How do I troubleshoot 504 errors in CloudFront?

Last updated: 2022-06-02

I'm using an Amazon CloudFront distribution to serve content. However, viewers receive a 504 error when they try to access the content through a web browser. How can I resolve these errors?

Short description

CloudFront returns two types of 504 errors:

  • 504: "Gateway Time-out" errors occur when the error is returned by the origin, and then passed through CloudFront to the viewer.
  • 504: "The request could not be satisfied" errors occur when the origin didn't respond to CloudFront in the allotted time frame and so the request expired.

Based on the error you receive, see the related resolution section.

Resolution

504: "Gateway Time-out" error

Verify that the correct ports are open on your security group.

Make sure that the origin server allows inbound traffic from CloudFront, typically on port 443 or 80.

If your origin uses Elastic Load Balancing, then review the ELB security groups. Make sure that the security groups allow inbound traffic from CloudFront.

Verify that the origin server firewall allows connections from CloudFront

Depending on your OS, confirm that the firewall allows traffic for port 443 and 80.

If you're using Red Hat Linux, verify that your firewall rules match the following settings.

Red Hat Linux View Firewall Rules:

$ sudo firewall-cmd --permanent --zone=public --list-ports

Permanently Add Rules:

$ sudo firewall-cmd --permanent --zone=public --add-port=80/tcp
$ sudo firewall-cmd --permanent --zone=public --add-port=443/tcp

If you're using Ubuntu Linux, verify that your firewall rules match the following settings.

Ubuntu Linux View Firewall Rules:

$ sudo ufw status verbose

Permanently Add Rules:

$ sudo ufw allow 80
$ sudo ufw allow 443

If you use Windows Firewall on a Windows server, then see Add or Edit Firewall Rule in the Microsoft documentation.

Make sure that your custom server is accessible over the internet

If CloudFront is unable to access your origin over the internet, then CloudFront returns a 504 error. To check that internet traffic can connect to your origin, run the following commands for HTTPS and HTTP traffic.

For HTTPS Traffic:

nc -zv OriginDomainName/IP_Address 443
telnet OriginDomainName/IP_Address 443

For HTTP Traffic:

nc -zv OriginDomainName 80
telnet OriginDomainName 80

504: "The request could not be satisfied" error

Measure the typical and high-load latency of your web application

Use the following command to measure the responsiveness of your web application:

curl -w "DNS Lookup Time: %{time_namelookup} \nConnect time: %{time_connect} \nTLS Setup: %{time_appconnect} \nRedirect Time: %{time_redirect} \nTime to first byte: %{time_starttransfer} \nTotal time: %{time_total} \n" -o /dev/null https://www.example.com/yourobject

Note: For https://www.example.com/yourobject, enter the URL of the web application that you're testing.

The output looks similar to the following:

DNS Lookup Time: 0.212319
Connect time: 0.371254
TLS Setup: 0.544175
Redirect Time: 0.000000
Time to first byte: 0.703863
Total time: 0.703994

Depending on the location of the request, troubleshoot the step that shows high latency.
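
The timers that curl prints are cumulative from the start of the request, so the slow step is found from the differences between them. The following added example (not part of the original article) does that subtraction for the sample output above; the function names, the phase labels, and the threshold argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: split the cumulative curl timers into per-phase durations.

# Constructed sample: the output shown in this article.
SAMPLE='DNS Lookup Time: 0.212319
Connect time: 0.371254
TLS Setup: 0.544175
Redirect Time: 0.000000
Time to first byte: 0.703863
Total time: 0.703994'

# phase_breakdown: reads the curl -w output on stdin and prints
# one "phase seconds" line per step of the request.
phase_breakdown() {
  awk -F': *' '
    /^DNS Lookup Time/    { dns   = $2 + 0 }
    /^Connect time/       { conn  = $2 + 0 }
    /^TLS Setup/          { tls   = $2 + 0 }
    /^Time to first byte/ { ttfb  = $2 + 0 }
    /^Total time/         { total = $2 + 0 }
    END {
      if (tls == 0) tls = conn   # plain HTTP: no TLS handshake was timed
      printf "dns %.6f\n",      dns          # name resolution
      printf "tcp %.6f\n",      conn - dns   # TCP handshake
      printf "tls %.6f\n",      tls - conn   # TLS handshake
      printf "wait %.6f\n",     ttfb - tls   # request sent until first byte
      printf "transfer %.6f\n", total - ttfb # body download
    }'
}

# slowest_phase: prints the name of the phase that took longest.
slowest_phase() {
  phase_breakdown |
    awk '$2 + 0 > max + 0 { max = $2; name = $1 } END { print name }'
}

# wait_exceeds LIMIT: exit status 0 when the wait phase is longer than
# LIMIT seconds (LIMIT is a hypothetical threshold chosen by the caller).
wait_exceeds() {
  phase_breakdown |
    awk -v limit="$1" '$1 == "wait" { hit = ($2 + 0 > limit + 0) }
                       END { exit hit ? 0 : 1 }'
}

printf '%s\n' "$SAMPLE" | phase_breakdown
```

The wait value is the one to compare with the origin response timeout configured on your distribution. CloudFront measures that time from its edge locations rather than from the machine where you run curl, so treat the comparison as an approximation.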

Add resources or tune servers and databases

Make sure that your server has enough CPU, memory, and disk space to handle viewer requests.

Set up persistent connections on your backend server. These connections help reduce the latency that occurs when connections must be re-established for subsequent requests.

Adjust the CloudFront timeout value

If the previous troubleshooting steps didn't resolve the HTTP 504 errors, then update the time that is specified in your distribution for origin response timeout.

