gh-daymade-claude-code-skills-cloudflare-troubleshooting/skills/cloudflare-troubleshooting/references/common_issues.md

Common Cloudflare Issues and Solutions

Redirect Loop Errors (ERR_TOO_MANY_REDIRECTS)

Symptom

Browser displays "This page isn't working" or "ERR_TOO_MANY_REDIRECTS"

Common Causes

1. SSL Mode Mismatch (Most Common)

Scenario: Origin server enforces HTTPS, but Cloudflare SSL mode is "Flexible"

Explanation:

• Browser → HTTPS → Cloudflare
• Cloudflare → HTTP → Origin Server (because of Flexible mode)
• Origin Server → Redirects to HTTPS (because it enforces HTTPS)
• Infinite loop

Affected Platforms:

• GitHub Pages
• Netlify
• Vercel
• Heroku
• Most modern hosting platforms

Solution: Change SSL mode from "Flexible" to "Full" or "Full (strict)"

# Diagnose
python scripts/check_cloudflare_config.py example.com user@example.com API_KEY

# Fix
python scripts/fix_ssl_mode.py example.com user@example.com API_KEY full --purge-cache

2. Conflicting Page Rules

Scenario: Multiple redirect rules that conflict with each other

Solution:

• Review Page Rules in Cloudflare Dashboard
• Remove conflicting "Always Use HTTPS" or "Forwarding URL" rules
• Ensure redirect rules don't create loops

3. Origin Server Misconfiguration

Scenario: Origin server has incorrect redirect rules in .htaccess or nginx config

Solution:

• Check origin server configuration
• Verify redirects don't conflict with Cloudflare settings
• Test direct origin access (bypass Cloudflare)

Resolution Steps

1. Check SSL mode:

   curl -X GET "https://api.cloudflare.com/client/v4/zones/ZONE_ID/settings/ssl" \
     -H "X-Auth-Email: email" \
     -H "X-Auth-Key: key"
   

2. Fix SSL mode if needed:

   python scripts/fix_ssl_mode.py domain.com email API_KEY full
   

3. Purge cache:

   curl -X POST "https://api.cloudflare.com/client/v4/zones/ZONE_ID/purge_cache" \
     -H "X-Auth-Email: email" \
     -H "X-Auth-Key: key" \
     -d '{"purge_everything":true}'
   

4. Clear browser cache or use incognito mode

---

DNS Resolution Issues

Symptom

Website not accessible or showing old content

Common Causes

1. DNS Not Propagated

Solution: Wait 24-48 hours for full DNS propagation

Check propagation:

dig domain.com
nslookup domain.com

2. Incorrect DNS Records

Solution:

• Verify A/AAAA/CNAME records point to correct IPs
• For GitHub Pages: Use A records to GitHub IPs or CNAME to username.github.io
• Ensure "Proxied" status matches requirements

3. DNSSEC Issues

Solution:

• Check DNSSEC status in Cloudflare Dashboard
• Verify DS records at registrar match Cloudflare's DNSSEC settings

---

SSL/TLS Certificate Errors

Symptom

"Your connection is not private" or "NET::ERR_CERT_COMMON_NAME_INVALID"

Common Causes

1. Universal SSL Certificate Provisioning Delay

Solution: Wait 15-30 minutes for Cloudflare to provision certificate

2. CAA Records Blocking Certificate Issuance

Solution:

• Check CAA records
• Ensure CAA allows Let's Encrypt: letsencrypt.org or Cloudflare CAs

3. Full (Strict) Mode with Invalid Origin Certificate

Solution:

• Use "Full" mode instead of "Full (strict)" if origin cert is self-signed
• Or install valid certificate on origin server

---

Performance Issues

Symptom

Slow page load times despite using Cloudflare

Common Causes

1. Cache Not Configured

Solution:

• Enable Auto Minify (JS, CSS, HTML)
• Set up Page Rules for cache levels
• Configure Browser Cache TTL

2. Large Assets Not Optimized

Solution:

• Enable Cloudflare Image Optimization
• Use WebP format
• Implement lazy loading

3. Too Many Uncached Requests

Solution:

• Review cache analytics
• Add cache rules for static assets
• Use Cloudflare Workers for dynamic caching

---

Access Denied / 403 Errors

Symptom

"Error 1020: Access Denied" or generic 403

Common Causes

1. Firewall Rules Blocking Traffic

Solution:

• Review Firewall Rules in Security → WAF
• Check IP Access Rules
• Verify Managed Rulesets aren't too strict

2. Rate Limiting

Solution:

• Check Rate Limiting rules
• Adjust thresholds if legitimate traffic is blocked

3. Browser Integrity Check

Solution:

• Disable "Browser Integrity Check" if needed
• Found in: Security → Settings

---

Origin Server Errors (502/503/504)

Symptom

"502 Bad Gateway" or "504 Gateway Timeout"

Common Causes

1. Origin Server Down

Solution:

• Verify origin server is running
• Check origin server logs
• Test direct IP access

2. Origin SSL Certificate Invalid (Full Strict mode)

Solution:

• Switch to "Full" mode temporarily
• Fix origin certificate
• Or use Cloudflare Origin Certificate

3. Timeout Issues

Solution:

• Increase origin server timeout settings
• Optimize slow queries/code
• Consider using Cloudflare Workers for timeouts

---

Page Rules Not Working

Symptom

Page Rules don't seem to apply

Common Causes

1. Rule Order

Solution: Page Rules are executed top-to-bottom; reorder if needed

2. Pattern Matching Issues

Solution:

• Use * for wildcards correctly
• Test patterns: example.com/* vs *example.com/*

3. Cache Already Set

Solution: Purge cache after creating/modifying Page Rules

---

Troubleshooting Workflow

Step 1: Identify the Issue

• Collect error messages and codes
• Note when issue started
• Check if issue is intermittent or consistent

Step 2: Check Cloudflare Status

• Visit https://www.cloudflarestatus.com
• Verify no ongoing incidents

Step 3: Run Diagnostics

python scripts/check_cloudflare_config.py domain.com email API_KEY

Step 4: Review Recent Changes

• Check Cloudflare Audit Log
• Review recent DNS/SSL/Page Rule changes

Step 5: Test Bypass

• Temporarily set DNS to "DNS Only" (grey cloud)
• Test if issue persists without Cloudflare

Step 6: Apply Fixes

• Implement specific solutions based on diagnosis
• Purge cache after changes
• Test in incognito/private mode

Step 7: Monitor

• Verify fix works consistently
• Check analytics for any anomalies
• Document solution for future reference