Problems using Origin TLS certs

I've always used certs created by certbot, but learned they are not recommended if you use the CF proxy. I recently converted my nginx config to use the origin certs from the CF dashboard. My website login page looks normal, but as soon as I try to log in it returns "Failed to load resource: the server responded with a status of 520 ()" and "Response Status Error Code 520" from /login. This is very confusing to me, as this endpoint either returns 401 if you have the wrong credentials or 200 if it logs you in. What could this be?
Tangenius (OP), 11mo ago
This is my nginx.conf:

    worker_processes auto;
    pid /run/nginx.pid;
    include /etc/nginx/modules-enabled/*.conf;
    events {}

    http {
        include mime.types;
        ssl_session_cache shared:SSL:10m;
        ssl_session_timeout 10m;
        client_max_body_size 500M;
        server_tokens off; # Don't show the nginx version number, a security best practice

        access_log /var/log/nginx/access.log;
        error_log /var/log/nginx/error.log;
        include /etc/nginx/conf.d/*.conf;

        server {
            listen 443 ssl http2;

            ssl_certificate /etc/ssl/certs/rsmono/cert.pem;
            ssl_certificate_key /etc/ssl/certs/rsmono/private_key.pem;

            server_name <hidden>;

            access_log /var/log/nginx/gateway_ssl_access.log; # Access log specific to this server block

            # security headers
            add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
            add_header X-Frame-Options "SAMEORIGIN" always;
            add_header X-Content-Type-Options "nosniff" always;
            add_header X-XSS-Protection "1; mode=block";
            add_header Referrer-Policy "strict-origin";
            add_header Permissions-Policy "autoplay=(), encrypted-media=(), fullscreen=(), geolocation=(), microphone=(), midi=()";
            add_header Content-Security-Policy "script-src 'self' 'unsafe-eval' 'unsafe-inline' https://unpkg.com https://cdn.jsdelivr.net; object-src 'self'";

            location / {
                proxy_pass http://127.0.0.1:3000;

                proxy_set_header Host $host;
                proxy_set_header X-Real-IP $remote_addr;

                # security measure
                if ($request_method !~ ^(GET|HEAD|POST|PUT|DELETE)$ ) {
                    return 405;
                }
            }
        }
    }
Sometimes I also seem to get 422 (Unprocessable Content). I finally found some context when looking in the response: "There is an issue between Cloudflare's cache and your origin web server. Cloudflare monitors for these errors and automatically investigates the cause. To help support the investigation, you can pull the corresponding error log from your web server and submit it our support team. Please include the Ray ID (which is at the bottom of this error page)." Seems to be related to cache, but I just turned off cache and it keeps happening.
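A 520 is Cloudflare saying it received a reply from the origin that it could not relay (empty, not HTTP, or with a header block it refuses), so the useful first step is to capture what nginx actually returns for POST /login when requested directly, bypassing the proxy, and inspect that raw response. The script below is an added example for this thread, not the poster's code; it triages such a capture for the usual unrelayable conditions, and the 16 KB header threshold is an assumption to be compared with the limit Cloudflare currently documents.

```python
# Added diagnostic for this thread (not the poster's code): triage a raw HTTP
# response captured from the origin for the conditions that make a proxy in
# front of it, Cloudflare in this case, discard the reply and answer 520.
# HEADER_LIMIT is an assumption; compare it with Cloudflare's documented limit.
HEADER_LIMIT = 16 * 1024


def triage_response(raw: bytes, header_limit: int = HEADER_LIMIT) -> list[str]:
    """Return findings for one raw HTTP/1.x response; [] means relayable."""
    if not raw.strip():
        return ["empty response: origin closed the connection without answering"]
    findings = []
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        findings.append("header block never terminated (no blank line before body)")
    lines = head.split(b"\r\n")
    status = lines[0].split(b" ", 2)
    if len(status) < 2 or not status[0].startswith(b"HTTP/") or not status[1].isdigit():
        findings.append(f"no HTTP status line; response starts with {lines[0][:40]!r}")
    if len(head) > header_limit:
        findings.append(f"header block is {len(head)} bytes, over the {header_limit}-byte limit")
    headers = {}
    for line in lines[1:]:
        if not line:
            continue
        name, colon, value = line.partition(b":")
        if not colon:
            findings.append(f"malformed header line {line[:40]!r}")
            continue
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    declared = headers.get(b"content-length", [b""])[0]
    if sep and declared.isdigit() and int(declared) != len(body):
        findings.append(f"Content-Length {int(declared)} but body is {len(body)} bytes")
    return findings


# Constructed samples: a healthy /login rejection and three responses a proxy cannot relay.
SAMPLES = {
    "login_401": (b"HTTP/1.1 401 Unauthorized\r\nContent-Type: application/json\r\n"
                  b"Content-Length: 27\r\n\r\n" + b'{"error":"bad credentials"}'),
    "empty": b"",
    "truncated": b"HTTP/1.1 200 OK\r\nSet-Cookie: session=abc\r\n",
    "huge_cookie": b"HTTP/1.1 200 OK\r\nSet-Cookie: session=" + b"x" * 20000 + b"\r\n\r\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, "->", triage_response(raw) or ["relayable"])
```

Feed it the bytes of the real response (for example from a direct request to 127.0.0.1:3000 and another to nginx on 443) and compare: a finding on the nginx path only points at the proxy hop, a finding on both points at the application.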
