Getting error 521 stating web server is down; it's definitely not.

If I edit my hosts file to point to my server's IP address when I type the hostname, it loads just fine. Worked for about an hour earlier when I first enabled CloudFlare, before ceasing to work and giving that error. I am using a Docker application that runs a web server on port 9000, and then an nginx reverse proxy with LetsEncrypt certificate to enable the https:// page. SSL settings in CloudFlare are set to Flexible. Can anybody assist? I just created an account and am trying to get the CDN function to work.
drfsupercenter OP 6mo ago
If you are the owner of this website: Contact your hosting provider letting them know your web server is not responding.
lol. I am the host, it's my VPS and I configured it all myself. I am going to set it back to "DNS only" for now since it renders my site completely useless to my visitors, any help would be appreciated
Idle 6mo ago
no response is no response. your server is not responding to the cloudflare proxy.
I configured it all by myself
then you should know how to fix it as well
drfsupercenter OP 6mo ago
What port(s) does the proxy listen on? It responds to me if I turn off CloudFlare proxy. And no, I clearly don't know how to fix it or I wouldn't be asking for help. I'm just saying CloudFlare's comment about "ask your host" doesn't help because I AM the host.
Hard@Work 6mo ago
Cloudflare Docs
Network ports · Cloudflare Fundamentals docs
Learn which network ports Cloudflare proxies by default and how to enable Cloudflare’s proxy for additional ports.
drfsupercenter OP 6mo ago
my server is using 443
let me paste the nginx reverse proxy config
Idle 6mo ago
http on port 80, https on port 443
it might help to look at logs of your reverse proxy or docker container...
drfsupercenter OP 6mo ago
hm
Idle 6mo ago
or run a trace from your cloudflare dashboard
drfsupercenter OP 6mo ago
wait, how do I do that
I'm literally new to this whole thing, just signed up yesterday
the HTTP is running on port 9000, not 80. But the reverse proxy makes it HTTPS on 443 which should be fine?
Idle 6mo ago
this is ok if your server responds to https traffic
drfsupercenter OP 6mo ago
yes that's why I'm confused at the 521 error
like it works fine if I turn the proxy off and use it as straight DNS
Idle 6mo ago
time to start debugging
make sure you are not being served a cached response
drfsupercenter OP 6mo ago
🤔
server {
    listen 88;
    server_name scanner.drfsupercenter.info;
    location / {
        proxy_pass http://127.0.0.1:9000/;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_request_buffering off;
        proxy_buffering off;
        proxy_set_header Connection keep-alive;
    }

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/scanner.drfsupercenter.info/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/scanner.drfsupercenter.info/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
So here is my nginx config
No idea why that says 88, it works on 443 but it's literally just doing proxy_pass from 9000
drfsupercenter OP 6mo ago
nginx access logs not showing anything past 10:31 🤔
rebooting it so it forces it to make new logfiles
Yeah uh, there's nothing in the nginx access log at all once I turn the cloudflare proxy on
It's like cloudflare isn't even trying. If I bypass DNS, page loads just fine and I see my requests in the log.
you guys got any ideas @Hard@Work | R2 @Idle ?
The web server is totally responsive on 443, like I said if I use my hosts file to bypass DNS it loads just fine. But somehow CloudFlare is just not trying at all, it gives the error 521 and doesn't even attempt to load any content from the page, hence nothing showing up in the access logs
Idle 6mo ago
what's your hosting provider
drfsupercenter OP 6mo ago
Contabo
It's a VPS, running Debian 12
yeah this is so weird
https://scanner.drfsupercenter.info/static/favicons/navbar.png
Idle 6mo ago
what does your cloudflare trace look like
drfsupercenter OP 6mo ago
this is just a picture
works fine if I bypass proxy
Idle 6mo ago
check the ray id
drfsupercenter OP 6mo ago
???? how
Idle 6mo ago
go to security
drfsupercenter OP 6mo ago
all I saw was this btw
drfsupercenter OP 6mo ago
tells me nothing
Idle 6mo ago
events search by Ray id
drfsupercenter OP 6mo ago
all I see is the blocks
drfsupercenter OP 6mo ago
I set it to block people not in the US
Idle 6mo ago
💀
look at the service header as well
every block is from a custom rule
Maybe check those...
drfsupercenter OP 6mo ago
where is that?
I turned my rules off just to make sure it's not an issue, but I still get the 521
🦗
is 172.58.120.13 one of the CloudFlare proxy IPs?
172.58.120.13 - - [18/Jul/2024:12:10:09 -0400] "POST /api/get_data HTTP/1.1" 200
172.58.120.13 - - [18/Jul/2024:12:10:09 -0400] "POST /api/get_data HTTP/1.1" 200
I see a bunch of these in the nginx logs
Hard@Work 6mo ago
Nope:
drfsupercenter OP 6mo ago
How the frick is somebody getting my site to load???? I still get the 521 cloudflare page.
Do you have any ideas? This is bugging me and I'm close to just turning proxy off and abandoning the whole thing
If there's an issue with my nginx config, lmk and I'll fix it
Hard@Work 6mo ago
What if you disable SSL on your origin?
drfsupercenter OP 6mo ago
hmm
ok, so it proxies to port 88 (HTTP) and 443 (HTTPS). If I turn CloudFlare proxy off, both work. If I turn CloudFlare proxy on, the :88 doesn't work if I set SSL/TLS to "flexible" I don't think it works when I turn it off either, it just says "error too many redirects"
are you saying I should do port 80 binding?
actually I might try that, hold on
I can't figure out how to make it not auto redirect to HTTPS 😐
hey ok, so I finally figured out how to disable SSL. Bad news, still isn't working. When I use hosts file trick, works just fine using http:// but on every other machine it still tries to redirect to https:// and then gives a browser error for "too many redirects"
drfsupercenter OP 6mo ago
I don't even get why...
drfsupercenter OP 6mo ago
Tried on a different IP, it's not redirecting to https but still gives ERR_TOO_MANY_REDIRECTS
OH! I think I figured it out.
Flexible: "Enable encryption only between your visitors and Cloudflare. This avoids browser security warnings, but all connections between Cloudflare and your origin are made through HTTP."
Since the origin server wasn't doing HTTP, and only HTTPS, that explains it
Hard@Work 6mo ago
Yeah, I meant leave Cloudflare on Flexible, but completely remove SSL from your origin
drfsupercenter OP 6mo ago
Yeah, I got it
Do you know how I can make other ports work? With CloudFlare proxy on, only 80 and 443 work, if I try to load my-domain:9001 for example it doesn't load.
Hard@Work 6mo ago
Cloudflare Docs
Network ports · Cloudflare Fundamentals docs
Learn which network ports Cloudflare proxies by default and how to enable Cloudflare’s proxy for additional ports.
drfsupercenter OP 6mo ago
Configure a Spectrum application for the hostname running the server. Spectrum supports all ports. Spectrum for all TCP and UDP ports is only available on the Enterprise plan. If you would like to know more about Cloudflare plans, please reach out to your Cloudflare account team.
so basically no? I'm not paying for enterprise
I don't get why it can't just "grey cloud" stuff outside the standard ports
Hard@Work 6mo ago
Because you either use Cloudflare for everything on a given subdomain, or you use it for nothing
You can't tell a client to use Cloudflare for these ports, and your server for these other ports
drfsupercenter OP 6mo ago
I get that, but why can't it just point straight to my server (bypassing the cloud cache) for ports it doesn't support? Instead of just blocking traffic
Hard@Work 6mo ago
Because the IPs that Cloudflare uses to serve your traffic are shared by many other customers. You can sort which customer should receive which request with HTTP, but you can't do that with arbitrary TCP/UDP services
Which means you need to dedicate an IP to each customer that wants this service (which is what Spectrum does)
drfsupercenter OP 6mo ago
what? I thought the whole point of CloudFlare was to cache content on multiple servers. You should be able to bypass it and just connect directly to the host server, like what I did by modifying the hosts file
Hard@Work 6mo ago
You can selectively bypass the cache, but you can't selectively bypass the proxy. This is the same as with nginx
drfsupercenter OP 6mo ago
ok but with nginx you can just tell it to listen on more ports...
Hello, I’m Allie!
Yes, but if 2k customers all share the same IP address, and I receive a connection on port 9000, how do I know how to route it to your server?
drfsupercenter OP 6mo ago
the same way it knows to load assets directly from my server when they aren't cached 🤔
Idle 6mo ago
🍎 == 🍊 ?
Upioti 6mo ago
You can do SRV records to redirect all ports used to another subdomain
Is what you normally do on mc to run the website protected but have joinable mc server without spectrum
drfsupercenter OP 6mo ago
mc?
Idle 6mo ago
Minecraft