I use an Amazon CloudFront distribution to serve content. However, viewers receive a 504 error when they try to access the content through a web browser.
Resolution
CloudFront returns two types of 504 errors:
- "Gateway Time-out" errors occur when the origin returns the error and CloudFront passes it through to the viewer.
- "The request could not be satisfied" errors occur when the origin didn't respond to CloudFront in the allotted time frame and the request expired.
504: "Gateway Time-out" error
To troubleshoot a 504 error from the origin server, take the following actions:
- Check the origin server logs to identify specific errors or issues.
- Make sure that the server has sufficient resources (CPU, memory, disk space) to handle incoming requests.
- Adjust the server's timeout settings to allow more time to process requests. Also, review and optimize database queries.
- Check for network issues or bandwidth limitations on your origin server. Also, verify whether your Internet Service Provider (ISP) is experiencing an outage. Contact your ISP for assistance and updates.
- If your application relies on third-party services or APIs, then reach out to the third-party support team. Check if there are service outages or issues.
- Set up long-running connections on your origin server. These persistent connections help reduce latency when connections must be re-established for subsequent requests.
- If your origin is an Application Load Balancer, then troubleshoot the Application Load Balancer 504 error.
For more information, see HTTP 504 status code (Gateway Timeout).
504: "The request could not be satisfied" error
Verify that the origin server allows connections from CloudFront
Make sure that the origin server allows inbound traffic from CloudFront on port 443, 80, or on a custom port. For Application Load Balancer or Amazon Elastic Compute Cloud (Amazon EC2) origins, use the CloudFront managed prefix list to allow inbound traffic to security groups. The security groups must also allow the required ports.
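The following added example (not part of the original article) audits security group rules for the check described above: for each origin port, it reports whether ingress is allowed through the CloudFront managed prefix list and whether the port is also open to every address. The input is a constructed sample shaped like the output of aws ec2 describe-security-groups; the IDs sg-EXAMPLE and pl-EXAMPLE are placeholders, and the function names are hypothetical.

```python
import json

# Constructed sample shaped like `aws ec2 describe-security-groups` output.
# "pl-EXAMPLE" is a placeholder: look up the real ID of the managed prefix
# list com.amazonaws.global.cloudfront.origin-facing in your Region.
SAMPLE = json.loads("""
{"SecurityGroups": [{"GroupId": "sg-EXAMPLE", "IpPermissions": [
  {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
   "IpRanges": [], "PrefixListIds": [{"PrefixListId": "pl-EXAMPLE"}]},
  {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
   "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "PrefixListIds": []},
  {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
   "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "PrefixListIds": []}
]}]}
""")


def covers(perm, port):
    """True if an ingress rule applies to the given TCP port."""
    if perm["IpProtocol"] == "-1":  # all protocols, all ports
        return True
    if perm["IpProtocol"] != "tcp":
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def audit_origin_ports(groups, prefix_list_id, ports):
    """Per port: allowed via the prefix list? open to every address?"""
    report = {}
    for port in ports:
        via_prefix_list = open_to_world = False
        for group in groups["SecurityGroups"]:
            for perm in group.get("IpPermissions", []):
                if not covers(perm, port):
                    continue
                if any(p["PrefixListId"] == prefix_list_id
                       for p in perm.get("PrefixListIds", [])):
                    via_prefix_list = True
                cidrs = [r.get("CidrIp") for r in perm.get("IpRanges", [])]
                cidrs += [r.get("CidrIpv6") for r in perm.get("Ipv6Ranges", [])]
                if "0.0.0.0/0" in cidrs or "::/0" in cidrs:
                    open_to_world = True
        report[port] = {"prefix_list": via_prefix_list, "world": open_to_world}
    return report


if __name__ == "__main__":
    for port, result in audit_origin_ports(SAMPLE, "pl-EXAMPLE", [80, 443]).items():
        print(port, result)
```

A port where both values are False is not reachable from CloudFront and is a candidate cause of the 504 error. A port where world is True is reachable but is not limited to CloudFront.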
Check whether your origin server is accessible over the internet
If CloudFront can't access your origin over the internet, you receive the 504 error. For more information on HTTP and HTTPS configuration, see Make your custom origin server accessible on the internet.
If you use a firewall, then verify that the firewall allows traffic for port 443 and 80
If you use Red Hat Linux, then to view existing firewall rules, run the following command:
$ sudo firewall-cmd --permanent --zone=public --list-ports
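To allow port 80 and port 443, run the following commands. Rules added with --permanent take effect only after the firewall is reloaded:
$ sudo firewall-cmd --permanent --zone=public --add-port=80/tcp
$ sudo firewall-cmd --permanent --zone=public --add-port=443/tcp
$ sudo firewall-cmd --reload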
If you use Ubuntu Linux, then to view existing firewall rules, run the following command:
$ sudo ufw status verbose
To allow port 80 and port 443, run the following commands:
$ sudo ufw allow 80
$ sudo ufw allow 443
If you use a Windows server, then see Add or edit firewall rule on the Microsoft website.
Check if iptables rules are blocking the request
To view the existing iptables rules, run the following command:
sudo iptables -L -v -n
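To allow port 80 and port 443, run the following commands. The -A option appends each rule to the end of the INPUT chain, so confirm in the rule listing that no earlier rule drops or rejects the traffic first: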
sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT
Check the latency from the origin server to CloudFront
To check the latency from the origin to CloudFront, turn on the Origin latency metric.
Or, to measure the responsiveness of your web application, run the following command:
curl -w "DNS Lookup Time: %{time_namelookup} \nConnect time: %{time_connect} \nTLS Setup: %{time_appconnect} \nRedirect Time: %{time_redirect} \nTime to first byte: %{time_starttransfer} \nTotal time: %{time_total} \n" -o /dev/null https://www.example.com/yourobject
Note: Replace https://www.example.com/yourobject with your webpage URL.
The output looks similar to the following example:
DNS Lookup Time: 0.212319
Connect time: 0.371254
TLS Setup: 0.544175
Redirect Time: 0.000000
Time to first byte: 0.703863
Total time: 0.703994
Adjust the Origin timeout value in CloudFront
By default, CloudFront waits up to 30 seconds for a response from the origin (three connection attempts of 10 seconds each). You can adjust the origin response timeout for your distribution.
Related information
Limit access to your origins using the AWS managed prefix list for Amazon CloudFront