Whitelist Cloudflare IP address for Lightsail instance

0

We are running a Lightsail instance with Moodle with the domain set up using Cloudflare, with the domain redirected to the static IP address assigned to our Lightsail instance. We are having an issue with the Cloudflare IP addresses being blocked. We have added the IP address ranges under Networking for our Lightsail by editing the HTTP firewall rules for the IPv4 Firewall. However, when we try to access the website, Cloudflare can't connect. Have we done this correctly, or not, or is there another step in the process we missed?

Quintin
asked 2 months ago · 174 views
2 Answers
0
  1. Set up as per these instructions: https://docs.aws.amazon.com/en_us/lightsail/latest/userguide/amazon-lightsail-editing-firewall-rules.html
  2. It has worked fine until a few hours ago.
  3. See Point 2 above.
  4. Proxying is enabled on Cloudflare to provide SSL certificate and handle https.
  5. Cloudflare is returning a 522: Connection timed out error.
  6. Need to confirm this.
  7. Need to confirm this.
  8. There were no issues accessing the site using the allocated Public IP address prior to pointing the domain set up in Cloudflare to the Public IP address.
  9. I followed the instructions listed in Step 1, so I would assume it is set up correctly.
Quintin
answered 2 months ago
  • The 522 error from Cloudflare indicates a connectivity problem between Cloudflare's servers and your Lightsail instance. This error typically means that Cloudflare is unable to establish a TCP connection to your server.

  • Here are a series of steps and additional considerations to troubleshoot and potentially resolve this issue:

    • Double-check that all Cloudflare IP ranges are correctly entered in your Lightsail firewall rules. Also this.
    • Confirm that the DNS settings in Cloudflare correctly point to your Lightsail instance's static IP.
    • Verify that your server is listening on ports 80 and 443 and that these ports are open in your Lightsail firewall. Cloudflare's proxy service works over these standard HTTP/HTTPS ports.
  • We are not getting a 521 error from Cloudflare. We have double-checked that the IP addresses for Cloudflare are correct. We've also removed the IP restrictions in an effort to eliminate this as the issue. The DNS in Cloudflare is correctly pointing to our instance's Static IP address. HTTP (Port 80) and HTTPS (Port 443) are both set to "Any IPv4 address" (no IP restrictions).

0

Based on the situation you've described, it seems like you're encountering connectivity issues between Cloudflare and your AWS Lightsail instance hosting Moodle. Here are a series of questions you could ask to debug this issue further:

  1. Have you confirmed that the IP address ranges for Cloudflare have been correctly updated in the AWS Lightsail firewall rules? This ensures that you're allowing traffic from all Cloudflare IPs.

  2. Did you check the Cloudflare DNS settings to ensure that the DNS records are correctly pointing to the Lightsail instance's IP address? Sometimes, the issue might be due to incorrect DNS configurations.

  3. Are there any security groups or network ACLs in place that might be blocking inbound or outbound connections to and from the Cloudflare IP addresses, beyond the Lightsail firewall? Although Lightsail instances are somewhat insulated, checking for any additional layers of network security you might have configured is essential.

  4. Have you enabled Cloudflare's proxy status (orange cloud) for the DNS records pointing to your Lightsail instance, or are they set to DNS only (grey cloud)? The proxy status can affect how traffic is routed through Cloudflare.

  5. Is there any specific error message provided by Cloudflare when trying to access the website, such as a 521, 522, or another HTTP error code? These error codes can provide more insight into the nature of the connectivity issue.

  6. Have you looked into the Cloudflare Firewall event log to see if it provides any clues about the traffic being blocked or challenged? This can help identify if Cloudflare itself is blocking requests to your Lightsail instance.

  7. Is the SSL/TLS configuration set up correctly on both Cloudflare and your Lightsail instance? Mismatches or misconfigurations in SSL modes (e.g., Flexible, Full, Strict) can cause connection issues.

  8. Have you tried temporarily pausing Cloudflare on your site to see if direct access to your Lightsail IP works? This can help determine if the issue is with Cloudflare or with the server setup.

  9. Did you ensure that your Lightsail instance is correctly configured to serve traffic over the ports that Cloudflare proxies (HTTP/HTTPS - ports 80 and 443)? Sometimes, the server might be configured to listen on non-standard ports.

EXPERT
answered 2 months ago
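Both answers above come down to the same two checks: does the Lightsail firewall allow every Cloudflare edge range on TCP 80 and 443, and does a given connection actually pass the rules you have. The script below is an added example, not code from the question or either answer, that does both offline. It carries a snapshot of Cloudflare's published IPv4 list (https://www.cloudflare.com/ips-v4) as the author of this example recorded it, so re-fetch that list before applying anything; the admin address `203.0.113.10/32` and the function names are hypothetical. The generated JSON is in the shape `aws lightsail put-instance-public-ports --port-infos file://ports.json` expects; note that this call replaces the instance's entire rule set, which is why the SSH rule is emitted alongside 80/443.

```python
import ipaddress
import json

# Snapshot of Cloudflare's published IPv4 ranges (https://www.cloudflare.com/ips-v4)
# as recorded by the author of this example. The list changes over time, so
# fetch it fresh before applying rules to a real instance.
CLOUDFLARE_IPV4 = [
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
]

# Hypothetical administrator address for the SSH rule (documentation range).
ADMIN_CIDR = "203.0.113.10/32"


def port_infos(web_cidrs, admin_cidr):
    """Build the portInfos list for `aws lightsail put-instance-public-ports`.

    That call replaces the instance's whole rule set, so the SSH rule is
    included here; submitting only 80/443 would lock you out of the box.
    """
    infos = []
    for port in (80, 443):
        infos.append({"fromPort": port, "toPort": port, "protocol": "tcp",
                      "cidrs": list(web_cidrs)})
    infos.append({"fromPort": 22, "toPort": 22, "protocol": "tcp",
                  "cidrs": [admin_cidr]})
    return infos


def uncovered(required_cidrs, allowed_cidrs):
    """Return the required ranges that no allowed rule fully contains.

    A hand-typed rule set often has one range missing or mistyped; a
    Cloudflare edge in that range then gets a TCP timeout and the visitor
    sees a 522 even though "the Cloudflare IPs were added".
    """
    allowed = [ipaddress.ip_network(c, strict=False) for c in allowed_cidrs]
    missing = []
    for c in required_cidrs:
        need = ipaddress.ip_network(c, strict=False)
        if not any(need.subnet_of(a) for a in allowed if a.version == need.version):
            missing.append(c)
    return missing


def is_allowed(infos, src_ip, port, protocol="tcp"):
    """Simulate the Lightsail firewall decision for one inbound connection."""
    ip = ipaddress.ip_address(src_ip)
    for rule in infos:
        if rule["protocol"] not in (protocol, "all"):
            continue
        if not rule["fromPort"] <= port <= rule["toPort"]:
            continue
        for c in rule.get("cidrs", []) + rule.get("ipv6Cidrs", []):
            if ip in ipaddress.ip_network(c, strict=False):
                return True
    return False


if __name__ == "__main__":
    rules = port_infos(CLOUDFLARE_IPV4, ADMIN_CIDR)
    # Save this output as ports.json, then:
    #   aws lightsail put-instance-public-ports --instance-name <name> \
    #       --port-infos file://ports.json
    print(json.dumps(rules, indent=2))
    web_allowed = [c for r in rules if r["fromPort"] == 443 for c in r["cidrs"]]
    print("uncovered Cloudflare ranges:", uncovered(CLOUDFLARE_IPV4, web_allowed))
```

If `uncovered()` returns an empty list and every Cloudflare address you try is accepted on 443, the Lightsail firewall is not what is producing the 522, and the next things to check are the ones the expert answer lists: whether the web server is actually listening on 80 and 443 on the instance, whether any host firewall on the instance itself (for example ufw or iptables) is dropping the connections, and whether the Cloudflare SSL mode matches what the origin serves. Keeping the origin restricted to Cloudflare's ranges, rather than "Any IPv4 address", is worth the effort once the rules are right: otherwise anyone who learns the static IP can reach Moodle directly and bypass every Cloudflare control in front of it.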
