Question

website and droplet is inaccessible via https and ssh port while droplet is still running

My website is hosted at digitalocean droplet. I use ssh to access the VM. Website uses Cloudflare for CDN. I notice the website is inaccessible via web browser (522 error) and denied new ssh sessions few days ago. I have another PC with an existing ssh session to the droplet. (The PC never shutdown for troubleshooting purposes) I had to stop the firewall (# systemctl stop firewalld) then the website is up and running, and able to access ssh from new session.

After web and ssh is up, I turn on the firewall (# systemctl start firewalld) but the disconnection happenes again after few hours, I had to disable the firewall and it will work again. This just started one month ago. Please help on this.


Submit an answer


This textbox defaults to using Markdown to format your answer.

You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!

Sign In or Sign Up to Answer

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

alexdo
Site Moderator
Site Moderator badge
December 7, 2023

Heya, @dannyaung

On top of what’s already mentioned there might be a limit to the max concurrent connections to the server, also the already established connections are likely to not be affected by the firewall change until the ssh daemon is restarted.

Hope that this helps!

KFSys
Site Moderator
Site Moderator badge
December 7, 2023

Heya @dannyaung,

This means the issue is with your firewall. Additionally, the 522 error typically indicates that Cloudflare is unable to establish a TCP connection to your server, which can be caused by a firewall blocking the necessary ports.

When firewalld is running, you should check the existing firewall rules to ensure they’re correctly set up to allow HTTP/HTTPS traffic (ports 80 and 443) and SSH traffic (port 22 by default).

sudo firewall-cmd --list-all
  • Ensure that the rules allow traffic from Cloudflare’s IP ranges. Cloudflare publishes its IP ranges, and you need to allow these IPs to communicate with your server or just allow ports 80 and 443 by default. This list is available on the Cloudflare website. You’ll need to add rules to firewalld to allow traffic from these IPs.

Try DigitalOcean for free

Click below to sign up and get $200 of credit to try our products over 60 days!

Sign up

Featured on Community

Get our biweekly newsletter

Sign up for Infrastructure as a Newsletter.

Hollie's Hub for Good

Working on improving health and education, reducing inequality, and spurring economic growth? We'd like to help.

Become a contributor

Get paid to write technical tutorials and select a tech-focused charity to receive a matching donation.

Welcome to the developer cloud

DigitalOcean makes it simple to launch in the cloud and scale up as you grow — whether you're running one virtual machine or ten thousand.

Learn more