How do I troubleshoot 504 errors in CloudFront?


I use an Amazon CloudFront distribution to serve content. However, viewers receive a 504 error when they try to access the content through a web browser.

Resolution

CloudFront returns two types of 504 errors:

  • Gateway Time-out errors occur when the error is returned by the origin, and then it's passed through CloudFront to the viewer.
  • The request could not be satisfied errors occur when the origin didn't respond to CloudFront in the allotted time frame and the request expired.

504: "Gateway Time-out" error

To troubleshoot a 504 error from the origin server, take the following actions:

  • Check the origin server logs to identify specific errors or issues.
  • Make sure that the server has sufficient resources (CPU, memory, disk space) to handle incoming requests.
  • Adjust the server's timeout settings to allow more time to process requests. Also, review and optimize database queries.
  • Check for network issues or bandwidth limitations on your origin server. Also, verify whether your Internet Service Provider (ISP) is experiencing an outage. Contact your ISP for assistance and updates.
  • If your application relies on third-party services or APIs, then contact the third party's support team to check whether there are service outages or issues.
  • Set up long-running connections on your origin server. These persistent connections help reduce latency when connections must be re-established for subsequent requests.
  • If your origin is an Application Load Balancer, then troubleshoot the Application Load Balancer 504 error.

For more information, see HTTP 504 status code (Gateway Timeout).

504: "The request could not be satisfied" error

Verify that the origin server allows connections from CloudFront

Make sure that the origin server allows inbound traffic from CloudFront on port 443, 80, or on a custom port. For Application Load Balancer or Amazon Elastic Compute Cloud (Amazon EC2) origins, use the CloudFront managed prefix list to allow inbound traffic to security groups. The security groups must also allow the required ports.

Check whether your origin server is accessible over the internet

If CloudFront can't access your origin over the internet, you receive the 504 error. For more information on HTTP and HTTPS configuration, see Make your custom origin server accessible on the internet.

If you use a firewall, then verify that the firewall allows traffic for port 443 and 80

If you use Red Hat Linux, then to view existing firewall rules, run the following command:

$ sudo firewall-cmd --permanent --zone=public --list-ports

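To allow port 80 and port 443, run the following commands. Rules added with --permanent apply only after firewalld reloads its configuration, so the last command reloads it:

$ sudo firewall-cmd --permanent --zone=public --add-port=80/tcp
$ sudo firewall-cmd --permanent --zone=public --add-port=443/tcp
$ sudo firewall-cmd --reload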

If you use Ubuntu Linux, then to view existing firewall rules, run the following command:

$ sudo ufw status verbose

To allow port 80 and port 443, run the following commands:

$ sudo ufw allow 80
$ sudo ufw allow 443

If you use a Windows server, then see Add or edit firewall rule on the Microsoft website.

Check if iptables rules are blocking the request

To view the existing iptables rules, run the following command:

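$ sudo iptables -L -v -n

To allow port 80 and port 443, run the following commands. The -A option appends each rule to the end of the INPUT chain, so an earlier DROP or REJECT rule that matches the same traffic still takes effect. Check the rule order in the listing from the previous command:

$ sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT
$ sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT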

Check the latency from the origin server to CloudFront

To check the latency from the origin to CloudFront, turn on the Origin latency metric.

Or, to measure the responsiveness of your web application, run the following command:

curl -w "DNS Lookup Time: %{time_namelookup} \nConnect time: %{time_connect} \nTLS Setup: %{time_appconnect} \nRedirect Time: %{time_redirect} \nTime to first byte: %{time_starttransfer} \nTotal time: %{time_total} \n" -o /dev/null https://www.example.com/yourobject

Note: Replace https://www.example.com/yourobject with your webpage URL.

The output looks similar to the following example:

DNS Lookup Time: 0.212319
Connect time: 0.371254
TLS Setup: 0.544175
Redirect Time: 0.000000
Time to first byte: 0.703863
Total time: 0.703994

Adjust the Origin timeout value in CloudFront

By default, CloudFront waits up to 30 seconds for a response from the origin (three connection attempts of 10 seconds each). You can adjust the origin response timeout for your distribution.
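
The timers in the curl output above are cumulative, so they need to be split into phases before they can be compared with the origin timeouts. The following script is an added example, not AWS code: `classify_timing` and `sample_slow_origin` are hypothetical names, the sample input is constructed, and the limits (10 seconds per connection attempt, 30 seconds for the response) are assumptions taken from the defaults quoted above.

```shell
#!/usr/bin/env bash
# Added example (not AWS code): split curl's cumulative timers into phases and
# compare them with the origin timeouts. Limits are assumptions taken from the
# defaults quoted on this page: 10 s per connection attempt, 30 s response.

classify_timing() {   # usage: classify_timing [connect_limit] [response_limit] < curl_output
  awk -F': *' -v climit="${1:-10}" -v rlimit="${2:-30}" '
    /^DNS Lookup Time/    { dns  = $2 + 0 }
    /^Connect time/       { conn = $2 + 0 }
    /^TLS Setup/          { tls  = $2 + 0 }
    /^Time to first byte/ { ttfb = $2 + 0; seen = 1 }
    END {
      if (!seen) { print "verdict=incomplete"; exit 2 }
      tcp  = conn - dns                       # TCP handshake only
      hs   = (tls > 0) ? tls - conn : 0       # time_appconnect is 0 for plain HTTP
      wait = ttfb - ((tls > 0) ? tls : conn)  # origin processing until first byte
      printf "tcp=%.3f tls=%.3f origin_wait=%.3f ", tcp, hs, wait
      if      (tcp  >= climit)       print "verdict=connect-timeout"
      else if (wait >= rlimit)       print "verdict=response-timeout"
      else if (wait >= 0.8 * rlimit) print "verdict=near-response-timeout"
      else                           print "verdict=ok"
    }'
}

# Constructed sample: an origin that connects quickly but answers after ~31 s.
sample_slow_origin() {
  printf '%s\n' 'DNS Lookup Time: 0.020000 ' 'Connect time: 0.050000 ' \
    'TLS Setup: 0.120000 ' 'Redirect Time: 0.000000 ' \
    'Time to first byte: 31.400000 ' 'Total time: 31.410000 '
}

sample_slow_origin | classify_timing
```

To use it on a live measurement, pipe the output of the curl command above into `classify_timing`, and pass your distribution's configured values as the two arguments if they differ from the defaults.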

Related information

Limit access to your origins using the AWS managed prefix list for Amazon CloudFront

AWS OFFICIAL
Updated 2 months ago