cloudflared: ERR failed to connect to origin error="websocket: bad handshake"

Server/Client: cloudflared version 2021.2.5 (built 2021-02-23-1951 UTC) (same issue with Windows and RPM clients) DNS records (Proxied) created through “cloudflared tunnel route dns” or running adhoc tunnel.

Error (with multiple subdomains): 2021-02-24T21:42:37Z ERR failed to connect to origin error="websocket: bad handshake" originURL=https://test.dblngtvnfnt.eu

With debug log level on client side getting interesting redirect to HTTP (Location: http://test.dblngtvnfnt.eu): 2021-02-24T21:42:37Z DBG Websocket response: "HTTP/1.1 301 Moved Permanently\r\nTransfer-Encoding: chunked\r\nCache-Control: max-age=3600\r\nCf-Ray: 626c5b80de6032aa-CDG\r\nCf-Request-Id: 0877978484000032aa01148000000001\r\nConnection: keep-alive\r\nDate: Wed, 24 Feb 2021 21:42:36 GMT\r\nExpect-Ct: max-age=604800, report-uri=\"https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct\"\r\nExpires: Wed, 24 Feb 2021 22:42:36 GMT\r\nLocation: http://test.dblngtvnfnt.eu/\r\nNel: {\"report_to\":\"cf-nel\",\"max_age\":604800}\r\nReport-To: {\"endpoints\":[{\"url\":\"https:\\/\\/a.nel.cloudflare.com\\/report?s=N1qzu5FBgOybuOx4tfcnVJd3jnq5hrCJTngvCwPCQNPwOz%2By8eB18i20FdmCVVE9rbCD3IXNs42g7PHCYF2fg%2Fg4zdBdbbnUt0BBxuVPZVD9cT5S\"}],\"max_age\":604800,\"group\":\"cf-nel\"}\r\nServer: cloudflare\r\n\r\n0\r\n\r\n"

About this issue

  • State: closed
  • Created 3 years ago
  • Comments: 41 (14 by maintainers)

Most upvoted comments

I had the same problem:

2021-11-09T12:02:09Z ERR failed to connect to origin error=“websocket: bad handshake” originURL=

For me this happened after I set the ‘Definitely automated’ of ‘Configure Super Bot Fight Mode’ to Challenge (this is under Firewall/Bots on the Cloudflare dashboard). Changing the setting back to Allow resolved the issue.

As the description of this setting is ‘Definitely automated traffic typically consists of bad bots. Select an action for this traffic.’, I was surprised that it impacted Tunnels.

I too had this problem, and the solution was to turn off the “Enable Binding Cookie” in the Application settings in Teams. So much wasted time, please add this to the documentation. Credit for the solution goes here: (https://community.cloudflare.com/t/ssh-over-cloudflare-tunnel-always-results-in-failed-to-connect-to-origin-error-websocket-bad-handshake-unless-i-use-the-web-terminal/280924/4)

Finally, found an issue… this definitely has to be added to documentation of Argo Tunnel/CF Access/CF for Teams - impact of SSL/TLS settings when Universal SSL is enabled/disabled.

On my test account Universal SSL was enabled, but SSL/TLS encryption mode was OFF. If Universal SSL is enabled, SSL/TLS encryption mode must be Flexible/Full/Full(strict) - it solves the “websocket: bad handshake” issue for me.

@nmldiegues thanks for assistance.

I ran into the “remote error: tls: handshake failure” using the “a.b.domain.tld” pattern and it ended up being a bad certificate. Cloudflare gives you a free edge cert for “*.domain.tld” but that doesn’t cover multi-level subdomains. After adding an Advanced Certificate for “*.b.domain.tld” it worked perfectly!

Maybe the DNS dashboard could show a warning for any records with proxy enabled that don’t have a valid edge cert? I’ve had other unrelated issues caused by the same thing in the past and it’s always very hard to debug.

Unfortunately, not. I’m having Strict SSL (and tried others as well), running the same version of cloudflared on both client and the server and facing this issue… Let me know how I can help to troubleshoot/isolate the issue. Thanks! Running a single tunnel, multiple ingress rules, with other rules working at the time when SSH from a native client is failing.

Edit: My SSH domain is like: sub.domain.cc.cc.ext. Wondering if this could cause issues with cloudflared or with the service, with the below error: [image]

I was able to resolve the web sockets error by enabling web sockets under the Network section. Sigh.

2021-05-23T19:17:00Z ERR failed to connect to origin error="remote error: tls: handshake failure" originURL=https://a.b.c.d
remote error: tls: handshake failure
kex_exchange_identification: Connection closed by remote host

Got similar problems and errors here. I found that if you have too many levels on your subdomain then SSH rules don’t work correctly in cloudflared. Above you see errors when I had sub domain a.b.c.d which doesn’t work, but if I change it to b.c.d it starts working.

On my Windows client, I had to remove the host from known_hosts to get it working again.
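Two of the failure signatures in this thread can be triaged offline: the WebSocket upgrade answered with a 301 to http:// from the original report (the edge is not terminating TLS for that hostname), and the tls: handshake failure on a.b.domain.tld that a single-label wildcard certificate does not cover. The helpers below are an added example, not cloudflared or Cloudflare code; the function names are the author's own and the sample response is constructed from the debug log above.

```python
"""Offline triage helpers for the two failure signatures in this thread:
a WebSocket upgrade answered with an https -> http redirect, and a
wildcard certificate that does not cover a multi-level subdomain.
Added example, not cloudflared code; names are the author's own."""
from urllib.parse import urlparse

# Constructed sample mirroring the 301 in the debug log above, trimmed to
# the headers that matter for triage.
SAMPLE_301 = (
    "HTTP/1.1 301 Moved Permanently\r\n"
    "Cache-Control: max-age=3600\r\n"
    "Location: http://test.dblngtvnfnt.eu/\r\n"
    "Server: cloudflare\r\n\r\n"
)


def parse_response(raw):
    """Split a raw HTTP/1.1 response into (status_code, headers dict)."""
    head = raw.split("\r\n\r\n", 1)[0]
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split(" ", 2)[1])
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def diagnose_upgrade(raw):
    """Classify the edge's answer to a WebSocket upgrade request."""
    status, headers = parse_response(raw)
    if status == 101:
        return "ok"
    loc = headers.get("location", "")
    if status in (301, 302, 307, 308) and urlparse(loc).scheme == "http":
        # Edge redirected https -> http: the zone is not terminating TLS
        # for this hostname (SSL/TLS mode Off), so no upgrade can succeed.
        return "redirect-to-http"
    if status == 403:
        return "blocked"  # Access policy or bot fight mode; check dashboard
    return "unexpected-%d" % status


def wildcard_covers(pattern, host):
    """RFC 6125 style match: '*' matches exactly one leftmost label, so
    '*.domain.tld' does not cover 'a.b.domain.tld'."""
    p_labels, h_labels = pattern.lower().split("."), host.lower().split(".")
    if len(p_labels) != len(h_labels):
        return False
    return all(pl in ("*", hl) for pl, hl in zip(p_labels, h_labels))
```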