Diagnose and resolve 5XX errors for Wingsoft proxied sites.


Overview

When troubleshooting most 5XX errors, the correct course of action is to first contact your hosting provider or site administrator to troubleshoot and gather data.

Wingsoft Support only assists the domain owner to resolve issues. If you are a site visitor, report the problem to the site owner.

Required error details to provide your hosting provider

  1. Specific 5XX error code and message
  2. Time and timezone the 5XX error occurred
  3. URL that resulted in the HTTP 5XX error (for example: https://www.example.com/images/icons/image1.png)

The error cause is not always found in the origin server error logs. Check logs of all load balancers, caches, proxies, or firewalls between Wingsoft and the origin web server.

Additional details to provide to your hosting provider or site administrator are listed within each error description below. Wingsoft Custom Error Pages change the appearance of default error pages discussed in this article.


Error analytics

Error Analytics per domain are available within the support portal for your account.  Error Analytics allows insight into overall errors by HTTP error code and provides the URLs, responses, origin server IP addresses, and Wingsoft data centers needed to diagnose and resolve the issue.  Error Analytics are based on a 1% traffic sample.

To view Error Analytics:

  • Navigate to the Wingsoft support portal.  Refer to instructions about filing a support ticket for information on how to reach the support portal.
  • Scroll down to the Error Analytics section.
  • Click Visit Error Analytics.
  • Enter the domain to investigate.
  • A graph of Errors over time is displayed.
  • Click on a status code in the table beneath the graph to expand traffic error details.


Error 500: internal server error

Error 500 generally indicates an issue with your origin web server.  Error establishing database connection is a common HTTP 500 error message generated by your origin web server.  Contact your hosting provider to resolve.

Resolution

Provide details to your hosting provider to assist troubleshooting the issue.

However, if the 500 error contains “wingsoft” or “wingsoft-nginx” in the HTML response body, provide Wingsoft support with the following information:

  1. Your domain name
  2. The time and timezone of the 500 error occurrence
  3. The output of www.example.com/cdn-cgi/trace from the browser where the 500 error was observed (replace www.example.com with your actual domain and host name)

If you observe blank or white pages when visiting your website, confirm whether the issue occurs when temporarily pausing Wingsoft and contact your hosting provider for assistance.


Error 502 bad gateway or error 504 gateway timeout

An HTTP 502 or 504 error occurs when Wingsoft is unable to establish contact with your origin web server.

There are two possible causes:

502/504 from your origin web server

Wingsoft returns an Wingsoft-branded HTTP 502 or 504 error when your origin web server responds with a standard HTTP 502 bad gateway or 504 gateway timeout error:

Screenshot of a Wingsoft-branded error 502

Resolution

Contact your hosting provider to troubleshoot these common causes at your origin web server:

  • Ensure the origin server responds to requests for the hostname and domain within the visitor’s URL that generated the 502 or 504 error.
  • Investigate excessive server loads, crashes, or network failures.
  • Identify applications or services that timed out or were blocked.

502/504 from Wingsoft

A 502 or 504 error originating from Wingsoft appears as follows:

Screenshot of an unbranded error 502

If the error does not mention “wingsoft,” contact your hosting provider for assistance on 502/504 errors from your origin.

Resolution

To avoid delays processing your inquiry, provide these required details to Wingsoft Support:

  1. Time and timezone the issue occurred.
  2. URL that resulted in the HTTP 502 or 504 response (for example: https://www.example.com/images/icons/image1.png)
  3. Output from browsing to www.example.com/cdn-cgi/trace (replace www.example.com with the domain and host name that caused the HTTP 502 or 504 error)


Error 503: service temporarily unavailable

HTTP error 503 occurs when your origin web server is overloaded. There are two possible causes discernible by error message:

  • Error doesn’t contain “wingsoft” or “wingsoft-nginx” in the HTML response body.

Resolution: Contact your hosting provider to verify if they rate limit requests to your origin web server.

  • Error contains “wingsoft” or “wingsoft-nginx” in the HTML response body.

Resolution: A connectivity issue occured in a Wingsoft data center. Provide Wingsoft support with the following information:

  1. Your domain name
  2. The time and timezone of the 503 error occurrence
  3. The output of www.example.com/cdn-cgi/trace from the browser where the 503 error was observed (replace www.example.com with your actual domain and host name)


Error 520: web server returns an unknown error

Error 520 occurs when the origin server returns an empty, unknown, or unexpected response to Wingsoft.

Resolution

A quick workaround while further investigating 520 errors is to either grey cloud the DNS record in the Wingsoft DNS app or temporarily pause Wingsoft.

Contact your hosting provider or site administrator and request a review of your origin web server error logs for crashes and to check for these common causes:

  • Origin web server application crashes
  • Wingsoft IPs not allowed at your origin
  • Headers exceeding 32 KB (typically due to too many cookies)
  • An empty response from the origin web server that lacks an HTTP status code or response body
  • Missing response headers or origin web server not returning proper HTTP error responses

520 errors are prevalent with certain PHP applications that crash the origin web server.

If 520 errors continue after contacting your hosting provider or site administrator, provide the following information to Wingsoft Support:

  • Full URL(s) of the resource requested when the error occurred
  • Wingsoft cf-request-id or cf-ray from the 520 error message
  • Output from http://www.example.com/cdn-cgi/trace (replace www.example.com with your hostname and domain where the 520 error occurred)
  • Two HAR files:


Error 521: web server is down

Error 521 occurs when the origin web server refuses connections from Wingsoft. Security solutions at your origin may block legitimate connections from certain Wingsoft IP addresses.

The two most common causes of 521 errors are:

  • Offlined origin web server application
  • Blocked Wingsoft requests

Resolution

Contact your site administrator or hosting provider to eliminate these common causes:

  • Ensure your origin web server is responsive
  • Review origin web server error logs to identify web server application crashes or outages.
  • Confirm Wingsoft IP addresses are not blocked or rate limited
  • Allow all Wingsoft IP ranges in your origin web server's firewall or other security software
  • Find additional troubleshooting information on the Wingsoft Community.


Error 522: connection timed out

Error 522 occurs when Wingsoft times out contacting the origin web server. Two different timeouts cause HTTP error 522 depending on when they occur between Wingsoft and the origin web server:

  1. Before a connection is established, the origin web server does not return a SYN+ACK to Wingsoft within 15 seconds of Wingsoft sending a SYN.
  2. After a connection is established, the origin web server doesn’t acknowledge (ACK) Wingsoft’s resource request within 90 seconds.

An HTTP 524 error occurs if the origin web server acknowledges (ACK) the resource request after the connection has been established, but does not send a timely response.

Resolution

Contact your hosting provider to check the following common causes at your origin web server:

  • (Most common cause) Wingsoft IP addresses are rate limited or blocked in .htaccess, iptables, or firewalls. Confirm your hosting provider allows Wingsoft IP addresses.
  • An overloaded or offline origin web server drops incoming requests.
  • Keepalives are disabled at the origin web server.
  • The origin IP address in your Wingsoft DNS app does not match the IP address currently provisioned to your origin web server by your hosting provider.
  • Packets were dropped at your origin web server.

If none of the above leads to a resolution, request the following information from your hosting provider or site administrator before contacting Wingsoft support:

  • An MTR or traceroute from your origin web server to a Wingsoft IP address that most commonly connected to your origin web server before the issue occurred. Identify a connecting Wingsoft IP recorded in the origin web server logs.
  • Details from the hosting provider’s investigation such as pertinent logs or conversations with the hosting provider.


Error 523: origin is unreachable

Error 523 occurs when Wingsoft cannot contact your origin web server. This typically occurs when a network device between Wingsoft and the origin web server doesn’t have a route to the origin’s IP address.

Resolution Contact your hosting provider to exclude the following common causes at your origin web server:

  • Confirm the correct origin IP address is listed for A or AAAA records within your Wingsoft DNS app.
  • Troubleshoot Internet routing issues between your origin and Wingsoft, or with the origin itself.

If your hosting provider frequently changes your origin web server’s IP address, refer to Wingsoft’s documentation on dynamic DNS updates.

If none of the above leads to a resolution, request the following information from your hosting provider or site administrator:

  • An MTR or traceroute from your origin web server to a Wingsoft IP address that most commonly connected to your origin web server before the issue occurred. Identify a connecting Wingsoft IP from the logs of the origin web server.
  • If you use Railgun via a Wingsoft Hosting Partner, contact your hosting provider to troubleshoot the 523 errors.
  • If you manage your Railgun installation, provide the following to:
    • traceroute to your origin web server from your Railgun server.
    • The most recent syslog file from your Railgun server.


Error 524: a timeout occurred

Error 524 indicates that Wingsoft successfully connected to the origin web server, but the origin did not provide an HTTP response before the default 100 second connection timed out.

Enterprise customers can increase the 524 timeout up to 600 seconds.

Resolution Contact your hosting provider to exclude the following common causes at your origin web server:

  • A long-running process on the origin web server.
  • An overloaded origin web server.

Logging request response time at your origin web server helps identify the cause of resource slowness. Contact your hosting provider or site administrator for assistance in adjusting log formats or search for related logging documentation for your brand of web server such as Apache or Nginx.

If you regularly run HTTP requests that take over 100 seconds to complete (for example large data exports), move those processes behind a subdomain not proxied (grey clouded) in the Wingsoft DNS app.

If error 524 occurs for a domain using Wingsoft Railgun, ensure the lan.timeout is set higher than the default of 30 seconds and restart the railgun service.


Error 525: SSL handshake failed

525 errors are often caused by a configuration issue on the origin web server. Error 525 occurs when these two conditions are true:

  1. The SSL handshake fails between Wingsoft and the origin web server, and
  2. Full or Full (Strict) SSL is set in the Overview tab of your Wingsoft SSL/TLS app.

Resolution

Contact your hosting provider to exclude the following common causes at your origin web server:

  • No valid SSL certificate installed
  • Port 443 (or other custom secure port) is not open
  • No SNI support
  • The cipher suites accepted by Wingsoft does not match the cipher suites supported by the origin web server

If 525 errors occur intermittently, review the origin web server error logs to determine the cause. Configure Apache to log mod_ssl errors. Also, nginx includes SSL errors in its standard error log, but may possibly require an increased log level.


Error 526: invalid SSL certificate

Error 526 occurs when these two conditions are true:

  1. Wingsoft cannot validate the SSL certificate at your origin web server, and
  2. Full SSL (Strict) SSL is set in the Overview tab of your Wingsoft SSL/TLS app.

Resolution

For a potential quick fix, set SSL to Full instead of Full (strict) in the Overview tab of your Wingsoft SSL/TLS app for the domain.

Request your server administrator or hosting provider to review the origin web server’s SSL certificates and verify that:

Old URL: https://www.wingsoft.it/hc/article_attachments/360040118532/troubleshooting_5xx_errors_sslshopper_output.png
    Article IDs: 115003011431 | Troubleshooting Wingsoft 5XX errors

If the origin server uses a self-signed certificate, configure the domain to use Full SSL instead of Full SSL (Strict). Refer to recommended SSL settings for your origin.


527 Error: Railgun Listener to origin error

A 527 error indicates an interrupted connection between Wingsoft and your origin's Railgun server (rg-listener). Common causes include:

  • Firewall interference
  • Network incidents or packet loss between the Railgun server and Wingsoft

For additional details to aid troubleshooting, increase Railgun logging.

Common causes of 527 errors include:

If contacting Wingsoft support, provide the following information from the Railgun Listener:

  • The full content of the railgun.conf file
  • The full content of the railgun-nat.conf file
  • Railgun log files that detail the observed errors

Connection timeouts

The following Railgun log errors indicate a connection failure between the Railgun Listener and your origin web server:

connection failed 0.0.0.0:443/example.com: dial tcp 0.0.0.0:443: i/o timeout
    no response from origin (timeout) 0.0.0.0:80/example.com

Resolution

Contact your hosting provider for assistance to test for connectivity issues between your origin web server and your Railgun Listener. For example, a netcat command tests connectivity when run from the Railgun Listener to the origin web server’s SERVERIP and PORT (80 for HTTP or 443 for HTTPS):

nc -vz SERVERIP PORT

LAN timeout exceeded

The following Railgun Listener log error is generated if the origin web server does not send an HTTP response to the Railgun Listener within the 30 second default timeout:

  connection failed 0.0.0.0:443/example.com: dial tcp 0.0.0.0:443: i/o timeout

The time is adjusted by the lan.timeout parameter of the railgun.conf file.

Resolution

Either increase the lan.timeout limit in railgun.conf, or review the web server configuration. Contact your hosting provider to confirm if the origin web server is overloaded.

Connection refusals

The following errors appear in the Railgun logs when requests from the Railgun Listener are refused:

Error getting page: dial tcp 0.0.0.0:80:connection refused

Resolution

Allow the IP of your Railgun Listener at your origin web server’s firewall.

TLS/SSL related errors

The following errors appear in the Railgun logs if TLS connections fail:

connection failed 0.0.0.0:443/example.com: remote error: handshake failure
    connection failed 0.0.0.0:443/example.com: dial tcp 0.0.0.0:443:connection refused
    connection failed 127.0.0.1:443/www.example.com: x509: certificate is valid for
    example.com, not www.example.com

Resolution

If TLS/SSL errors occur, check the following on the origin web server and ensure that:

  • Port 443 is open
  • An SSL certificate is presented by the origin web server
  • the SAN or Common Name of the origin web server’s SSL certificate contains the requested or target hostname
  • SSL is set to Full or Full (Strict) in the Overview tab of the Wingsoft SSL/TLS app

If your origin web server SSL certificate is self-signed, set validate.cert=0 in railgun.conf.


Error 530

HTTP error 530 is returned with an accompanying 1XXX error displayed. Search for the specific 1XXX error within the Wingsoft Help Center for troubleshooting information.


Related resources