RE: Receiving 502 errors when using Cloudflare in front of FusionAuth

This is due to non-ASCII characters in headers causing an issue in the FusionAuth parsing code. Cloudflare sends headers with non-ASCII characters (such as cf-region: São Paulo) which triggers this issue.

This is a java-http bug that was fixed in 2024, and released in FusionAuth version 1.51.2.

So, two options:

• upgrade to a version of FusionAuth 1.51.2 or newer. This is the recommended approach, but may require some work.
• as an interim workaround, you can disable the "Add visitor location headers" option from your CloudFlare console. This should not have any negative impact, since we do not inspect those headers.

We were using a FusionAuth cloud deployment directly but now want to use Cloudflare in front of it.

We are now seeing intermittent, infrequent 502 errors.

We see errors like this in the logs

2025-06-24 14:05:09.345 PM ERROR io.fusionauth.http.server.HTTPServerThread - An exception was thrown during processing
java.lang.IllegalArgumentException: Not a valid Unicode code point: 0xFFFFFFC3 

How can we resolve this?

@sergey_smirnov Hmm, the 10 sec between the logs does lead me to similar speculation that it is being caused by the user. I would think they would be closer together if it was something the application was doing on its own (although I am not entirely ready to rule that out either).

That being said, it seems like just guessing unless you can get the application logs and trace the users page views for sure. Is that possible?

There is a setting in the Tenants for the Session timeout.
Tenants -> Edit -> OAuth tab -> Session timeout

Let me know if you are able to log the users page views.

@sergey_smirnov You won't find the web requests in the FA dashboard, but you can enable debugging for Oauth in the application and see if that gives you more details in the System -> Even Log.

@davidhaven1246 Have you checked out the documentation on using the basic registration form? Will enabling the Self-service registration for the application what you are after? If not, a little more detail on your flow and how you have implemented may help.

This post may help provide some clarity as well for an invitation flow. Keep in mind, this flow utilizes some paid features of FusionAuth, but you may be able to figure out some work arounds with the community edition.

This post talks about passing some parameters in a link that may help as well.

@sergey_smirnov, I see you submitted the FusionAuth log. I didn't approve the post because I thought there might be some info in there you don't want public. I cut some out and will paste it here:

That is interesting. Would it be possible to get the web server logs and see if there were actual multiple requests.

@sergey_smirnov can you tell us a little about how you have FusionAuth set up? Can you look at your server logs and make sure the page is not being called multiple times? Also, can you share the details of the log entries (be sure to redact private information)?

@ext_figuvini after reading your post again, I think I read it differently. The way the SSO logout works is that on logout, FusionAuth calls all the logout urls for each applications. It would seem that you are correct in that creating an application for each subdomain makes sense and would work. (You can create applications through the API so you should be able to automate this.) Can you try this for a few domains and confirm it works?

@ext_figuvini this is an interesting use case. I would think the way you have it configured would work. I would have to recreate you situation to test. Unfortunately it may be a while before I can get that done. I should be able to take a look next week. If anyone has experience with this, please feel free to chime in.

@eakpan Awesome, thanks for posting. This may end up helping others. Glad you are able to configure FusionAuth to work for you.