
CloudFlare Experiment Ends Weirdly

After five months of CloudFlare, I’ve turned it off. Unsatisfied.

I ended up turning it all off for one reason only.

I keep getting a 522 error on cloudflare.com.

Now. I have a working theory that it happens when I’m hitting my own site a lot (be it for development or as recently, a lot of traffic I need to reply to), but what would happen is I got an error 522 on my sites. So I’d go to cloudflare.com to whitelist my IP, since their explanation of “This means your site is down” was wrong (site was up, I was ssh’d in at the time), and I’d get a 522 on cloudflare.com.

Let me roll back to August 1st.

That night I went to make some changes on my site to the CSS and, instead of turning on Dev Mode in CloudFlare, I did my thing with Git, pushed my changes, dumped the cache of that CSS file, and was prepared to smile at my glory. Nope! I got a 522. This was odd, since I was currently on the server via SSH and the load on the box was 0.3. Naturally I went to support.cloudflare.com to try and see if I’d missed some directions only to get a 522 there as well.

Track that for a second. I got a 522 on CloudFlare’s domain.

The possible answers I could come up with, since I couldn’t read any of their documentation, were that either my IP was blocked or the cache server I was proxying through was down. Since I could log into the dashboard for my accounts, I went in and tried to guess how to whitelist my IP. I couldn’t find that, so I opened a support request:

I can’t access support.cloudflare.com because of 522s. My IP is 172.249.156.169 – Is there any way I can get whitelisted?

I got a reply that it was the wrong place to ask, which I don’t think was correct. One of the solutions (per a Google cache of the support page I couldn’t access, hello) said that you could whitelist your IP to see if that helped. Cool. Except I couldn’t get the part of the page to load that told me where and how that was set.

So I asked for support with the dashboard via the dashboard support panel. Instead I got someone telling me I had to open a new ticket. And he was incapable of transferring my ticket or saying “Hey, you can’t access the right support place, let me make a ticket for you! Sorry about that.” It was akin to telling me to email them to tell them my email was down.

I fumed. And then I kept clicking until I found the place to enter my IP. I did and magically CloudFlare started working for me! I quickly went and opened a ticket to complain that I couldn’t have a ticket transferred (or made for me), and suggested this:

If someone’s logged in via the dashboard and they’re getting a 522 on ALL Cloudflare sites, it’s a logical assumption that something blocked them. But if I can log in, the odds are I’m really me, so that should get an auto-whitelist. If that isn’t possible, can it be detected and alerted? “Hey, we noticed your IP is blocked. Would you like to white list it, since you’ve logged in we can be reasonably sure you’re not an asshat?”

They replied with a standard ‘A 522 means…’ and told me to whitelist their servers on my server firewall. For some reason the email didn’t get to me, so I made a new ticket.

In this ticket, I had to wait until I got another 522 (end of August) and when I sent in my error ID and a screenshot, I was told this:

This was a timeout between our cache server and the origin server that hosts support.cloudflare.com.

I think he actually meant “Our cache server was down.” because at that time I couldn’t get to any CF hosted site until I rebooted my router and got a new IP.

I don’t really buy this, though, and I think their IP block is too aggressive. I would run into it all the time when I was at a hotel. I’d be reading comments on my own sites and get blocked. And every single time I got blocked, it was from all of my domains and cloudflare.com. Sketchy as hell to me.

When I added in the problem that ‘always up’ actually meant if your site was down they’d put up a CloudFlare page to apologize for the site being down, I decided to turn it off. It clearly wasn’t helping me as much as I’d hoped.

This isn’t to say CloudFlare is terrible and you should never use it, just that it proved to be too frustrating for me to want to use.

3 replies on “CloudFlare Experiment Ends Weirdly”

CF is pretty weird… I like some things about it, really loathe others… I use it (and love it) regardless for one reason:

HTTPS for several hundred domains and growing… I am a proponent of a (mostly) https web and CF’s free offering is pretty stellar compared to any other option I know of in making that happen right now…

LetsEncrypt.org is very promising, however it seems like there is some ways to go before it’s easier/better than using CF for most folks…

I’m hoping cPanel gets going on support for LetsEncrypt already as that would really help move things along…
https://features.cpanel.net/topic/provide-support-for-lets-encrypt-automated-certificate-management-ssl

This sort of thing worries me about CloudFlare. I try to keep its settings to the bare minimum for fear of such problems, and also disable its minification services because I’ve seen them break too many things subtly.

Q: do you have fail2ban auto-blacklisting “suspicious” IPs on CloudFlare? Just wondering if perhaps that could be a factor. I use fail2ban with nginx logs and the CloudFlare action for fail2ban, and it does a great job of propagating blacklisted IPs to CloudFlare, but of course you need to have whitelisted your own IP address first or you can be hit with just your scenario.

As with Max above, I’m grateful for CloudFlare’s free SSL certificates, and it does a great job relieving load from image-heavy websites. I just don’t trust its “extra” features too much, after seeing weird stuff on client sites where the client has turned on “neat features”.
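The fail2ban-to-CloudFlare setup the comment above describes, with the whitelist it warns about, looks roughly like this as an added example. It is constructed for this page, not the commenter's own configuration; the jail name, log path, thresholds, the `203.0.113.10` admin address and the `cfuser`/`cftoken` values are placeholders, and `cfuser`/`cftoken` are the parameter names fail2ban's stock `cloudflare` action reads.

```ini
# /etc/fail2ban/jail.local  (constructed example, not from the post or comments)

[DEFAULT]
# Addresses fail2ban must never ban, checked before any filter match counts.
# Put your own workstation/office/VPN addresses here FIRST; otherwise a burst
# of requests from yourself (debugging, replying to comments) can get you
# banned both locally and at CloudFlare, as in the scenario described above.
# 203.0.113.10 is a documentation-range placeholder; replace it with your IP.
ignoreip = 127.0.0.1/8 ::1 203.0.113.10

[nginx-http-auth]
enabled  = true
filter   = nginx-http-auth
logpath  = /var/log/nginx/error.log
maxretry = 5
findtime = 600
bantime  = 3600
# Ban locally AND push the ban to CloudFlare's firewall via the stock
# cloudflare action (cfuser = CloudFlare account email, cftoken = API key).
# Both values are placeholders here.
action   = iptables-multiport[name=nginx-http-auth, port="http,https"]
           cloudflare[cfuser="you@example.com", cftoken="REPLACE_WITH_API_KEY"]
```

One caveat worth checking before enabling the local `iptables-multiport` line: when nginx sits behind CloudFlare, its logs show CloudFlare's edge addresses unless the real client IP is restored (for example with nginx's `ngx_http_realip_module` reading the `CF-Connecting-IP` header). Without that, a ban fired by the log filter blocks a CloudFlare edge at your firewall, which is exactly the origin-unreachable 522 this post is about.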

Hey Mika.

I’ve been experimenting with options for global caching. I discovered this service: http://section.io.

Section offers global varnish service. It’s different from cloudflare, but the promised results are similar.

One cool thing: they are very approachable. When I was visiting their site, one of those little chat boxes with a service rep popped up. The rep asked me if I had questions. I asked the question, and the rep wasn’t sure how to answer them. So he arranged a skype conversation between me and one of their engineers.

The engineer spent a good amount of time with me, answering my questions and helping me to understand how their service works and how it could work for me.

I’d suggest checking them out.
