Troubleshooting 1000 class errors
1000 class errors will appear in the HTML body of the response. HTTP 409, 530, 403, and 429 errors are the HTTP error codes returned in the HTTP status header of a response.
Error 1000: DNS points to prohibited IP
CIS halted the request for one of the following reasons:
- An A record within your CIS DNS points to a CIS IP address.
- Your CIS DNS A or CNAME record references another reverse proxy (such as an nginx web server that uses the proxy_pass function) that then proxies the request to CIS a second time.
- The request X-Forwarded-For header is longer than 100 characters.
- The request includes two X-Forwarded-For headers.
Resolution
- If an A record within your CIS DNS points to a CIS IP address, update the IP address to your origin web server IP address.
- There is a reverse-proxy at your origin that sends the request back through the CIS proxy. Instead of using a reverse-proxy, contact your hosting provider or site administrator to configure an HTTP redirect at your origin.
Error 1001: DNS resolution error
Common causes for 1001 errors are:
- A web request was sent to a CIS IP address for a non-existent CIS domain.
- An external domain that is not using CIS has a CNAME record to a domain active on CIS.
- The target of the DNS CNAME record does not resolve.
- A CNAME record in your CIS DNS requires resolution via a DNS provider that is currently offline.
Resolution
A non-CIS domain cannot CNAME to a CIS domain unless the non-CIS domain is added to a CIS account.
Attempting to directly access DNS records used for CIS CNAME setups also causes error 1001.
Error 1002: DNS points to prohibited IP
Common causes for 1002 errors when a DNS points to a prohibited IP address are:
- A DNS record in your CIS DNS points to one of CIS's IP addresses.
- An incorrect target is specified for a CNAME record in your CIS DNS.
- Your domain is not on CIS but has a CNAME that refers to a CIS domain.
Resolution
Update your CIS A or CNAME record to point to your origin IP address instead of a CIS IP address:
- Contact your hosting provider to confirm your origin IP address or CNAME record target.
- Log in to your CIS account.
- Select the domain that generates error 1002.
- Select the DNS app.
- Click Value for the A record to update.
- Update the A record.
To ensure your origin web server doesn’t proxy its own requests through CIS, configure your origin webserver to resolve your CIS domain to:
- The internal NAT-ed IP address, or
- The public IP address of the origin web server.
Error 1002: Restricted
The most common cause of 1002: Restricted errors is when the CIS domain resolves to a local or disallowed IP address or an IP address not associated with the domain.
Resolution
If you own the website:
- Confirm your origin web server IP addresses with your hosting provider
- Log in to your CIS account
- Update the A records in the CIS DNS to the IP address confirmed by your hosting provider
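The causes listed for errors 1000 and 1002 can be checked against a DNS record export before a change goes live. The following is an added example, not CIS tooling: the proxy ranges are placeholder documentation networks to replace with the ranges published for your CIS instance, and `audit`, `classify_ip` and the sample records are hypothetical names and constructed data.

```python
import ipaddress

# Placeholder ranges (documentation networks), not real CIS ranges: replace
# them with the proxy IP ranges published for your CIS instance.
CIS_PROXY_RANGES = [ipaddress.ip_network(n) for n in
                    ("198.51.100.0/24", "2001:db8:100::/48")]
# Local or non-routable targets that cannot be a public origin address.
LOCAL_RANGES = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]

def norm(name):
    return name.lower().rstrip(".")

def classify_ip(value):
    """Return a finding for one A/AAAA value, or None if it can be an origin."""
    ip = ipaddress.ip_address(value)
    if any(ip in net for net in CIS_PROXY_RANGES):
        return "points to a CIS proxy IP (error 1000/1002)"
    if any(ip in net for net in LOCAL_RANGES):
        return "local or disallowed IP (error 1002: Restricted)"
    return None

def audit(records):
    """records: (name, type, value) tuples, e.g. parsed from a DNS zone export."""
    zone = {norm(name) for name, _, _ in records}
    findings = []
    for name, rtype, value in records:
        rtype, issue = rtype.upper(), None
        if rtype in ("A", "AAAA"):
            issue = classify_ip(value)
        elif rtype == "CNAME" and norm(value) == norm(name):
            issue = "CNAME points at itself"
        elif rtype == "CNAME" and norm(value) not in zone:
            issue = "CNAME target is outside this export; confirm it resolves"
        if issue:
            findings.append((norm(name), issue))
    return findings

# Constructed sample export; every name and address below is made up.
SAMPLE = [("example.com", "A", "203.0.113.10"),
          ("www.example.com", "CNAME", "example.com."),
          ("shop.example.com", "A", "198.51.100.7"),
          ("intranet.example.com", "A", "10.1.2.3"),
          ("cdn.example.com", "CNAME", "assets.example.net")]

if __name__ == "__main__":
    for name, issue in audit(SAMPLE):
        print(name, "->", issue)
```

An external CNAME target is only flagged for a manual lookup, because the script runs offline and does not resolve names.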
Error 1003 Access denied: Direct IP access not allowed
The most common cause of 1003 errors is when a client or browser directly accesses a CIS IP address.
Resolution
Browse to the website domain name in your URL instead of the CIS IP address.
Error 1004: Host not configured to serve web traffic
Common causes of 1004 errors are:
- CIS staff disabled proxying for the domain due to abuse or terms of service violations.
- DNS changes have not yet propagated or the site owner’s DNS A records point to CIS IP addresses.
Resolution
If the issue persists beyond 5 minutes, contact CIS support.
Errors 1006, 1007, 1008 or 1106 Access denied: Your IP address has been banned
Common causes for errors 1006, 1007, and 1008 are:
- A CIS customer blocked traffic from your client or browser.
- Error 1006 also occurs in the CIS Edge Functions under the Preview tab when a customer uses Zone Lockdown or any other CIS security feature to block the Google Cloud Platform IPs that the Preview tab relies upon.
Resolution
Request the website owner to investigate their CIS security settings or allow your client IP address. Because the website owner blocked your request, CIS support cannot override a customer’s security settings.
Error 1009 Access denied: Country or region banned
A common cause of 1009 errors is when the owner of the website (for example, example.com) has banned the country or region your IP address is in from accessing the website.
Resolution
Ensure your IP address is allowed under the IP Access Rules security feature.
Error 1010: The owner of this website has banned your access based on your browser's signature
A common cause of 1010 errors is when a website owner blocks your request based on your client's web browser.
Resolution
Notify the website owner of the blocking. If you cannot determine how to contact the website owner, look up contact information for the domain via the Whois database. Site owners disable Browser Integrity Check via the Security Advanced tab.
Because the website owner performed the blocking, CIS support cannot override a customer’s security settings.
Error 1011: Access denied (Hotlinking denied)
A common cause of 1011 errors is when a request is made for a resource that uses CIS hotlink protection.
Resolution
Notify the website owner of the blocking. If you cannot determine how to contact the website owner, look up contact information for the domain via the Whois database.
Because the website owner performed the blocking, CIS support cannot override a customer’s security settings.
Error 1012: Access denied
A common cause of 1012 errors is when a website owner forbids access based on malicious activity detected from the visitor’s computer or network (ip_address). The most likely cause is a virus or malware infection on the visitor’s computer.
Resolution
Update your antivirus software and run a full system scan. CIS cannot override the security settings the site owner has set for the domain. To request website access, contact the site owner to allow your IP address. If you cannot determine how to contact the website owner, look up contact information for the domain by using the Whois database.
Because the website owner performed the blocking, CIS support cannot override a customer’s security settings.
Error 1013: HTTP hostname and TLS SNI hostname mismatch
A common cause of 1013 errors is when the hostname sent by the client or browser via Server Name Indication (SNI) does not match the request host header.
Error 1013 is commonly caused by the following:
- Your local browser sets an incorrect SNI host header.
- A network that proxies SSL traffic causes a mismatch between the SNI and the Host header of the request.
Resolution
Test for an SNI mismatch via an online tool such as SSL Shopper.
Provide CIS Support a HAR file captured while duplicating the error.
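The mismatch behind error 1013 is between two values the client sends: the server_name extension in the TLS ClientHello and the Host header of the HTTP request. The following is an added example, not CIS tooling, that reads both from captured bytes and compares them; the function names and the sample hostnames are hypothetical, and the ClientHello is generated locally without any network connection.

```python
import ssl
import struct

def client_hello_bytes(sni):
    """Build a real ClientHello offline by starting a handshake over memory BIOs."""
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=sni)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: nothing answers; the ClientHello is now in `outgoing`
    return outgoing.read()

def sni_from_client_hello(data):
    """Return the server_name (SNI) carried in a TLS ClientHello record."""
    if data[0] != 0x16 or data[5] != 0x01:
        raise ValueError("not a TLS ClientHello record")
    pos = 5 + 4 + 2 + 32                               # headers, version, random
    pos += 1 + data[pos]                               # session id
    pos += 2 + struct.unpack_from("!H", data, pos)[0]  # cipher suites
    pos += 1 + data[pos]                               # compression methods
    end = pos + 2 + struct.unpack_from("!H", data, pos)[0]
    pos += 2
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack_from("!HH", data, pos)
        if ext_type == 0:  # server_name: list len(2), type(1), name len(2), name
            name_len = struct.unpack_from("!H", data, pos + 7)[0]
            return data[pos + 9:pos + 9 + name_len].decode("ascii").lower()
        pos += 4 + ext_len
    return None

def host_from_request(raw):
    """Return the Host header of a raw HTTP/1.1 request, without any port."""
    for line in raw.split(b"\r\n\r\n")[0].split(b"\r\n")[1:]:
        key, _, value = line.partition(b":")
        if key.strip().lower() == b"host":
            return value.strip().decode("ascii").lower().rsplit(":", 1)[0]
    return None

def sni_host_mismatch(client_hello, raw_request):
    """True when the TLS SNI and the HTTP Host header name different hosts."""
    return sni_from_client_hello(client_hello) != host_from_request(raw_request)

# Constructed sample: the ClientHello names www.example.com, the request api.example.com.
HELLO = client_hello_bytes("www.example.com")
REQUEST = b"GET / HTTP/1.1\r\nHost: api.example.com:443\r\n\r\n"
```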
Error 1014: CNAME cross-user banned
By default, CIS prohibits a DNS CNAME record between domains in different CIS accounts. CNAME records are permitted within a domain (www.example.com CNAME to api.example.com) and across zones within the same user account (www.example.com CNAME to www.example.net).
Resolution
To allow CNAME record resolution to a domain in a different CIS account, the domain owner of the CNAME target must contact CIS Support and specify the domains allowed to CNAME to their target domain.
Error 1015: You are being rate limited
A common cause of 1015 errors is when the site owner implemented Rate Limiting that affects your visitor traffic.
Unable to purge is another 1015 error code relating to CIS cache purge. Retry the cache purge and contact CIS support if errors persist.
Resolution
- If you are a site visitor, contact the site owner to request exclusion of your IP from rate limiting.
- If you are the site owner, review CIS Rate Limiting thresholds and adjust your Rate Limiting configuration.
- If your Rate Limiting blocks requests in a short time period (for instance, 1 second) try increasing the time period to 10 seconds.
For guidance on when you expect a new Edge function to exceed rate limits, see Working with Edge functions.
Error 1016: Origin DNS error
Error 1016 occurs when CIS cannot resolve the origin web server’s IP address.
Common causes for Error 1016 are:
- A missing DNS A record that mentions the origin IP address.
- A CNAME record in the CIS DNS points to an unresolvable external domain.
- The origin host names (CNAMEs) in your CIS Load Balancer default, region, and fallback pools are unresolvable. Use a fallback pool configured with an origin IP as a backup in case all other pools are unavailable.
- When creating a Range app with a CNAME origin, you need first to create a CNAME on the CIS DNS side that points to the origin.
Resolution
To resolve an error 1016:
- Verify your CIS DNS settings include an A record that points to a valid IP address that resolves via a DNS lookup tool.
- For a CNAME record pointing to a different domain, ensure that the target domain resolves via a DNS lookup tool.
Error 1018: Could not find host
Common causes of a 1018 error are:
- The CIS domain was recently activated and there is a delay propagating the domain’s settings to the CIS edge network.
- The CIS domain was created via a CIS partner (for example, a hosting provider) and the provider's DNS failed.
Error 1018 is returned via an HTTP 409 response code.
Resolution
Contact Support with the following details:
- Your domain name
- A screenshot of the 1018 error including the RayID mentioned in the error message
- The time and timezone the 1018 error occurred
Error 1019: Compute server error
A common cause of error 1019 is when a CIS Edge function script recursively references itself.
Resolution
Ensure your CIS Edge function does not access a URL that calls the same Edge function script.
Error 1020: Access denied
A common cause of an error 1020 is when a client or browser is blocked by a CIS customer’s firewall rules.
Resolution
If you are not the website owner, provide the website owner with a screenshot of the 1020 error message you received.
If you are the website owner:
- Retrieve a screenshot of the 1020 error from your customer
- Search the Firewall Events Log within the Overview tab of your Firewall app for the RayID or client IP Address from the visitor’s 1020 error message.
- Convert the UTC timestamp of the 1020 error to your local timezone when searching in the Firewall Events Log.
- Assess the cause of the block and either update the Firewall Rule or allow the visitor’s IP address in IP Access Rules.
Error 1023: Could not find host
Common causes of an error 1023 are:
- If the owner just signed up for CIS it can take a few minutes for the website's information to be distributed to our global network.
- Something is wrong with the site's configuration. Usually, this happens when accounts have been signed up with a partner organization (for example, a hosting provider) and the provider's DNS fails.
Error 1023 is returned via an HTTP 409 response code.
Resolution
Contact Support with the following details:
- Your domain name
- A screenshot of the 1023 error including the RayID mentioned in the error message
- The time and timezone the 1023 error occurred
Error 1025: Please check back later
A common cause of error 1025 is when a request is not serviced because the domain has reached plan limits for Edge functions.
Resolution
Contact Support to adjust the limits for Edge functions.
Error 1035: Invalid request rewrite (invalid URI path)
Common causes of error 1035 are when the value or expression of your rewritten URI path is not valid, and when the destination of the URL rewrite is a path under /cdn-cgi/.
Resolution
Make sure that the rewritten URI path is not empty and that it starts with a / (slash) character.
For example, the following URI path rewrite expression is not valid:
concat(lower(ip.geoip.country), http.request.uri.path)
To fix the expression, add a / prefix:
concat("/", lower(ip.geoip.country), http.request.uri.path)
Error 1036: Invalid request rewrite (maximum length exceeded)
A common cause of error 1036 is when the value or expression of your rewritten URI path or query string is too long.
Resolution
Use a shorter value or expression for the new URI path/query string value.
Error 1037: Invalid rewrite rule (failed to evaluate expression)
A common cause of error 1037 is when the expression of the rewrite rule could not be evaluated. There are several causes for this error, but it can mean that one expression element contained an undefined value when it was evaluated.
For example, you get a 1037 error when using the following URL rewrite dynamic expression and the X-Source header is not included in the request:
http.request.headers["x-source"][0]
Resolution
Make sure that all the elements of your rewrite expression are defined. For example, if you are referring to a header value, ensure the header is set.
Error 1040: Invalid request rewrite (header modification not allowed)
A common cause of error 1040 is when you are trying to modify an HTTP header that HTTP Request Header Modification Rules cannot change.
Resolution
Make sure you are not trying to modify one of the reserved HTTP request headers.
Error 1041: Invalid request rewrite (invalid header value)
A common cause of error 1041 is when the added/modified header value is too long or it contains characters that are not allowed.
Resolution
- Use a shorter value or expression to define the header value.
- Remove the characters that are not allowed. See Format of HTTP request header names and values in Developer Docs for more information on the allowed characters.
Error 1101: Rendering error
A common cause of error 1101 is when a CIS Edge function throws a runtime JavaScript exception.
Resolution
Provide appropriate issue details to Support.
Error 1102: Rendering error
A common cause of error 1102 is when an Edge function exceeds a CPU time limit. CPU time is the time spent executing code (for example, loops, parsing JSON, etc). Time spent on network requests (fetching, responding) does not count towards CPU time.
Resolution
Contact the developer of your Edge function code to optimize code for a reduction in CPU usage in the active Edge function scripts.
Error 1200: Cache connection limit
Error 1200 occurs when there are too many requests queued on the edge that are awaiting processing by your origin web server. This limit protects CIS's systems.
Resolution
Tune your origin webserver to accept incoming connections faster. Adjust your caching settings to improve cache-hit rates so that fewer requests reach your origin web server. Reach out to your hosting provider or web administrator for assistance.