Fixing 525 and 520 errors from Cloudflare

I was getting 525 and 520 errors on a number of assets, mostly .svg files, not always the same ones.  So I thought I’d find out a bit more about what was going on and see what I could do to solve this.

Cloudflare describes a 525 as “SSL handshake failed”, and suggested looking at the certificate on my origin server.  Well, it occurred to me that I don’t actually have a certificate on my (cheapo shared hosting) origin server.  And yes, Cloudflare crypto was set to “Full”.  So I scratched my head for a little while, wondering how this ever worked, and then decided to try changing it to “Flexible”, which seemed far more logical. And all was well, for about 2-3 mins.  Then I got the dreaded redirect loop!

I did a lot of digging around, as there are a number of suggestions worth trying, but these are the steps that worked for me (and the order can be quite important!)…

1) In Cloudflare, go to the “Crypto” section and set the SSL back to “Full” (so that I could access the WordPress admin pages again)

2) Add the following lines to your “wp-config.php” file:

define('FORCE_SSL_ADMIN', true);
// Cloudflare passes the visitor's scheme in X-Forwarded-Proto.
// isset() avoids a PHP warning on requests that arrive without the header.
if (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && strpos($_SERVER['HTTP_X_FORWARDED_PROTO'], 'https') !== false) {
  $_SERVER['HTTPS'] = 'on';
}

(The first line tells the admin pages to always use HTTPS. The second part picks up a header that Cloudflare uses to indicate that the connection it is forwarding is HTTPS, and switches HTTPS on in WordPress accordingly, so that the right cookies and everything else are passed through in the right way.)

3) In your admin pages, go to Settings > General and set the WordPress Address (URL) to start with “http://” – if you still can’t access the admin pages, you could instead add this line to your “wp-config.php” file:

define('WP_SITEURL','http://www.riklewis.com');

4) Also in Settings > General, set the Site Address (URL) to start with “https://” – if you still can’t access the admin pages, you could instead add this line to your “wp-config.php” file:

define('WP_HOME','https://www.riklewis.com');

5) In Cloudflare, go to the “Crypto” section and set the SSL to “Flexible”

6) In Cloudflare, also in the “Crypto” section, set Always Use HTTPS to “On” – this can alternatively be done with a page rule, if you don’t want it applied to your whole website (although it would be best if you did!)
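
The X-Forwarded-Proto check added to the WordPress config above believes the header from any client, including one that connects to the origin directly and sends the header itself. The following is an added example, not code from the original post: a stricter variant that honours the header only when the connecting peer is a known proxy. The function names are hypothetical, the two ranges are documentation placeholders to be replaced with the IPv4 ranges Cloudflare publishes, and it assumes the host exposes the proxy's address as REMOTE_ADDR.

```php
// Added example for wp-config.php; replaces the simple header check.
// ASSUMPTION: placeholder ranges (documentation blocks). Replace them with
// the IPv4 ranges Cloudflare publishes for its edge network.
$trusted_proxies = array('203.0.113.0/24', '198.51.100.0/24');

// True when IPv4 address $ip falls inside the CIDR block $cidr.
function example_ip_in_cidr($ip, $cidr) {
    list($net, $bits) = explode('/', $cidr);
    $ip_long  = ip2long($ip);
    $net_long = ip2long($net);
    if ($ip_long === false || $net_long === false) {
        return false; // not IPv4 (for example an IPv6 peer): do not trust
    }
    $bits = (int) $bits;
    $mask = $bits === 0 ? 0 : (~0 << (32 - $bits)) & 0xFFFFFFFF;
    return ($ip_long & $mask) === ($net_long & $mask);
}

// True when the directly connected peer is one of the trusted proxies.
function example_from_trusted_proxy($remote_addr, $ranges) {
    foreach ($ranges as $cidr) {
        if (example_ip_in_cidr($remote_addr, $cidr)) {
            return true;
        }
    }
    return false;
}

$peer  = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '';
$proto = isset($_SERVER['HTTP_X_FORWARDED_PROTO'])
    ? strtolower(trim($_SERVER['HTTP_X_FORWARDED_PROTO'])) : '';

// Honour the header only from a trusted proxy, and only on an exact match
// (stricter than the substring test used in the original snippet).
if ($proto === 'https' && example_from_trusted_proxy($peer, $trusted_proxies)) {
    $_SERVER['HTTPS'] = 'on';
}
```

If the host sits behind its own reverse proxy, REMOTE_ADDR will be that proxy rather than Cloudflare, and the trusted list has to reflect that.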

After 2-3 mins again, the redirect loop was sorted and everything was working, no more 525 errors.  However, the 520 errors were still there.

Cloudflare describes a 520 as “Web server is returning an unknown error”, which is suitably vague.  After reading quite a bit on the support forums about it and getting nowhere fast, I decided to raise a help call.  After a pretty rubbish canned response and a tweet from me, it was actually my web host that pointed me in the direction of the solution.

They removed the Apache .htaccess file for that folder and told me it worked, so it must be a problem with that file.  They weren’t able (or willing) to help any further.  However, upon diving in I found all kinds of stuff in there from WP Rocket and other plugins, and by removing chunks at a time, I discovered that it was the GZIP (or DEFLATE) settings that seemed to be causing the problem.  Removing these has resolved the 520 errors.

I have updated the Cloudflare support ticket (and since the tweet from me I have had much better responses) and they can’t see any reason why removing these settings has resolved the problem, and suggested steps to investigate further.  I plan to do this and see how things unfold – if I get a more definitive answer, I’ll update the post later.

These are the steps that worked for me, but as they are based on how my origin server was responding to Cloudflare requests, your mileage may vary, depending on your own origin server provider/configuration.