ah opps the worker to worker case wouldn
ah opps the worker to worker case wouldn't be a 521 anyway.
so your worker is fetching another subdomain? If the other subdomain is unproxied, it's worth noting the worker fetch request goes through the full cdn pipeline as if it was proxied. A Common issue is your SSL/TLS Mode (under SSL/TLS -> Overview) is Flexible, so the Worker's trying to connect to your origin over http/80 and your origin only supports https/443, need full or full (strict). Otherwise 521 is a generic connection refused (could be firewall/etc). I assume it works fine not through the worker
19 Replies
I'm fetching using https://b.domain.com, I assume it's in HTTPS then.
Switching here to avoid flooding
How do you configure ssl/tls mode?
On the domain/zone in Cloudflare, SSL/TLS -> Overview
Gotcha, currently on the doc
Thx
I'm checking with the person who has the rights to manage the zone 😉
Worth double checking though: The subdomain
b.domain.com is unproxied right? I am assuming it also works fine not through the worker?Yes
It's working well outside the worker
And it works when running the worker locally
doesn't apply zone config/go through full cdn in local dev
You could try verifying the issue yourself by sending an http/80 request to b.domain.com, and seeing response
but yea, the weird sort of confusing bit is local dev just sends the request out like a normal request. But on a deployed worker, a fetch request from a worker goes through the whole proxied pipeline as if you made that subdomain proxied. So you get all your config applied.
Failed to connect to b.domain.com port 80 after 59 ms: Couldn't connect to server
So I assume if it goes in HTTP it does return 521 on cloudflareYea, sounds like it's indeed your SSL/TLS mode then. Flexible is downgrading the request to http/80, need ssl. Worth noting that changing that setting would also effect other proxied records on that zone, if you have any
I have a lot of them
I'm quite confused about how impactful it can be
So Flexible does this
Client -> HTTP|HTTPS -> Cloudflare -> HTTP -> Origin
Flexible is insecure, it's plaintext to origin. The only secure ssl/tls mode settings are Full (Strict) or Strict (SSL Only), the latter of which won't make a difference if you have redirects to https on
For your origins to work under Full (Strict) or Strict (SSL-only), they will need to respond on 443 with a valid, non-expired certificate. This can be from any major CA or from Cloudflare's Origin Certs. It shouldn't be a big ordeal in a perfect world, but it depends on your config
And if I put my worker as a.a.domain.com ? Would it be able to perform such call ?
Nesting it one subdomain deeper? wouldn't change anything
Since it's internal I might just change domain.com with domain.io
If it's a big deal to change your ssl/tls mode you should be able to make a configuration rule targeting
b.domain.com changing SSL/TLS modeHooo
Interesting
.. but you really shouldn't ever use Flexible in production eitherway. It's lying to your visitors about security, requests could be MITM'd and responded with bogus stuff, or if anything is sensitive is sent, obviously not secure
I note it!