Cloudflare error 527 triggers due to an interrupt in the connection between Cloudflare and the origin’s Railgun server(rg-listener). This happens due to a firewall block or network issues like packet loss in the connection between Cloudflare and the origin server.
Let us today discuss the possible causes and fixes for this error.
What causes Cloudflare error 527?
The interrupt in the connection between Cloudflare and origin server happens due to a variety of reasons. Some of them to list out are:
- Connection timeouts
- LAN timeout exceeded
- Connection refusals
- TLS/SSL related errors
It then results in the Cloudflare error 527 as shown below.
Let us now look at each of them one by one.
One of the main reasons for the 527 error is a timeout in the connection between Cloudflare and the railgun server. If the Railgun Listener is unable to establish or complete a TCP handshake with the origin server, it records a time out error as shown below in the Railgun logs:
connection failed 0.0.0.0:443/example.com: dial tcp 0.0.0.0:443: i/o timeout no response from origin (timeout) 0.0.0.0:80/example.com
The first step in fixing this issue would be to verify if the Railgun Listener and the origin server are able to connect directly. For example, the netcat command tests connectivity when it is run from the Railgun Listener to the origin web server’s SERVERIP and PORT.
nc -vz SERVERIP PORT
It can be done by using commands like cURL, ping, or running traceroute/mtr against the web server’s source IP. Ping or nc is helpful to confirm that the web server’s ports are open and accepts traffic from the Listener. This will help to determine if the connection is being accepted from the site’s origin server, or if an issue is present that is impacting the webserver from accepting requests.
Once we confirm the cause for the issue, we could then move on to fix it by editing the required settings.
LAN timeout exceeded
By default, the timeout limit for a server to send an HTTP response to the Listener is thirty seconds. The lan.timeout parameter in the railgun.conf file determines this value. If the origin server does not respond within the specified timeout limit, then the following error would be seen in the Listener logs:
connection failed 0.0.0.0:443/example.com: dial tcp 0.0.0.0:443: i/o timeout
The lan.timeout parameter of the railgun.conf file determines this time. Also, it would be a good idea to review the webserver configuration as to why the origin is taking a long time to respond to requests from the Listener. In most scenarios, it is also helpful to check the current load/bandwidth on the webserver to confirm if the server is unable to respond efficiently for requests due to overload.
The Railgun logs will show the following errors on the refusal of the requests from the Railgun Listener.
Error getting page: dial tcp 0.0.0.0:80:connection refused
Whitelisting the Listener’s server IP from the origin server’s firewall settings will help to fix this error.
TLS/SSL related errors
The failure of the TLS requests to connect to the origin server from the Railgun Listener, results in the connection failed error. A typical error message in the Railgun Logs would look like:
connection failed 0.0.0.0:443/example.com: remote error: handshake failure connection failed 0.0.0.0:443/example.com: dial tcp 0.0.0.0:443:connection refused connection failed 127.0.0.1:443/www.example.com: x509: certificate is valid for example.com, not www.example.com
This can happen due to a variety of reasons. The points to be cross-checked here include:
- Port 443 is open.
- The origin web server has an SSL certificate.
- The SAN or Common Name of the origin web server’s SSL certificate contains the requested hostname.
- SSL is set to Full or Full (Strict) in the Overview tab of the Cloudflare SSL/TLS app
If the origin web server is using a self-signed SSL certificate, we need to set validate.cert=0 in railgun.conf.
In short, Cloudflare error 526 occurs due to an interrupt in the connection between Cloudflare and the origin’s Railgun server(rg-listener).