Updated on 2024-11-05 GMT+08:00

Why Am I Seeing Error Code 523?

If a request goes through WAF over four times, WAF will block the request and return error code 523 to avoid endless loops. If error code 523 is returned for your website requests, check how many WAF instances you are using.

The following figure shows the traffic flow that may cause error code 523.

Cause 1: A website is connected to more than four WAF instances.

Error code 523 is returned if a website has been connected to different types of WAF instances, such as instances in cloud CNAME, dedicated, and cloud load balancer access modes, more than four times.

Solution

Route website traffic to bypass redundant WAF instances.

  1. Log in to the WAF management console.
  2. In the navigation pane on the left, choose Website Settings.
  3. Locate the website for which error code 523 is returned, retain one configuration, and delete the website from redundant WAF instances. For details, see Deleting a Website from WAF.

    To prevent service interruptions due to such deletions, perform the following operations before removing a website from WAF:

    Cloud mode: Go to your DNS provider and resolve your domain name to the IP address of the origin server. Otherwise, the traffic to your domain name cannot be routed to the origin server.

    Dedicated mode: Remove redundant WAF instances from the backend server group of the load balancer so that no requests are forwarded to those WAF instances. For details, see Changing a Backend Server Group.

Cause 2: A Third-party Interface That Uses Huawei Cloud WAF Was Called

When a request is forwarded to the third-party API, the headers and cookies are forwarded unchanged; only the host is modified. As a result, WAF keeps counting the request without clearing its historical records.

Solution

Modify the header field in the reverse proxy request. The operations are as follows:

This method can be used only when Nginx is deployed after WAF on the user traffic link.

  1. Use proxy_set_header to redefine the request header sent to the proxy server. Run the following command to open the Nginx configuration file:

    (The following command is used when Nginx is installed in the /opt/nginx/ directory. Change the directory based on your situation.)

    vi /opt/nginx/conf/nginx.conf

  2. Add proxy_set_header X-CloudWAF-Traffic-Tag 0 to the Nginx configuration file. The following is an example:

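    location ^~ /test/ {
        # ......
        # Rewrite the Host header for the proxied server.
        proxy_set_header Host       $proxy_host;
        # Redefine the WAF traffic tag on the forwarded request.
        proxy_set_header X-CloudWAF-Traffic-Tag 0;
        # ......
        proxy_pass http://x.x.x.x;
    }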
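
The following shell function is an added example, not part of the original documentation: it scans an Nginx configuration for location blocks that contain proxy_pass but do not set X-CloudWAF-Traffic-Tag to 0 as described in step 2. The function names, the sample configuration, and the 192.0.2.x addresses are constructed for illustration; nested location blocks, include files, and directives inherited from the server level are not resolved.

```shell
# Added example (not from the original page): report location blocks that
# proxy requests without resetting X-CloudWAF-Traffic-Tag to 0.

# find_untagged_proxies [FILE...]  (hypothetical helper; reads stdin if no file)
# Prints "<line>: location <match>" for every offending block.
find_untagged_proxies() {
    awk '
    { sub(/#.*/, "") }                       # ignore comments
    !in_loc && /^[ \t]*location[ \t]/ {      # a new location block starts
        name = $0
        sub(/^[ \t]*location[ \t]+/, "", name)
        sub(/[ \t]*[{].*$/, "", name)
        in_loc = 1; depth = 0; opened = 0; start = FNR
        proxied = 0; tagged = 0
    }
    in_loc {
        line = tolower($0)                   # header names are case-insensitive
        if (line ~ /(^|[ \t;{])proxy_pass[ \t]/) proxied = 1
        if (line ~ /proxy_set_header[ \t]+x-cloudwaf-traffic-tag[ \t]+"?0"?[ \t]*;/) tagged = 1
        opens = gsub(/[{]/, "{"); closes = gsub(/[}]/, "}")
        if (opens > 0) opened = 1
        depth += opens - closes              # follow inner blocks such as "if"
        if (opened && depth <= 0) {          # closing brace of the location
            if (proxied && !tagged) printf "%d: location %s\n", start, name
            in_loc = 0
        }
    }' "$@"
}

# Constructed sample configuration (addresses are documentation placeholders).
sample_conf() {
    cat <<'EOF'
server {
    location ^~ /test/ {
        proxy_set_header Host $proxy_host;
        proxy_set_header X-CloudWAF-Traffic-Tag 0;
        proxy_pass http://192.0.2.10;
    }
    location /api/ {
        proxy_set_header Host $proxy_host;
        proxy_pass http://192.0.2.11;
    }
}
EOF
}

sample_conf | find_untagged_proxies   # prints "7: location /api/"
```

To check a real file, pass its path as the argument, for example the configuration file opened in step 1.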

Cause 3: Origin Server IP Address Was Mistakenly Set to an IP Address of WAF or a Proxy in Front of WAF

If the origin server address is mistakenly set to the back-to-source IP address of WAF or an IP address of the proxy in front of WAF, the website requests enter an endless loop and error code 523 is returned.

Solution

Check the origin server configurations and enter a correct origin server address. For details, see Editing Server Information.

Figure 1 Changing the origin server address