Troubleshooting 500 class errors

Error 500 resolution

If the 500 error contains “cloudflare” or “cloudflare-nginx” in the HTML response body, provide support with the following information:

• Your domain ID and instance CRN
• The time and timezone of the 500 error occurrence
• The output of www.example.com/cdn-cgi/trace from the browser where the 500 error was observed (replace www.example.com with your actual domain and host name)

If you observe blank or white pages when visiting your website, confirm whether the issue occurs when temporarily pausing CIS and check your origin logs for more details.

Error 502 resolution

If the 502/504 error is from your origin web server, CIS returns a HTTP 502 or 504 error when your origin web server responds with a standard HTTP 502 bad gateway or 504 gateway timeout error. Check the origin logs to troubleshoot these common causes at your origin web server:

• Ensure the origin server responds to requests for the hostname and domain within the visitor’s URL that generated the 502 or 504 error
• Investigate excessive server loads, crashes, or network failures
• Identify applications or services that timed out or were blocked

If the 502/504 error comes from Cloudflare, provide these required details to Support:

• Time and timezone the issue occurred
• URL that resulted in the HTTP 502 or 504 response (for example: https://www.example.com/images/icons/image1.png)
• Output from browsing to www.example.com/cdn-cgi/trace (replace www.example.com with the domain and host name that caused the HTTP 502 or 504 error)

Error 503 resolution

There are two possible causes discernible by error message:

• If the error doesn’t contain “cloudflare” or “cloudflare-nginx” in the HTML response body, check your origin logs for additional information.
• If the error does contain “cloudflare” or “cloudflare-nginx” in the HTML response body, a connectivity issue occurred in a Cloudflare data center. Provide support with the following information:
  • Your domain ID and instance CRN
  • The time and timezone of the 503 error occurrence
  • The output of www.example.com/cdn-cgi/trace from the browser where the 503 error was observed (replace www.example.com with your actual domain and host name)

Error 520 resolution

A quick workaround while further investigating 520 errors is to either disabling the proxy of the DNS record or temporarily pause CIS.

Check your origin web server error logs for crashes and look for these common causes:

• Origin web server application crashes
• CIS IPs not allowed at your origin
• Headers exceeding 16 KB (typically due to too many cookies)
• An empty response from the origin web server that lacks an HTTP status code or response body
• Missing response headers or origin web server not returning proper HTTP error responses

520 errors are prevalent with certain PHP applications that crash the origin web server.

If HTTP/2 is enabled at your origin web server, make sure that HTTP/2 is correctly configured. A 520 error is returned if the origin web server accepts the HTTP/2 connection but then doesn’t respect or support the protocol. The maximum origin HTTP version can be set under the Advanced tab of the Reliability page in the UI.

If 520 errors continue to occur, provide the following information to Support:

• Full URL(s) of the resource requested when the error occurred
• Cloudflare cf-ray from the 520 error message
• Output from http://www.example.com/cdn-cgi/trace (replace www.example.com with your hostname and domain where the 520 error occurred)
• Two HAR files:
  • one with CIS enabled on your website
  • one with CIS temporarily disabled

Error 521 resolution

Check your origin web server error logs to eliminate these common causes:

• Ensure your origin web server is responsive
• Review origin web server error logs to identify web server application crashes or outages.
• Confirm CIS IP addresses are not blocked or rate limited
• Allow all CIS IP ranges in your origin web server's firewall or other security software
• Confirm that — if you have your TLS mode set to End-to-end flexible, End-to-end CA Signed or HTTPS only origin pull — you have installed a CIS Origin Certificate

Error 522 resolution

Check your origin web server error logs for the following common causes at your origin web server:

• (Most common cause) CIS IP addresses are rate limited or blocked in .htaccess, iptables, or firewalls. Confirm that your origin configuration allows CIS IP addresses
• An overloaded or offline origin web server drops incoming requests
• Keepalives are disabled at the origin web server
• The origin IP address in CIS does not match the IP address currently provisioned to your origin web server
• Packets were dropped at your origin web server

If none of these leads to a resolution, attempt to gather the following information before contacting support:

• An MTR or traceroute from your origin web server to a CIS IP address that most commonly connected to your origin web server before the issue occurred Identify a connecting CIS IP recorded in the origin web server logs
• Any relevant details from the origin logs

Error 523 resolution

Check your origin web server error logs to eliminate these common causes at your origin web server:

• Confirm the correct origin IP address is listed for A or AAAA records
• Troubleshoot internet routing issues between your origin and CIS, or with the origin itself

If none of the previous tips leads to a resolution, request an MTR or traceroute from your origin web server to a CIS IP address that most commonly connected to your origin web server before the issue occurred. Identify a connecting CIS IP from the logs of the origin web server.

Error 524 resolution

Check your origin web server error logs to eliminate these common causes at your origin web server:

• A long-running process on the origin web server
• An overloaded origin web server

Logging request response time at your origin web server helps identify the cause of resource slowness.

If you regularly run HTTP requests that take over 100 seconds to complete (for example large data exports), move those processes behind a subdomain that is not proxied.

Error 525 resolution

Check your origin web server error logs to eliminate these common causes at your origin web server:

• No valid SSL certificate installed
• Port 443 (or other custom secure port) is not open
• No SNI support
• The cipher suites accepted by Cloudflare do not match the cipher suites supported by the origin web server

If 525 errors occur intermittently, review the origin web server error logs to determine the cause. Configure Apache to log mod_ssl errors. You might be able to get SSL errors in your NginX standard error log, but might need an increased log level.

Error 526 resolution

Set your TLS to End-to-end flexible instead of End-to-end CA Signed or HTTPS only origin pull to see if that fixes the error.

Review the origin web server’s TLS certificates and verify that:

1. The certificate is not expired
2. The certificate is not revoked
3. The certificate is signed by a Certificate Authority (not self-signed)
4. The requested or target domain name and hostname are in the certificate's Common Name or Subject Alternative Name
5. Your origin web server accepts connections over port 443
6. Temporarily pause CIS and go to https://www.sslshopper.com/ssl-checker.html#hostname=www.example.com (replace www.example.com with your hostname and domain) to verify no issues exists with the origin TLS certificate