflare **DNS** app. + +:::note + +Note that you may observe a 1 second difference between the timeout you have set and the actual time at which the Error `524` is returned. This is expected, it is due to the current work on implementing our proxy - [Pingora](https://blog.cloudflare.com/how-we-built-pingora-the-proxy-that-connects-cloudflare-to-the-internet/). +As a workaround, you can simply set the timeout to one second more (121 seconds instead of 120 seconds, for example). +::: \ No newline at end of file diff --git a/src/content/docs/support/troubleshooting/http-status-codes/cloudflare-5xx-errors/error-525.mdx b/src/content/docs/support/troubleshooting/http-status-codes/cloudflare-5xx-errors/error-525.mdx new file mode 100644 index 000000000000000..c8c8ac78fd228a2 --- /dev/null +++ b/src/content/docs/support/troubleshooting/http-status-codes/cloudflare-5xx-errors/error-525.mdx @@ -0,0 +1,43 @@ +--- +pcx_content_type: troubleshooting +title: Error 525 +source: null +--- + +import { GlossaryTooltip } from "~/components"; + +## Error 525: SSL handshake failed + +This error indicates that the SSL handshake between Cloudflare and the origin web server failed. + +### Common causes + +Error `525` occurs when these two conditions are true: + +- The [SSL handshake](https://www.cloudflare.com/learning/ssl/what-happens-in-a-tls-handshake/) fails between Cloudflare and the origin web server. +- [_Full_ or _Full (Strict)_](/ssl/origin-configuration/ssl-modes) **SSL** is set in the **Overview** tab of your Cloudflare **SSL/TLS** app. + +:::note + +If your hosting provider frequently changes your origin web server's IP address, refer to Cloudflare's documentation on [dynamic DNS updates](/dns/manage-dns-records/how-to/managing-dynamic-ip-addresses). +::: + +### Resolution + +Contact your hosting provider to exclude the following common causes at your origin web server: + +- No valid SSL certificate is installed. +- Port `443` (or another custom secure port) is not open. +- No SNI support. +- The [cipher suites](/ssl/origin-configuration/cipher-suites/) used by Cloudflare do not match the cipher suites supported by the origin web server. + +:::note + +If `525` errors occur intermittently, review the origin web server error logs to determine the cause. Configure Apache to [log mod_ssl errors](https://cwiki.apache.org/confluence/display/HTTPD/DebuggingSSLProblems#Enable_SSL_logging). Also, nginx includes SSL errors in its standard error log, but may possibly require [an increased log level](https://docs.nginx.com/nginx/admin-guide/monitoring/logging/). +::: + +- Verify that a certificate is installed on your origin server. For details on running tests, refer to [Troubleshoot requests with curl](/support/troubleshooting/general-troubleshooting/gathering-information-for-troubleshooting-sites/#troubleshoot-requests-with-curl). If no certificate is installed, you can generate and install a free [Cloudflare origin CA certificate](/ssl/origin-configuration/origin-ca) to encrypt traffic between Cloudflare and your origin web server. + +- [Review the cipher suites](/ssl/edge-certificates/additional-options/cipher-suites/) used by your server to ensure they are compatible with Cloudflare. + +- Check your server's error logs from the timestamps when `525` errors occur to identify any issues causing the connection to be reset during the SSL handshake. \ No newline at end of file diff --git a/src/content/docs/support/troubleshooting/http-status-codes/cloudflare-5xx-errors/error-526.mdx b/src/content/docs/support/troubleshooting/http-status-codes/cloudflare-5xx-errors/error-526.mdx new file mode 100644 index 000000000000000..b1669eef4233c5b --- /dev/null +++ b/src/content/docs/support/troubleshooting/http-status-codes/cloudflare-5xx-errors/error-526.mdx @@ -0,0 +1,59 @@ +--- +pcx_content_type: troubleshooting +title: Error 526 +source: null +--- + +## Error 526: invalid SSL certificate + +This error indicates that Cloudflare is unable to verify the SSL certificate on your origin server, preventing a secure connection from being established. + +### Common causes + +This error occurs when these two conditions are true: + +- Cloudflare cannot validate the SSL certificate at your origin web server. +- [_Full SSL (Strict)_](/ssl/origin-configuration/ssl-modes/full-strict/) **SSL** is set in the **Overview** tab of your Cloudflare **SSL/TLS** app. + +#### Error 526 in the Zero Trust context + +When using [Cloudflare Gateway](/cloudflare-one/policies/gateway/), an HTTP Error `526` might be returned in the [following cases](/cloudflare-one/faq/troubleshooting/#i-see-error-526-when-browsing-to-a-website): + +- **An untrusted certificate is presented from the origin to Gateway.** Gateway will consider a certificate is untrusted if any of these conditions are true: + + - The server certificate issuer is unknown or is not trusted by the service. + - The server certificate is revoked and fails a CRL check. + - There is at least one expired certificate in the certificate chain for the server certificate. + - The common name on the certificate does not match the URL you are trying to reach. + - The common name on the certificate contains invalid characters (such as underscores). Gateway uses [BoringSSL](https://csrc.nist.gov/projects/cryptographic-module-validation-program/validated-modules/search?SearchMode=Basic&Vendor=Google&CertificateStatus=Active&ValidationYear=0) to validate certificates. Chrome's [validation logic](https://chromium.googlesource.com/chromium/src/+/refs/heads/main/net/cert/x509_certificate.cc#429) allows non-RFC 1305 compliant certificates, which is why the website may load when you turn off WARP. + +- **The connection from Gateway to the origin is insecure.** Gateway does not trust origins which: + + - Only offer insecure cipher suites (such as RC4, RC4-MD5, or 3DES). You can use the [SSL Server Test tool](https://www.ssllabs.com/ssltest/index.html) to check which ciphers are supported by the origin. + - Do not support [FIPS-compliant ciphers](/cloudflare-one/policies/gateway/http-policies/tls-decryption/#cipher-suites) (if you have enabled [FIPS compliance mode](/cloudflare-one/policies/gateway/http-policies/tls-decryption/#fips-compliance)). In order to load the page, you can either disable FIPS mode or create a Do Not Inspect policy for this host (which has the effect of disabling FIPS compliance for this origin). + - Redirect all HTTPS requests to HTTP. + +#### Error 526 in the Workers context + +Workers subrequests to any hostname outside your Cloudflare zone that is not proxied by Cloudflare are always made using the **[Full (strict)](/ssl/origin-configuration/ssl-modes/full-strict/)** SSL mode, regardless of the Workers zone configuration. + +As a result, a valid SSL certificate is required at the origin server. + +### Resolution + +:::note +For a potential quick fix, set **SSL** to _Full_ instead of _Full (strict)_ in the **Overview** tab of your Cloudflare **SSL/TLS** app for the domain. +::: + +Request your server administrator or hosting provider to review the origin web server's SSL certificates and verify that: + +- Certificate is not expired. +- Certificate is not revoked. +- Certificate is signed by a [Certificate Authority](https://en.wikipedia.org/wiki/Certificate_authority) (not self-signed). +- The requested or target domain name and hostname are in the certificate's **Common Name** or **Subject Alternative Name**. +- Your origin web server accepts connections over port SSL port `443`. +- [Temporarily pause Cloudflare](/fundamentals/setup/manage-domains/pause-cloudflare/) and visit [https://www.sslshopper.com/ssl-checker.html#hostname=www.example.com](https://www.sslshopper.com/ssl-checker.html#hostname=www.example.com) (replace `www.example.com` with your hostname and domain) to verify no issues exists with the origin SSL certificate: + +![Screen showing an SSL certificate with no errors.](~/assets/images/support/hc-import-troubleshooting_5xx_errors_sslshopper_output.png) + +If the origin server uses a self-signed certificate, configure the domain to use _Full_ _SSL_ instead of _Full SSL (Strict)_. Refer to [recommended SSL settings for your origin](/ssl/origin-configuration/ssl-modes). \ No newline at end of file diff --git a/src/content/docs/support/troubleshooting/http-status-codes/cloudflare-5xx-errors/error-530.mdx b/src/content/docs/support/troubleshooting/http-status-codes/cloudflare-5xx-errors/error-530.mdx new file mode 100644 index 000000000000000..cdccfa1debb92e8 --- /dev/null +++ b/src/content/docs/support/troubleshooting/http-status-codes/cloudflare-5xx-errors/error-530.mdx @@ -0,0 +1,18 @@ +--- +pcx_content_type: troubleshooting +title: Error 530 +source: null +--- + +## Error 530 + +This error indicates that Cloudflare is unable to resolve the origin hostname, preventing it from establishing a connection to the origin server. + +### Common causes + +An HTTP error `530` is returned when Cloudflare is encountering an issue resolving the origin hostname. +In this case the body of the response contains an [1XXX error](/support/troubleshooting/http-status-codes/cloudflare-1xxx-errors/) code. + +### Resolution + +Refer to the specific [1XXX error](/support/troubleshooting/http-status-codes/cloudflare-1xxx-errors/) for troubleshooting information. diff --git a/src/content/docs/support/troubleshooting/http-status-codes/cloudflare-5xx-errors/index.mdx b/src/content/docs/support/troubleshooting/http-status-codes/cloudflare-5xx-errors/index.mdx new file mode 100644 index 000000000000000..8ff5effab0be3bb --- /dev/null +++ b/src/content/docs/support/troubleshooting/http-status-codes/cloudflare-5xx-errors/index.mdx @@ -0,0 +1,91 @@ +--- +pcx_content_type: troubleshooting +title: Cloudflare 5XX errors +source: null +--- + +import { GlossaryTooltip } from "~/components"; + +When troubleshooting most `5XX` errors, the correct course of action is to first contact your hosting provider or site administrator to troubleshoot and gather data. The following sections outline: + +- The [information](/support/troubleshooting/http-status-codes/cloudflare-5xx-errors/#required-error-details-for-hosting-provider) to provide your hosting provider to help resolve the errors +- The steps to access [error analytics](/support/troubleshooting/http-status-codes/cloudflare-5xx-errors/#error-analytics) in the Cloudflare dashboard. + +:::note + +Cloudflare Support only assists the domain owner to resolve issues. If you are a site visitor, report the problem to the site owner. + +::: + +### Required error details for hosting provider + +When contacting your hosting provider, share the following information: + +- The specific `5XX` error code and message. +- The time and timezone when the `5XX` error occurred. +- The URL that resulted in the HTTP `5XX` error (for example, `https://www.example.com/images/icons/image1.png`). + +The cause of the error is not always found in the origin server's error logs. Be sure to check the logs of any load balancers, caches, proxies, or firewalls between Cloudflare and the origin web server. + +Additional details to provide to your hosting provider or site administrator can be found in the error descriptions below. Note that Cloudflare [Custom Errors](/rules/custom-errors/) can alter the appearance of default error pages discussed in this page. + +### Error analytics + +Error analytics per domain are available within [Zone Analytics](/analytics/account-and-zone-analytics/zone-analytics/). Error analytics provides insights into overall errors by HTTP error code and offers details such as the URLs, source IP addresses, and Cloudflare data centers needed to diagnose and resolve issues. Error Analytics are based on a 1% traffic sample. + +To view Error Analytics: + +1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com). +2. Select your account and domain. +3. Go to **Analytics & Logs**. +4. Select **Add filter**, select **Edge status code** or **Origin status code** and choose any `5xx` error code that you want to diagnose. + +--- + +## Error 500: internal server error + +For a complete discription of this error refer to the [Error 500](/support/troubleshooting/http-status-codes/cloudflare-5xx-errors/error-500/) page. + +## Error 502 bad gateway or error 504 gateway timeout + +For a complete discription of this error refer to the [Error 502/504](/support/troubleshooting/http-status-codes/cloudflare-5xx-errors/error-502-504/) page. + +## Error 503: service temporarily unavailable + +For a complete discription of this error refer to the [Error 503](/support/troubleshooting/http-status-codes/cloudflare-5xx-errors/error-503/) page. + +## Error 520: web server returns an unknown error + +For a complete discription of this error refer to the [Error 520](/support/troubleshooting/http-status-codes/cloudflare-5xx-errors/error-520/) page. + + +## Error 521: web server is down + +For a complete discription of this error refer to the [Error 521](/support/troubleshooting/http-status-codes/cloudflare-5xx-errors/error-521/) page. + +## Error 522: connection timed out + +For a complete discription of this error refer to the [Error 522](/support/troubleshooting/http-status-codes/cloudflare-5xx-errors/error-522/) page. + +## Error 523: origin is unreachable + +For a complete discription of this error refer to the [Error 523](/support/troubleshooting/http-status-codes/cloudflare-5xx-errors/error-523/) page. + + +## Error 524: a timeout occurred + +For a complete discription of this error refer to the [Error 524](/support/troubleshooting/http-status-codes/cloudflare-5xx-errors/error-524/) page. + + +## Error 525: SSL handshake failed + +For a complete discription of this error refer to the [Error 525](/support/troubleshooting/http-status-codes/cloudflare-5xx-errors/error-525/) page. + + +## Error 526: invalid SSL certificate + +For a complete discription of this error refer to the [Error 526](/support/troubleshooting/http-status-codes/cloudflare-5xx-errors/error-526/) page. + +## Error 530 + +For a complete discription of this error refer to the [Error 530](/support/troubleshooting/http-status-codes/cloudflare-5xx-errors/error-530/) page. From 84b422af623c16f83d1cfd48ad5d4fa523e3bad7 Mon Sep 17 00:00:00 2001 From: Angela Costa Date: Tue, 29 Apr 2025 11:53:23 +0100 Subject: [PATCH 2/2] Corrects link --- .../http-status-codes/cloudflare-5xx-errors/error-500.mdx | 2 +- .../http-status-codes/cloudflare-5xx-errors/error-520.mdx | 2 +- .../http-status-codes/cloudflare-5xx-errors/error-521.mdx | 2 +- .../http-status-codes/cloudflare-5xx-errors/error-522.mdx | 2 +- .../http-status-codes/cloudflare-5xx-errors/error-523.mdx | 2 +- .../http-status-codes/cloudflare-5xx-errors/error-524.mdx | 2 +- 6 files changed, 6 insertions(+), 6 deletions(-) diff --git a/src/content/docs/support/troubleshooting/http-status-codes/cloudflare-5xx-errors/error-500.mdx b/src/content/docs/support/troubleshooting/http-status-codes/cloudflare-5xx-errors/error-500.mdx index 7f5545675bc4cc6..c4ff0653c86b070 100644 --- a/src/content/docs/support/troubleshooting/http-status-codes/cloudflare-5xx-errors/error-500.mdx +++ b/src/content/docs/support/troubleshooting/http-status-codes/cloudflare-5xx-errors/error-500.mdx @@ -14,7 +14,7 @@ The `Error establishing database connection message` is a common HTTP `500` erro ### Resolution -When dealing with most `5XX` errors, the first step is to reach out to your hosting provider or site administrator to help troubleshoot the issue. Share the necessary [error details](#required-error-details-for-hosting-provider) to your hosting provider to assist troubleshooting the issue. +When dealing with most `5XX` errors, the first step is to reach out to your hosting provider or site administrator to help troubleshoot the issue. Share the necessary [error details](/support/troubleshooting/http-status-codes/cloudflare-5xx-errors/#required-error-details-for-hosting-provider) to your hosting provider to assist troubleshooting the issue. However, if the `500` error contains `cloudflare` or `cloudflare-nginx` in the HTML response body, contact [Cloudflare support](/support/contacting-cloudflare-support/) and provide the following details: diff --git a/src/content/docs/support/troubleshooting/http-status-codes/cloudflare-5xx-errors/error-520.mdx b/src/content/docs/support/troubleshooting/http-status-codes/cloudflare-5xx-errors/error-520.mdx index 6b7a68446b11c21..a6011eaf942ceaf 100644 --- a/src/content/docs/support/troubleshooting/http-status-codes/cloudflare-5xx-errors/error-520.mdx +++ b/src/content/docs/support/troubleshooting/http-status-codes/cloudflare-5xx-errors/error-520.mdx @@ -33,7 +33,7 @@ As a temporary workaround, you can set the affected DNS record to [DNS-only](/dn ::: -- Contact your hosting provider or site administrator and share the necessary [error details](#required-error-details-for-hosting-provider) to assist with troubleshooting. Request a review of your origin web server error logs for crashes and check for [common causes](/support/troubleshooting/http-status-codes/cloudflare-5xx-errors/#common-causes-3) mentioned in the previous section. +- Contact your hosting provider or site administrator and share the necessary [error details](/support/troubleshooting/http-status-codes/cloudflare-5xx-errors/#required-error-details-for-hosting-provider) to assist with troubleshooting. Request a review of your origin web server error logs for crashes and check for [common causes](/support/troubleshooting/http-status-codes/cloudflare-5xx-errors/error-520/#common-causes) mentioned in the previous section. - If HTTP/2 is enabled at your origin server, ensure it is correctly set up. Cloudflare connects to servers who announce support of HTTP/2 connections via [ALPN](https://blog.cloudflare.com/introducing-http2). If the origin web server accepts the HTTP/2 connection but then does not respect or support the protocol, an HTTP `520` error will be returned. You can disable the [HTTP/2 to Origin](/speed/optimization/protocol/http2-to-origin/#disable-http2-to-origin) in **Speed** > **Optimization** > **Protocol Optimization** on the Cloudflare dashboard. diff --git a/src/content/docs/support/troubleshooting/http-status-codes/cloudflare-5xx-errors/error-521.mdx b/src/content/docs/support/troubleshooting/http-status-codes/cloudflare-5xx-errors/error-521.mdx index de6f46652d2f197..4dbdceeff9b8614 100644 --- a/src/content/docs/support/troubleshooting/http-status-codes/cloudflare-5xx-errors/error-521.mdx +++ b/src/content/docs/support/troubleshooting/http-status-codes/cloudflare-5xx-errors/error-521.mdx @@ -17,7 +17,7 @@ The two most common causes of `521` errors are: ### Resolution -Contact your hosting provider or site administrator and share the necessary [error details](#required-error-details-for-hosting-provider) to assist in troubleshooting these common causes: +Contact your hosting provider or site administrator and share the necessary [error details](/support/troubleshooting/http-status-codes/cloudflare-5xx-errors/#required-error-details-for-hosting-provider) to assist in troubleshooting these common causes: - Ensure your origin web server is responsive. - Review origin web server error logs to identify web server application crashes or outages. diff --git a/src/content/docs/support/troubleshooting/http-status-codes/cloudflare-5xx-errors/error-522.mdx b/src/content/docs/support/troubleshooting/http-status-codes/cloudflare-5xx-errors/error-522.mdx index cb00b3f1f7ff04c..a484eee86056215 100644 --- a/src/content/docs/support/troubleshooting/http-status-codes/cloudflare-5xx-errors/error-522.mdx +++ b/src/content/docs/support/troubleshooting/http-status-codes/cloudflare-5xx-errors/error-522.mdx @@ -17,7 +17,7 @@ Two different timeouts cause HTTP error `522` depending on when they occur betwe ### Resolution -- Contact your hosting provider and share the necessary [error details](#required-error-details-for-hosting-provider) to assist in troubleshooting these common causes: +- Contact your hosting provider and share the necessary [error details](/support/troubleshooting/http-status-codes/cloudflare-5xx-errors/#required-error-details-for-hosting-provider) to assist in troubleshooting these common causes: - [Cloudflare IP addresses](https://www.cloudflare.com/ips/) are rate limited or blocked in .htaccess, iptables, or firewalls. Confirm your hosting provider allows Cloudflare IP addresses (most common cause). - An overloaded or offline origin web server drops incoming requests. diff --git a/src/content/docs/support/troubleshooting/http-status-codes/cloudflare-5xx-errors/error-523.mdx b/src/content/docs/support/troubleshooting/http-status-codes/cloudflare-5xx-errors/error-523.mdx index 7a70da274a3a561..3e5bd335c824adb 100644 --- a/src/content/docs/support/troubleshooting/http-status-codes/cloudflare-5xx-errors/error-523.mdx +++ b/src/content/docs/support/troubleshooting/http-status-codes/cloudflare-5xx-errors/error-523.mdx @@ -14,7 +14,7 @@ This typically occurs when a network device between Cloudflare and the origin we ### Resolution -Contact your hosting provider and share the necessary [error details](#required-error-details-for-hosting-provider) to exclude the following common causes at your origin web server: +Contact your hosting provider and share the necessary [error details](/support/troubleshooting/http-status-codes/cloudflare-5xx-errors/#required-error-details-for-hosting-provider) to exclude the following common causes at your origin web server: - Confirm the correct origin IP address is listed for A or AAAA records within your Cloudflare DNS app. - Troubleshoot Internet routing issues between your origin and Cloudflare, or with the origin itself. diff --git a/src/content/docs/support/troubleshooting/http-status-codes/cloudflare-5xx-errors/error-524.mdx b/src/content/docs/support/troubleshooting/http-status-codes/cloudflare-5xx-errors/error-524.mdx index d43f5feffff10f4..ef1db4cbce78234 100644 --- a/src/content/docs/support/troubleshooting/http-status-codes/cloudflare-5xx-errors/error-524.mdx +++ b/src/content/docs/support/troubleshooting/http-status-codes/cloudflare-5xx-errors/error-524.mdx @@ -25,7 +25,7 @@ established, but does not send a timely response. Here are the options we suggest to work around this issue: - Implement status polling of large HTTP processes to avoid hitting this error. -- [Contact your hosting provider](#required-error-details-for-hosting-provider) to exclude the following common causes at your origin web server: +- [Contact your hosting provider](/support/troubleshooting/http-status-codes/cloudflare-5xx-errors/#required-error-details-for-hosting-provider) to exclude the following common causes at your origin web server: - A long-running process on the origin web server. - An overloaded origin web server.