Weird intermittent HTTP 526 Error, different subdomain is requested
On my webserver I occasionally (about 1 in 20 requests) get an HTTP Error 526 that I can't figure out. If I request the same URL in a browser, about 1 in 20 requests will return an error 526. I checked the SSL config with various tools and it seems fine (also works the majority of times).
I then enabled the SSL debug in apache2 and found that the requests that fail do so because, for some reason, a different subdomain is requested, for which there is no SSL certificate installed on this server. So all the requests (sub1.mydomain.com) work fine, but although I request the exact same URL, suddenly I can see another subdomain is requested (sub2.mydomain.com), which I also own and operate but on a different server. Since this server can't provide an SSL certificate for that subdomain, the request fails and I get an error 526. I have no idea what happens here and how to debug this error. To me right now the only explanation is that the Cloudflare caching somehow messes with the subdomains and requests... Can anybody help?
Can you tell from your logs when this issue started?
And could you also share the domain so I can try to reproduce the issue?
I first noted it on February 4th but it then disappeared a day or so after without any action I took, now it reappeared today
Could you give a specific time for today?
I can't, I noticed around 2 hours ago but I don't know if it occurred before
maybe another important piece of information I noticed: this happens across multiple subdomains that go through cloudflare and multiple servers
And can you share a domain on which I can reproduce?
the domains are very restricted by country/origin and provider, I doubt you can access them
do you have a support ticket open about this which identifies the domains?
I don't. Discord is my first support approach I have taken with this issue. I use a free plan so far.
Do your logs contain the Cloudflare RayID?
They do not.
Looking into changing that.
it would be helpful for cf employees to be able to pinpoint the issue if you could share the domain
here, in DMs, me or directly to them is fine
I will share to you in DM
I think it would be best if you could create a ticket in which you mention the domain, the RayID of a 526 that you receive as well as server logs that show that the specific request had a wrong host header/SNI.
If you then share the ticket nr here, someone will look into it.
Thanks. I have trouble navigating the support section, I thought on a free plan I cannot open a ticket?
You can create a ticket with the account category.
Thanks for your help so far. I will create a ticket tomorrow and work on providing the necessary logs but it is late here already for me.
Sure, good night!
Hey there. I'm having trouble getting the cloudflare ray id into the log where I need it to be
The ray id only shows up in the access.log in my apache web server but not in the debug log (which goes to a different file)
Anyhow, I added a case 01409336
https://support.cloudflare.com/support/s/case/500Nv00000KL5R7IAL
it's okay, we found the logs already, but it's origin related so we'll follow up via the support case
Just for my understanding, what do you mean by "origin related" and what is a timeframe I can expect to have this issue resolved? Just to have an idea to decide if I apply a temporary workaround and to inform the people who are affected
ah sorry, I've been ooo the past week (and on a boat, away from the internet). the origin is the thing cloudflare is configured to connect to when it needs to fetch content.
I'll make a mental note to chase this one down when I'm back on Tuesday. I know what's happening so it's just a question of how soon a fix will be shipped
Great, thank you! Enjoy your vacation!
I had a look at the tracking bug for the underlying issue and the fix has probably gone out by now, see if you can still detect the problem anywhere
(I totally had a workaround but you might just not need it)
Thanks a lot! So far it looks good to me, will keep an eye on the log files. Out of curiosity, how would you work around this? Changing the ssl mode from strict to full is what I tested and what seemed to help
Same here and with multiple domains, and CF keeps telling me it's not their problem when I proved it is
got a ticket?
The issue from above is resolved but happy to take a look at yours
it started 11 AM London time. I noticed most of my domains in CF not working with timeout. Then some of them would give errors like 502. Then it started flapping. I opened a case with CF and was told that I must be stupid and should check if the server is running and .. all that crap. I PAY 1500$ TO YOU SO YOU TELL ME TO F*CK OFF WHEN I HAVE A PROBLEM?
I'm literally here asking so I can take a look :p
I was told that this could be due to Spain blocking CF IPs, since some of them were used for illegal football streams.
the workaround would be to put more hostnames on the origin ssl cert. but it shouldn't matter now it's fixed
(one specific thing was picking a different ssl hostname than the one you were expecting, and has been fixed)
Cool. Thank you a lot!
We are experiencing the same issue on our production server (starting around Feb 4th); however, we are not experiencing this issue on our staging server. The two environments are identical, but taking a quick look, the certificate on our production environment is now issued by Google Trust Services whereas the certificate on staging is issued by Let’s Encrypt.
Around 12 AM EDT on Wed the 12th, I can see from our server logs that this issue has effectively gone away.