#Getting error 521 stating web server is down; it's definitely not.

If I edit my hosts file to point to my server's IP address when I type the hostname, it loads just fine. Worked for about an hour earlier when I first enabled CloudFlare, before ceasing to work and giving that error.

I am using a Docker application that runs a web server on port 9000, and then a nginx reverse proxy with LetsEncrypt certificate to enable the https:// page. SSL settings in CloudFlare are set to Flexible. Can anybody assist? I just created an account and am trying to get the CDN function to work

If you are the owner of this website:
Contact your hosting provider letting them know your web server is not responding.

lol. I am the host, it's my VPS and I configured it all myself.

I am going to set it back to "DNS only" for now since it renders my site completely useless to my visitors, any help would be appreciated

no response is no response. your server is not responding to the cloudflare proxy.

I configured it all by myself
then you should know how to fix it as well

What port(s) does the proxy listen on? It responds to me if I turn off CloudFlare proxy.

And no, I clearly don't know how to fix it or I wouldn't be asking for help. I'm just saying CloudFlare's comment about "ask your host" doesn't help because I AM the host.

https://developers.cloudflare.com/fundamentals/reference/network-ports/#network-ports-compatible-with-cloudflares-proxy

my server is using 443

let me paste the nginx reverse proxy config

http on port 80, https on port 443

it might help to look at logs of your reverse proxy or docker container...

hm

or run a trace from your cloudflare dashboard

wait, how do I do that

I'm literally new to this whole thing, just signed up yesterday

the HTTP is running on port 9000, not 80. But the reverse proxy makes it HTTPS on 443

which should be fine?

this is ok if your server responds to https traffic

yes

that's why I'm confused at the 521 error

like it works fine if I turn the proxy off and use it as straight DNS

time to start debugging

make sure you are not being served a cached response

🤔

         listen 88;
         server_name   scanner.drfsupercenter.info;
         location / {
                proxy_pass              http://127.0.0.1:9000/;
                proxy_set_header        Host $host;
                proxy_set_header        X-Real-IP $remote_addr;
                proxy_request_buffering off;
                proxy_buffering         off;
                proxy_set_header        Connection keep-alive;
        }

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/scanner.drfsupercenter.info/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/scanner.drfsupercenter.info/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot







}```
So here is my nginx config

No idea why that says 88, it works on 443

but it's literally just doing proxy_pass from 9000

nginx access logs not showing anything past 10:31 🤔

rebooting it so it forces it to make new logfiles

Yeah uh, there's nothing in the nginx access log at all once I turn the cloudflare proxy on

It's like cloudflare isn't even trying.

If I bypass DNS, page loads just fine and I see my requests in the log.

you guys got any ideas @wise ginkgo @near violet ? The web server is totally responsive on 443, like I said if I use my hostsfile to bypass DNS it loads just fine. But somehow CloudFlare is just not trying at all, it gives the error 521 and doesn't even attempt to load any content from the page, hence nothing showing up in the access logs

what's your hosting provider

Contabo

It's a VPS, running Debian 12

yeah this is so weird

https://scanner.drfsupercenter.info/static/favicons/navbar.png

what does your cloudflare trace look like

this is just a picture

works fine if I bypass proxy

check the ray id

???? how

go to security

all I saw was this btw

tells me nothing

events

search by Ray id

all I see is the blocks

I set it to block people not in the US

💀

look at the service header as well

every block is from a custom rule

Maybe check those...

where is that?

I turned my rules off just to make sure it's not an issue, but I still get the 521

🦗

is 172.58.120.13 one of the CloudFlare proxy IPs?

172.58.120.13 - - [18/Jul/2024:12:10:09 -0400] "POST /api/get_data HTTP/1.1" 200

I see a bunch of these in the nginx logs

Nope:

How the frick is somebody getting my site to load????

I still get the 521 cloudflare page.

Do you have any ideas? This is bugging me and I'm close to just turning proxy off and abandoning the whole thing

If there's an issue with my nginx config, lmk and I'll fix it

What if you disable SSL on your origin?

hmm

ok, so it proxies to port 88 (HTTP) and 443 (HTTPS). If I turn CloudFlare proxy off, both work. If I turn CloudFlare proxy on, the :88 doesn't work if I set SSL/TLS to "flexible"

I don't think it works when I turn it off either, it just says "error too many redirects"

are you saying I should do port 80 binding?

actually I might try that, hold on

I can't figure out how to make it not auto redirect to HTTPS 😐

hey ok, so I finally figured out how to disable SSL. Bad news, still isn't working. When I use hostfile trick, works just fine using http:// but on every other machine it still tries to redirect to https:// and then gives a browser error for "too many redirects"

I don't even get why...

Tried on a different IP, it's not redirecting to https but still gives ERR_TOO_MANY_REDIRECTS

OH! I think I figured it out. Flexible "Enable encryption only between your visitors and Cloudflare. This avoids browser security warnings, but all connections between Cloudflare and your origin are made through HTTP."

Since the origin server wasn't doing HTTP, and only HTTPS, that explains it

Yeah, I meant leave Cloudflare on Flexible, but completely remove SSL from your origin

Yeah, I got it

Do you know how I can make other ports work? With CloudFlare proxy on, only 80 and 443 work, if I try to load my-domain:9001 for example it doesn't load.

https://developers.cloudflare.com/fundamentals/reference/network-ports/#how-to-enable-cloudflares-proxy-for-additional-ports

Configure a Spectrum application for the hostname running the server. Spectrum supports all ports. Spectrum for all TCP and UDP ports is only available on the Enterprise plan. If you would like to know more about Cloudflare plans, please reach out to your Cloudflare account team.

so basically no?

I'm not paying for enterprise

I don't get why it can't just "grey cloud" stuff outside the standard ports

Because you either use Cloudflare for everything on a given subdomain, or you use it for nothing

You can't tell a client to use Cloudflare for these ports, and your server for these other ports

I get that, but why can't it just point straight to my server (bypassing the cloud cache) for ports it doesn't support?

Instead of just blocking traffic

Because the IPs that Cloudflare uses to serve your traffic are shared by many other customers. You can sort which customer should receive which request with HTTP, but you can't do that with arbitrary TCP/UDP services

Which means you need to dedicate an IP to each customer that wants this service(which is what Spectrum does)

what? I thought the whole point of CloudFlare was to cache content on multiple servers. You should be able to bypass it and just connect directly to the host server, like what I did by modifying the hosts file

You can selectively bypass the cache, but you can't selectively bypass the proxy. This is the same as with nginx

ok but with nginx you can just tell it to listen on more ports...

Yes, but if 2k customers all share the same IP address, and I receive a connection on port 9000, how do I know how to route it to your server?

the same way it knows to load assets directly from my server when they aren't cached 🤔

🍎 == ?

You can do SRV records to redirect all ports used to another subdomain

Is what you normally do on mc to run the website protected but have joinable mc server without spectrum

mc?