Web server is down: error code 521

Error 521 is a Cloudflare-specific error message (like error 520) that appears when your WordPress site’s server refuses a connection with Cloudflare.

In this post, you’ll learn:

  • More about what the Error 521 message is
  • What causes the Error 521 message
  • How to fix Error 521 for Cloudflare and WordPress

What is Error 521 Web Server is Down?

As you learned above, the Error 521 message is an error message that’s specific to Cloudflare.

Essentially, it means that your web browser was able to successfully connect to Cloudflare, but Cloudflare was not able to connect to the origin web server – AKA your WordPress site’s server.

Specifically, Cloudflare tried to connect to your WordPress site’s server but received a connection refused error in response.

Because Cloudflare cannot connect to your site, it’s unable to display your site to visitors and shows the Error 521 message instead:

An example of the Error 521 message

What Causes the Error 521 Message?

Typically, the Error 521 message is caused by one of two situations:

First, your WordPress site’s server may be down. Even if everything else is configured properly, if your WordPress site’s server is offline, Cloudflare simply won’t be able to connect.

Second, your web server might be running fine but blocking Cloudflare’s requests for some reason. Because of how Cloudflare works, some server-side security solutions might inadvertently block Cloudflare’s IP addresses.

Because Cloudflare is a reverse proxy, all of the traffic coming to your origin server will appear as if it’s coming from a small range of Cloudflare IPs (rather than each individual visitor’s unique IP address). As such, some security solutions will view high traffic from a limited number of IP addresses as an attack and block them.

When that happens, Cloudflare won’t be able to connect and will display the Error 521 message instead.

How to Fix Error 521 for Cloudflare and WordPress

Now that you know what’s happening, let’s dig into how to fix Error 521 in WordPress.

Step 1: Test if the Origin Server is Online

Before going any further, you’ll want to make sure that your WordPress site’s server is online and functioning normally. If it’s not, there’s no sense digging into further troubleshooting steps.

To test this, you can run a cURL command. If you’re on Mac or Linux, you can run this right from Terminal.

Windows doesn’t have cURL installed by default and, while you can install it, a simpler way is to use KeyCDN’s online HTTP Header Check tool.

All you do is plug in http://1.2.3.4, where 1.2.3.4 is the actual IP address of your server.

The KeyCDN Header Check tool

If you host at Kinsta, you can find your server IP address in the Sites tab:

Where to find your Kinsta server IP address

Or, you can also take it from the A record for your domain in the DNS area of the Cloudflare web dashboard.

If your server is up, you should see an HTTP 200 response. Or, if you host at Kinsta, you’ll see 404 Not Found, which also means the web server is up (there’s just no page associated with that IP):

An example of a successful connection

If there’s a problem, you’ll see something like Host Not Found or Failed to connect:

An example of a problem with your server

If there’s a problem with your server and you’re not sure what’s going on, reach out to your host’s support (you can access Kinsta support from anywhere in your dashboard via the Intercom widget).
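An added example (not part of the original article): a Python probe that connects straight to the origin IP, bypassing Cloudflare, and separates a refused connection (the Error 521 condition) from a silent timeout. The function names, outcome labels and the 15-second default timeout are choices made for this example.

```python
"""Probe an origin server directly and classify how it answers on TCP."""
import http.client
import socket
import sys

# Outcome labels are this example's own naming.
OPEN, REFUSED, TIMEOUT, UNREACHABLE = "open", "refused", "timeout", "unreachable"

VERDICTS = {
    OPEN: "listening: the origin accepts connections from this machine",
    REFUSED: "connection refused: the condition Cloudflare reports as Error 521",
    TIMEOUT: "no reply: packets are dropped or the host is offline (a timeout, not a refusal)",
    UNREACHABLE: "address not reachable (DNS failure, routing problem or ICMP unreachable reply)",
}


def probe_tcp(host, port, timeout=15.0):
    """Attempt a single TCP handshake and return one of the outcome labels."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return OPEN
    except ConnectionRefusedError:
        return REFUSED          # the peer or a rejecting firewall actively refused
    except (socket.timeout, TimeoutError):
        return TIMEOUT          # nothing came back before the deadline
    except OSError:
        return UNREACHABLE      # gaierror, no route to host, network unreachable


def http_status(host, port=80, hostname=None, timeout=15.0):
    """Send HEAD / over plain HTTP and return the numeric status code."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        # The Host header lets a name-based virtual host answer even though we dial the IP.
        conn.request("HEAD", "/", headers={"Host": hostname or host})
        return conn.getresponse().status
    finally:
        conn.close()


def check_origin(ip, ports=(80, 443), plain_http_ports=(80,), hostname=None, timeout=15.0):
    """Return {port: {"tcp": outcome, "verdict": text, "http": status or None}}."""
    report = {}
    for port in ports:
        outcome = probe_tcp(ip, port, timeout)
        status = None
        if outcome == OPEN and port in plain_http_ports:
            try:
                status = http_status(ip, port, hostname, timeout)
            except (OSError, http.client.HTTPException):
                status = None   # the port is open but did not speak HTTP
        report[port] = {"tcp": outcome, "verdict": VERDICTS[outcome], "http": status}
    return report


if __name__ == "__main__":
    # Usage: python check_origin.py ORIGIN_IP [HOSTNAME]
    target = sys.argv[1]
    name = sys.argv[2] if len(sys.argv) > 2 else None
    for port, row in check_origin(target, hostname=name).items():
        print(port, row["tcp"], row["http"], row["verdict"])
```

Run it from a machine outside your hosting network; an `open` result here combined with a 521 through Cloudflare points at rules that treat Cloudflare's addresses differently from yours.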

Step 2: Whitelist all Cloudflare IP ranges in your server’s firewall

If your WordPress site’s server is functioning normally but you still see the Error 521 message when you try to access your site, the next step is to whitelist all of Cloudflare’s IP ranges to make sure that your server isn’t blocking them.

Here’s a full list of Cloudflare’s IP ranges.

You’ll want to make sure you aren’t blocking these IP addresses in .htaccess, iptables, or your firewall. And you’ll also want to make sure that your hosting provider isn’t rate limiting or blocking IP requests from Cloudflare’s IP addresses.

If you’re not sure how to do this, reach out to your host’s support. At Kinsta, these IP ranges should already be whitelisted.
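An added example (not from the original article) of one way to run this check against iptables: it walks `iptables -S INPUT` output in rule order and reports the first rule that drops, rejects or rate limits each proxy range on ports 80 and 443. The rule set and the ranges below are constructed placeholders (RFC 5737 documentation blocks), not Cloudflare's real ranges; user-defined chains and negated matches are not followed.

```python
"""Find the first iptables INPUT rule that decides the fate of each proxy range."""
import ipaddress
import shlex

# Constructed placeholder ranges; load Cloudflare's published list in real use.
SAMPLE_PROXY_RANGES = ["192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24"]

# Constructed `iptables -S INPUT` output for the demonstration.
SAMPLE_RULES = """\
-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 198.51.100.0/24 -p tcp -m multiport --dports 80,443 -j ACCEPT
-A INPUT -s 203.0.113.64/26 -j DROP
-A INPUT -p tcp -m tcp --dport 443 -m connlimit --connlimit-above 20 -j REJECT --reject-with tcp-reset
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
"""

RATE_MODULES = {"connlimit", "hashlimit", "limit", "recent"}  # per-source throttling
MODELED_MODULES = {"tcp", "multiport"}                        # matches we can evaluate


def parse_ports(spec):
    """'80,443,8000:8080' -> [(80, 80), (443, 443), (8000, 8080)]"""
    out = []
    for part in spec.split(","):
        lo, _, hi = part.partition(":")
        out.append((int(lo), int(hi or lo)))
    return out


def parse_rules(text, chain="INPUT"):
    """Return (default_policy, [rule dicts]) for one chain of `iptables -S` output."""
    policy, rules = "ACCEPT", []
    for line in text.splitlines():
        tok = shlex.split(line)
        if len(tok) >= 3 and tok[0] == "-P" and tok[1] == chain:
            policy = tok[2]
        if len(tok) < 2 or tok[0] != "-A" or tok[1] != chain:
            continue
        rule = {"text": line.strip(), "src": None, "proto": None, "dports": None,
                "iface": None, "modules": set(), "negated": "!" in tok, "target": None}
        for flag, val in zip(tok, tok[1:]):
            if flag in ("-s", "--source"):
                rule["src"] = ipaddress.ip_network(val, strict=False)
            elif flag in ("-p", "--protocol"):
                rule["proto"] = val
            elif flag in ("--dport", "--dports"):
                rule["dports"] = parse_ports(val)
            elif flag in ("-i", "--in-interface"):
                rule["iface"] = val
            elif flag in ("-m", "--match"):
                rule["modules"].add(val)
            elif flag in ("-j", "--jump"):
                rule["target"] = val
        rules.append(rule)
    return policy, rules


def first_decision(rules, policy, net, port):
    """Walk the chain in order, as netfilter does, for TCP traffic from `net` to `port`."""
    for r in rules:
        if r["iface"] == "lo" or r["proto"] not in (None, "tcp", "all"):
            continue
        if r["dports"] and not any(lo <= port <= hi for lo, hi in r["dports"]):
            continue
        src = r["src"]
        if src is not None and (src.version != net.version or not src.overlaps(net)):
            continue
        rate = bool(r["modules"] & RATE_MODULES)
        conditional = r["negated"] or bool(r["modules"] - MODELED_MODULES)
        if r["target"] == "ACCEPT":
            # Only an unconditional ACCEPT covering the whole range settles the matter.
            if not conditional and (src is None or net.subnet_of(src)):
                return "allowed", r["text"]
        elif r["target"] in ("DROP", "REJECT"):
            if rate:
                return "rate-limited", r["text"]
            if not conditional:
                # REJECT answers the proxy (refusal); DROP stays silent (timeout).
                return ("refused" if r["target"] == "REJECT" else "dropped"), r["text"]
    return ("allowed" if policy == "ACCEPT" else "dropped"), f"-P INPUT {policy}"


def audit(rules_text, ranges, ports=(80, 443)):
    """Return [(range, port, verdict, deciding_rule)] for every combination not allowed."""
    policy, rules = parse_rules(rules_text)
    findings = []
    for cidr in ranges:
        net = ipaddress.ip_network(cidr)
        for port in ports:
            verdict, rule = first_decision(rules, policy, net, port)
            if verdict != "allowed":
                findings.append((cidr, port, verdict, rule))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_RULES, SAMPLE_PROXY_RANGES):
        print(*finding, sep=" | ")
```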

Step 3: Consider more specific issues

Finally, here are some more specific technical steps you can take, depending on your server’s configuration.

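1) If you just started using Cloudflare’s HTTPS, your origin server might not be configured to allow Cloudflare’s IP addresses to access port 443. If you can’t configure your firewall to allow this, try using Flexible SSL instead of Full SSL at Cloudflare. Keep in mind that with Flexible SSL the traffic between Cloudflare and your origin travels over unencrypted HTTP, so opening port 443 is the better long-term fix.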

2) Make sure you’re using the most recent versions of Bad Behavior or mod_security, if applicable.

3) If you’re using the mod_antiloris or mod_reqtimeout Apache modules, disable and unload those modules.

Conclusion

If you host at Kinsta and are still experiencing the 521 Error after implementing these tweaks, our support will be able to help – just reach out through the Intercom chat widget in your Kinsta dashboard.


Errors 520, 521, 522 and 524 are related to problems with the CloudFlare service.

CloudFlare is a service that routes traffic to a site through a cloud proxy server, which provides additional protection against DDoS attacks and speeds up the loading of your site.

Error 520 Unknown Error

What does error 520 mean? CloudFlare returns a 520 error when it cannot process the response from the web server that hosts the site:

Errors 520, 521, 522, 524 on a site (1)

Causes of the error:

  • connection reset (after a successful request, the server dropped the connection);
  • the request header exceeds Cloudflare's header size limit (more than 8 KB). If you have many cookies or they are very large, this can increase the size of the headers. Because Cloudflare limits the header size to 8 KB, it cannot process a long header;
  • an empty response from the server. This happens when the domain's DNS points to the wrong server;
  • an invalid response from the server;
  • a security system is blocking requests. Add Cloudflare's IP addresses to the whitelist so that the system does not block requests.

Ways to fix the error:

  1. Disable CloudFlare. This lets you determine where the error is (on the server or in CloudFlare).
  2. Remove plugins. Plugins sometimes require many cookies. If the site has many plugins, this can affect the size of the headers. They may become too large for Cloudflare to handle. To fix the error, disable the plugins one by one. If the error disappears, remove some of the plugins.
  3. Check the DNS settings in CloudFlare. Make sure the A record points to the correct IP address.

Detailed recommendations for fixing error 520 are given in the CloudFlare help.

Error 521 Web Server Is Down

Error code 521 occurs when the web server drops the connection with CloudFlare:

Errors 520, 521, 522, 524 on a site (1)

This can happen in two cases:

  • the server is not responding or is unavailable. Check that the server is working;
  • the web server is blocking CloudFlare's requests. Because CloudFlare works as a reverse proxy, all requests to servers come from CloudFlare IP addresses. Sometimes the hosting security system mistakes constant connections from the same IP addresses for a DDoS attack. As a result, CloudFlare's IP addresses are blocked or rate limited.

You can see the CloudFlare IP address range via the link.

Recommendations for fixing error 521 are given in the CloudFlare help.

Error 522 Connection timed out

Error 522 occurs when the wait for a response from the web server times out and the user cannot reach the page:

Errors 520, 521, 522, 524 on a site (2)

Main causes:

  • the web server is overloaded and did not respond to the request;
  • the web server has a protection system that blocks requests from CloudFlare;
  • the web server is unavailable;
  • an incorrect IP address is set in the DNS settings at CloudFlare (the request from CloudFlare was sent to a different IP);
  • network routing problems between CloudFlare and the web server.

What to do? To solve the problem, make sure your web server is running and accepts HTTP requests. Check that the DNS settings in your CloudFlare account are correct.

Detailed recommendations for fixing error 522 are given in the CloudFlare help.

How to fix error 522 in Google Chrome

Solutions:

  1. Clear the browser cache. The browser may be overfilled with data about visited sites. Free up space in the browser cache by following the instructions.
  2. Remove the browser extension that disrupts the connection to the server. Disable extensions one at a time to find the one that causes the error.
  3. Check your internet connection. Low internet speed or connection interruptions can affect how long the server response takes to arrive. This is what causes error 522.

How to check your internet connection

  1. Open the command prompt. To do this, type "Command Prompt" in the search bar and select the application that appears:

    How to check the internet connection

  2. Enter in the command prompt:

Done. You will get a message with the number of packets sent and received. If no packets were lost, your internet connection is good and the problem lies elsewhere. If packets were lost, contact your internet provider to improve the connection.

How to check the internet connection 2

  4. Clear the DNS cache. Connection problems can arise when the site server's IP address in the computer's cache does not match the real address. This happens when site owners change the server's IP address for some reason. To fix this problem, follow the instructions.

Error 524 A timeout occurred

Error 524 occurs when a connection to the web server has been established but the server did not respond within the connection timeout:

Errors 520, 521, 522, 524 on a site (3)

The HTTP response timeout at CloudFlare is 100 seconds. If the web server has not provided a response, the system returns a 524 error.

Main causes:

  • a long-running PHP process or database query;
  • the web server is overloaded. Check the server's available resources, including CPU and RAM.

If you regularly run heavy requests that can take more than 100 seconds, move these processes to a subdomain that is not proxied through Cloudflare.

Recommendations for fixing error 524 are given in the CloudFlare help.

Technical support

Рег.ру specialists do not provide technical support for the CloudFlare service. To resolve the error, contact CloudFlare technical support. If the site's malfunction is related to Рег.ру hosting, submit a request to the technical support service.

Errors 520-524 require a lot of knowledge about the server and how it works, so the surest way to solve the problem is to contact your hosting provider, the site administrator, or CloudFlare technical support (if the problem is on their service's side).


Cloudflare will return an error 521 message when your website refuses a connection with Cloudflare.

This is frequently caused by firewalls or security software. The error looks something like this 👇🏻

Cloudflare Error 521 Web Server Is Down

A failed connection generates this connection refused error response message

Similar to Cloudflare error 520, there are a couple of different ways to fix this error.

Let’s dive into why error 521 happens and how to solve it.

What is Error 521 Web Server is Down?

Cloudflare error 521 occurs when Cloudflare cannot make a TCP connection to your origin server. Cloudflare attempted to connect to your origin server on port 80 or 443, but received a connection refused error. Error 521 is commonly caused by security or firewall software and happens if the origin server has directly denied Cloudflare’s proxy request.

What Causes the Error 521 Message?

There are two main reasons why Cloudflare will throw an error 521.

#1 Your server is down

Cloudflare tried to connect with your site’s server (i.e. the place where your website is hosted) but failed because the origin web server was offline.

If your server is up, the other possible reason is that—

#2 Your firewall or other security software could be interfering with Cloudflare requests

This is common because many server security solutions flag and block Cloudflare IP addresses.

Cloudflare works via a reverse proxy. That means requests reach your origin web server from Cloudflare IPs instead of from each visitor’s own IP address.

Many (poorly built) server security solutions will flag this disproportionate traffic from a small set of IP addresses as an attack.

Now that we understand a bit more about what error 521 is, here’s how to fix it.

How to Fix Error 521 on Cloudflare

  1. Check Your Origin Server
  2. Test Your Origin Web Server
  3. Whitelist All Cloudflare IP Ranges in Your Server’s Firewall
  4. Check for More Specific Technical Issues

1. Check Your Origin Server

Cloudflare will not connect with your origin server if it’s offline or misconfigured. Your first call should be checking it before you go on to the next possible solutions.

Be sure to see that your web server is running properly independent of Cloudflare.

The easiest way to do this is to contact your hosting provider and ask them if their servers are online.

If you’d rather test them yourself, go to step 2 below.

2. Test Your Origin Web Server

To test if your origin server is working correctly, you need to run a cURL command. Mac and Linux users can do this directly from their terminal, while Windows users need to install cURL first.

Check the DNS section of the Cloudflare dashboard for the IP address of your server. You will find it in the A record for your domain.

Plug http://x.x.x.x into the tool, where x.x.x.x is the actual IP address of your origin server.

An HTTP 200 response means your server is working correctly.

If there is a problem, you will get a Failed to Connect or Host Not Found Error.

This means there’s an issue with your server.

Contact your host’s support and ask them to help you get your server back up.

3. Whitelist All Cloudflare IP Ranges in Your Server’s Firewall

If you’ve confirmed your site’s server is online but you’re still getting a Cloudflare error 521, the next step is to whitelist all of Cloudflare’s IP ranges.

This is an easy way to ensure that your server is not blocking them. You can check the list of Cloudflare IPs here.

Then using this list—

  • Ensure that you are not blocking the Cloudflare IPs in iptables, .htaccess, or in your firewall.
  • Check that your hosting service provider is not rate-limiting (you might have to ask them). Similarly, check to see if they are not blocking IP requests from Cloudflare IPs. If your hosting service does this, ask that they whitelist all IP addresses from here.
  • A faulty firewall can also create a false 521 error instead of an error 524. The error messages might come from a faulty firewall configuration that makes it drop packets instead of refusing the connection. If you’re on WordPress, try deactivating any security-related plugins to see if that resolves the issue.

4. Check for More Specific Technical Issues

If the error message persists after trying the above, consider the following technical solutions. Note that your server’s configuration determines which solution suits you.

  • If you are new to Cloudflare’s HTTPS, your origin web server might still have the wrong configuration. Ensure that the server allows Cloudflare IP addresses to access port 443. If you can’t re-configure your server/firewall to listen on port 443, try using Flexible SSL instead of Full SSL at Cloudflare.
  • Ensure that your mod_security and Bad Behavior versions are up to date where applicable. For mod_security in particular, check that its rules are not blocking Cloudflare requests.
  • Custom Apache modules like mod_reqtimeout and mod_antiloris block IPs when they connect more than 22 times. Because your connections now come from Cloudflare, you will always exceed the limit, hence the error. Disable and unload these modules, and the error should disappear.
  • If you see the error message: “railgun.wan_error: connection failed”, your Railgun configuration is probably faulty. Please disable it and revisit your website.
  • If the error happens when you use Workers to load JavaScript on your website, note that a Workers subrequest can override your DNS origin web server address. It does this by making a subrequest to an external website. Check the script to see if you’re testing the right origin web server.

Conclusion

Error 521 occurs when Cloudflare has its connection refused by the origin web server (i.e. where you host your website).

If none of the solutions above fixed your issue, I’d recommend contacting Cloudflare support and asking for their help. I hope you get this issue fixed soon 🙂️


When troubleshooting most 5XX errors, the correct course of action is to first contact your hosting provider or site administrator to troubleshoot and gather data.

Required error details for hosting provider

When contacting your hosting provider, give them the following information:

  1. Specific 5XX error code and message.
  2. Time and timezone the 5XX error occurred.
  3. URL that resulted in the HTTP 5XX error (for example: https://www.example.com/images/icons/image1.png).

The error cause is not always found in the origin server error logs. Check logs of all load balancers, caches, proxies, or firewalls between Cloudflare and the origin web server.

Additional details to provide to your hosting provider or site administrator are listed within each error description below. Cloudflare Custom Error Pages change the appearance of default error pages discussed in this article.

Error analytics

Error Analytics per domain are available within Zone Analytics. Error Analytics allows insight into overall errors by HTTP error code and provides the URLs, source IP addresses, and Cloudflare data centers needed to diagnose and resolve the issue.  Error Analytics are based on a 1% traffic sample.

To view Error Analytics:

  • Log in to the Cloudflare dashboard.
  • Click the appropriate Cloudflare account for your site, then pick the domain.
  • Next, click the Analytics & Logs app icon.
  • Click Add filter, select Edge status code or Origin status code and choose any 5xx error code that you want to diagnose.

Error 500: internal server error

Error 500 generally indicates an issue with your origin web server.  Error establishing database connection is a common HTTP 500 error message generated by your origin web server.  Contact your hosting provider to resolve.

Resolution

Provide details to your hosting provider to assist troubleshooting the issue.

However, if the 500 error contains “cloudflare” or “cloudflare-nginx” in the HTML response body, provide Cloudflare support with the following information:

  1. Your domain name
  2. The time and timezone of the 500 error occurrence
  3. The output of www.example.com/cdn-cgi/trace from the browser where the 500 error was observed (replace www.example.com with your actual domain and hostname)

Error 502 bad gateway or error 504 gateway timeout

An HTTP 502 or 504 error occurs when Cloudflare is unable to establish contact with your origin web server.

There are two possible causes:

  • (Most common cause) 502/504 from your origin web server
  • 502/504 from Cloudflare

502/504 from your origin web server

Cloudflare returns a Cloudflare-branded HTTP 502 or 504 error when your origin web server responds with a standard HTTP 502 bad gateway or 504 gateway timeout error:

Example of a Cloudflare-branded error 502.

Resolution

Contact your hosting provider to troubleshoot these common causes at your origin web server:

  • Ensure the origin server responds to requests for the hostname and domain within the visitor’s URL that generated the 502 or 504 error.
  • Investigate excessive server loads, crashes, or network failures.
  • Identify applications or services that timed out or were blocked.

502/504 from Cloudflare

A 502 or 504 error originating from Cloudflare appears as follows:

Example of an unbranded error 502.

If the error does not mention “cloudflare,” contact your hosting provider for assistance on 502/504 errors from your origin.

Resolution

To avoid delays processing your inquiry, provide these required details to Cloudflare Support:

  1. Time and timezone the issue occurred.
  2. URL that resulted in the HTTP 502 or 504 response (for example: https://www.example.com/images/icons/image1.png)
  3. Output from browsing to <YOUR_DOMAIN>/cdn-cgi/trace.

Error 503: service temporarily unavailable

HTTP error 503 occurs when your origin web server is overloaded. There are two possible causes discernible by error message:

  • Error doesn’t contain “cloudflare” or “cloudflare-nginx” in the HTML response body.

    Resolution: Contact your hosting provider to verify if they rate limit requests to your origin web server.

  • Error contains “cloudflare” or “cloudflare-nginx” in the HTML response body.

    Resolution: A connectivity issue occurred in a Cloudflare data center. Provide Cloudflare support with the following information:

    1. Your domain name
    2. The time and timezone of the 503 error occurrence
    3. The output of www.example.com/cdn-cgi/trace from the browser where the 503 error was observed (replace www.example.com with your actual domain and hostname)

Error 520: web server returns an unknown error

Error 520 occurs when the origin server returns an empty, unknown, or unexpected response to Cloudflare.

Resolution

Contact your hosting provider or site administrator and request a review of your origin web server error logs for crashes and to check for these common causes:

  • Origin web server application crashes
  • Cloudflare IPs not allowed at your origin
  • Headers exceeding 16 KB (typically due to too many cookies)
  • An empty response from the origin web server that lacks an HTTP status code or response body
  • Missing response headers or origin web server not returning proper HTTP error responses.
    • "upstream prematurely closed connection while reading response header from upstream" is a common error we may notice in our logs. This indicates the origin web server was having issues which caused Cloudflare to generate 520 errors.

If 520 errors continue after contacting your hosting provider or site administrator, provide the following information to Cloudflare Support:

  • Full URL(s) of the resource requested when the error occurred
  • Cloudflare cf-ray from the 520 error message
  • Output from http://<YOUR_DOMAIN>/cdn-cgi/trace
  • Two HAR files:
    • one with Cloudflare enabled on your website, and
    • the other with Cloudflare temporarily disabled.

Error 521: web server is down

Error 521 occurs when the origin web server refuses connections from Cloudflare. Security solutions at your origin may block legitimate connections from certain Cloudflare IP addresses.

The two most common causes of 521 errors are:

  • Offlined origin web server application
  • Blocked Cloudflare requests

Resolution

Contact your site administrator or hosting provider to eliminate these common causes:

  • Ensure your origin web server is responsive
  • Review origin web server error logs to identify web server application crashes or outages.
  • Confirm Cloudflare IP addresses are not blocked or rate limited
  • Allow all Cloudflare IP ranges in your origin web server’s firewall or other security software
  • Confirm that, if you have your SSL/TLS mode set to Full or Full (Strict), you have installed a Cloudflare Origin Certificate
  • Find additional troubleshooting information on the Cloudflare Community.

Error 522: connection timed out

Error 522 occurs when Cloudflare times out contacting the origin web server. Two different timeouts cause HTTP error 522 depending on when they occur between Cloudflare and the origin web server:

  1. Before a connection is established, the origin web server does not return a SYN+ACK to Cloudflare within 15 seconds of Cloudflare sending a SYN.
  2. After a connection is established, the origin web server doesn’t acknowledge (ACK) Cloudflare’s resource request within 90 seconds.

Resolution

Contact your hosting provider to check the following common causes at your origin web server:

  • (Most common cause) Cloudflare IP addresses are rate limited or blocked in .htaccess, iptables, or firewalls. Confirm your hosting provider allows Cloudflare IP addresses.
  • An overloaded or offline origin web server drops incoming requests.
  • Keepalives are disabled at the origin web server.
  • The origin IP address in your Cloudflare DNS app does not match the IP address currently provisioned to your origin web server by your hosting provider.
  • Packets were dropped at your origin web server.

If you are using Cloudflare Pages, verify that you have a custom domain set up and that your CNAME record is pointed to your custom Pages domain. Instructions on how to set up a custom Pages domain can be found here.

If none of the above leads to a resolution, request the following information from your hosting provider or site administrator before contacting Cloudflare support:

  • An MTR or traceroute from your origin web server to a Cloudflare IP address that most commonly connected to your origin web server before the issue occurred. Identify a connecting Cloudflare IP recorded in the origin web server logs.
  • Details from the hosting provider’s investigation such as pertinent logs or conversations with the hosting provider.

Error 523: origin is unreachable

Error 523 occurs when Cloudflare cannot contact your origin web server. This typically occurs when a network device between Cloudflare and the origin web server doesn’t have a route to the origin’s IP address.

Resolution

Contact your hosting provider to exclude the following common causes at your origin web server:

  • Confirm the correct origin IP address is listed for A or AAAA records within your Cloudflare DNS app.
  • Troubleshoot Internet routing issues between your origin and Cloudflare, or with the origin itself.

If none of the above leads to a resolution, request the following information from your hosting provider or site administrator:

  • An MTR or traceroute from your origin web server to a Cloudflare IP address that most commonly connected to your origin web server before the issue occurred. Identify a connecting Cloudflare IP from the logs of the origin web server.
  • If you use Railgun (deprecated) via a Cloudflare Hosting Partner, contact your hosting provider to troubleshoot the 523 errors.
  • If you manage your Railgun (deprecated) installation, provide the following:
    • traceroute to your origin web server from your Railgun server.
    • The most recent syslog file from your Railgun server.

Error 524: a timeout occurred

Error 524 indicates that Cloudflare successfully connected to the origin web server, but the origin did not provide an HTTP response before the default 100 second connection timed out. This can happen if the origin server is taking too long because it has too much work to do — e.g. a large data query, or because the server is struggling for resources and cannot return any data in time.

Resolution

Here are the options we’d suggest to work around this issue:

  • Implement status polling of large HTTP processes to avoid hitting this error.
  • Contact your hosting provider to exclude the following common causes at your origin web server:
    • A long-running process on the origin web server.
    • An overloaded origin web server.
  • Enterprise customers can increase the 524 timeout up to 6000 seconds using the proxy_read_timeout API endpoint.
  • If you regularly run HTTP requests that take over 100 seconds to complete (for example large data exports), move those processes behind a subdomain not proxied (grey clouded) in the Cloudflare DNS app.
  • If error 524 occurs for a domain using Cloudflare Railgun (deprecated), ensure the lan.timeout is set higher than the default of 30 seconds and restart the railgun service.

Error 525: SSL handshake failed

525 errors indicate that the SSL handshake between Cloudflare and the origin web server failed. Error 525 occurs when these two conditions are true:

  1. The SSL handshake fails between Cloudflare and the origin web server, and
  2. Full or Full (Strict) SSL is set in the Overview tab of your Cloudflare SSL/TLS app.

Resolution

Contact your hosting provider to exclude the following common causes at your origin web server:

  • No valid SSL certificate installed
  • Port 443 (or other custom secure port) is not open
  • No SNI support
  • The cipher suites presented by Cloudflare to the origin do not match the cipher suites supported by the origin web server

Additional checks

  • Check if you have a certificate installed on your origin server. You can check this article for more details on how to run some tests. In case you don’t have any certificate, you can create and install our free Cloudflare origin CA certificate. Using Origin CA certificates allows you to encrypt traffic between Cloudflare and your origin web server.
  • Review the cipher suites your server is using to ensure they match what is supported by Cloudflare.
  • Check your server’s error logs from the timestamps you see 525s to ensure there are errors that could be causing the connection to be reset during the SSL handshake.

Error 526: invalid SSL certificate

Error 526 occurs when these two conditions are true:

  1. Cloudflare cannot validate the SSL certificate at your origin web server, and
  2. Full SSL (Strict) is set in the Overview tab of your Cloudflare SSL/TLS app.

Resolution

Request your server administrator or hosting provider to review the origin web server’s SSL certificates and verify that:

  • Certificate is not expired
  • Certificate is not revoked
  • Certificate is signed by a Certificate Authority (not self-signed)
  • The requested or target domain name and hostname are in the certificate’s Common Name or Subject Alternative Name
  • Your origin web server accepts connections over SSL port 443
  • Temporarily pause Cloudflare and visit https://www.sslshopper.com/ssl-checker.html#hostname=www.example.com (replace www.example.com with your hostname and domain) to verify no issues exist with the origin SSL certificate:

Screen showing an SSL certificate with no errors.

If the origin server uses a self-signed certificate, configure the domain to use Full SSL instead of Full SSL (Strict). Refer to recommended SSL settings for your origin.


527 Error: Railgun Listener to origin error

A 527 error indicates an interrupted connection between Cloudflare and your origin’s Railgun server (rg-listener). Common causes include:

  • Firewall interference
  • Network incidents or packet loss between the Railgun server and Cloudflare

Common causes of 527 errors include:

  • Connection timeouts
  • LAN timeout exceeded
  • Connection refusals
  • TLS/SSL related errors

If contacting Cloudflare support, provide the following information from the Railgun Listener:

  • The full content of the railgun.conf file
  • The full content of the railgun-nat.conf file
  • Railgun log files that detail the observed errors

Connection timeouts

The following Railgun log errors indicate a connection failure between the Railgun Listener and your origin web server:

connection failed 0.0.0.0:443/example.com: dial tcp 0.0.0.0:443: i/o timeout

no response from origin (timeout) 0.0.0.0:80/example.com

Resolution

Contact your hosting provider for assistance to test for connectivity issues between your origin web server and your Railgun Listener. For example, a netcat command tests connectivity when run from the Railgun Listener to the origin web server’s SERVERIP and PORT (80 for HTTP or 443 for HTTPS):

LAN timeout exceeded

The following Railgun Listener log error is generated if the origin web server does not send an HTTP response to the Railgun Listener within the 30 second default timeout:

connection failed 0.0.0.0:443/example.com: dial tcp 0.0.0.0:443: i/o timeout

The time is adjusted by the lan.timeout parameter of the railgun.conf file.

Resolution

Either increase the lan.timeout limit in railgun.conf, or review the web server configuration. Contact your hosting provider to confirm if the origin web server is overloaded.

Connection refusals

The following errors appear in the Railgun logs when requests from the Railgun Listener are refused:

Error getting page: dial tcp 0.0.0.0:80:connection refused

Resolution

Allow the IP of your Railgun Listener at your origin web server’s firewall.

TLS/SSL related errors

The following errors appear in the Railgun logs if TLS connections fail:

connection failed 0.0.0.0:443/example.com: remote error: handshake failure

connection failed 0.0.0.0:443/example.com: dial tcp 0.0.0.0:443:connection refused

connection failed 127.0.0.1:443/www.example.com: x509: certificate is valid for example.com, not www.example.com

Resolution

If TLS/SSL errors occur, check the following on the origin web server and ensure that:

  • Port 443 is open
  • An SSL certificate is presented by the origin web server
  • The SAN or Common Name of the origin web server’s SSL certificate contains the requested or target hostname
  • SSL is set to Full or Full (Strict) in the Overview tab of the Cloudflare SSL/TLS app
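The Railgun log messages quoted in the 527 sections above map onto a small number of failure classes. The following added example (not Cloudflare's code) sorts log lines into those classes and prints the matching resolution; the function names, class labels and hint wording are constructed here, and the sample lines are the ones quoted on this page.

```shell
#!/bin/sh
# Added example: triage Railgun Listener log lines into the failure classes
# described above. Function names and class labels are constructed here.

classify_railgun_line() {
    case $1 in
        *"x509: certificate is valid for"*) echo tls-name-mismatch ;;
        *"handshake failure"*)              echo tls-handshake ;;
        *"connection refused"*)             echo refused ;;
        *"i/o timeout"*|*"no response from origin (timeout)"*) echo timeout ;;
        *)                                  echo unclassified ;;
    esac
}

# Resolution hints paraphrased from the sections above.
advice_for() {
    case $1 in
        timeout)           echo "test listener-to-origin connectivity; review lan.timeout and origin load" ;;
        refused)           echo "allow the Railgun Listener IP at the origin firewall; confirm the port is open" ;;
        tls-handshake)     echo "confirm the origin presents a certificate on port 443" ;;
        tls-name-mismatch) echo "certificate SAN or Common Name must contain the requested hostname" ;;
        *)                 echo "no rule; read the line manually" ;;
    esac
}

# Read log lines on stdin; print "<count> <class>: <advice>" per class seen.
triage_railgun_log() {
    while IFS= read -r tr_line; do
        [ -n "$tr_line" ] || continue
        classify_railgun_line "$tr_line"
    done | sort | uniq -c | while read -r tr_count tr_class; do
        echo "$tr_count $tr_class: $(advice_for "$tr_class")"
    done
}

# Sample lines: the error messages quoted on this page
SAMPLE_LOG='connection failed 0.0.0.0:443/example.com: dial tcp 0.0.0.0:443: i/o timeout
no response from origin (timeout) 0.0.0.0:80/example.com
Error getting page: dial tcp 0.0.0.0:80:connection refused
connection failed 0.0.0.0:443/example.com: remote error: handshake failure
connection failed 0.0.0.0:443/example.com: dial tcp 0.0.0.0:443:connection refused
connection failed 127.0.0.1:443/www.example.com: x509: certificate is valid for example.com, not www.example.com'

printf '%s\n' "$SAMPLE_LOG" | triage_railgun_log
```

A connection timeout and an exceeded lan.timeout produce the same i/o timeout line, so the timeout class covers both and the hint lists both checks.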

Error 530

HTTP error 530 is returned with an accompanying 1XXX error displayed. Search for the specific 1XXX error for troubleshooting information.

Enabling Load Balancing in China will cause a 530 error.



Introduction

The error message «Error 521: Web server is down» indicates an issue with the server. That is Cloudflare’s error message when the origin server does not respond to Cloudflare’s request.

This guide explains common causes and provides methods to troubleshoot and resolve error 521.


Prerequisites:

  • Access to the Cloudflare account associated with the domain affected by the error.
  • Origin web server access.

When a user wants to visit a website that uses Cloudflare’s content delivery network (CDN), the following happens:

  1. The web browser attempts to connect to Cloudflare, and
  2. Cloudflare tries to connect to the origin web server to display the content.

Error 521 occurs when Cloudflare is unable to connect to the website’s origin server.


What Causes Error 521?

The following issues cause Error 521: Web server is down:

  • Origin web server is offline. The server is either offline or there is an issue with Apache or Nginx.
  • Blocked/blacklisted Cloudflare IP addresses. All connection requests come via Cloudflare’s IPs. The origin server might have a server-side security configuration that blocks an IP address if it sends too many requests.
  • Configuration issues with the origin web server. Servers must be specifically configured to work with a CDN. Error 521 might be due to a misconfigured server.
  • Dropped packets due to Apache modules for Slowloris Denial of Service prevention. Security modules for Apache may block requests coming from Cloudflare if not configured properly.

How to Troubleshoot and Fix Error 521

Follow the steps below to troubleshoot and resolve error 521.

1. Check the Origin Server

To troubleshoot Cloudflare’s error 521, first check whether the origin server is online. This can be done by checking the server’s HTTP status code. 

There are several ways to check the HTTP status of a website, outlined below. 

Check HTTP Status Using cURL

Open the command prompt as an administrator (or terminal if you are using Mac or Linux), and run the curl command: 

curl --silent --output /dev/null --write-out "%{http_code}" https://example.site 

The additional curl command options do the following:

  • --silent — Hides the progress bar (does not print the process of fetching the information).
  • --output — Writes the response body to the given file instead of printing it to the terminal.
  • /dev/null — The file passed to --output; discards the entire HTML body.
  • --write-out "%{http_code}" — Prints the HTTP status code of the response.

The output returns HTTP status code 200 if the server is up and running. A 5xx HTTP status code (for example, 500 – internal server error) indicates an issue with the origin server. 


Check HTTP Status via Online HTTP Header Checker 

Open any online HTTP header checker and paste the website’s URL or IP address into the designated field. 

The HTTP 200 status code in the result indicates the server is up and running.

Review Origin Server Error Logs 

If the output returns a 5xx HTTP status code (server-side errors), review the server’s error log to try and identify the root cause of the issue.

Server error logs can be accessed:

  • Using a graphical user interface (for servers managed with a server management application)
  • Via the terminal.

If you are using the terminal to access Apache server error logs, the following are the default locations on different systems:

  • FreeBSD – /var/log/httpd-error.log
  • Debian and Ubuntu – /var/log/apache2/error.log
  • RHEL, Red Hat, CentOS, and Fedora – /var/log/httpd/error_log

Nginx error logs on the most popular Linux distributions, such as Ubuntu, Debian and CentOS, are located in /var/log/nginx.

Note: The user accessing the log must have write access to the error log directory.

If web server error logs are inaccessible to you, contact your hosting provider. 

2. Whitelist Cloudflare IP Addresses and Ports

Cloudflare is the mediator between a private firewall and origin server. Every connection attempt made to a web page is processed by Cloudflare and directed to the origin server via a set of IP addresses and through specific network ports. 

For Cloudflare to work properly, it must be able to communicate with the origin server without any interference. Error 521 will occur if the connection between Cloudflare and the origin server is interfered with by any of the following:

  • IP deny rules specified in .htaccess.
  • Firewall rules that restrict communication with Cloudflare.
  • Disabled ports through which Cloudflare communicates with the origin server.
  • Rate limiting and other types of server-side restrictions.

These issues can be resolved by:

  • Checking .htaccess and firewall rules.
  • Whitelisting Cloudflare IPs.
  • Enabling the right ports.

Important: Some hosting providers whitelist Cloudflare IPs by default. Consult your hosting provider before troubleshooting.

Whitelist IP Addresses via .htaccess

To whitelist Cloudflare’s IP addresses in the .htaccess file, add all the addresses in the line starting with allow from all and separate individual IP addresses with spaces. 


Whitelist IP Addresses via Firewall

The process of whitelisting IP addresses will vary from one firewall to another. As an example, this guide focuses on updating iptables rules. For other popular firewalls, refer to our articles on How to Use firewalld on CentOS 7 and How to Set Up UFW on Ubuntu.

To allow incoming connections from Cloudflare’s IP addresses in iptables: 

  1. Open the Linux terminal.
  2. Connect to the server via SSH.
  3. Run the following command for every Cloudflare IP address (replace the example IP address with Cloudflare’s): 
sudo iptables -A INPUT -p tcp -s 192.168.0.1 --dport 443 -j ACCEPT 

Note: You can pass multiple IP addresses after the -s option. Just make sure to separate the individual IP addresses with commas.

This will add a new rule to the iptables rule chain that allows incoming connections from the specified IP address. The parameters used in the syntax are: 

  • -A — Adds rule to the rule chain.
  • INPUT — Specifies that the rule refers to all incoming connections.
  • -s — Specifies the source of traffic.
  • -j ACCEPT — Specifies what action should be taken with the data packets (accept).
  • --dport 443 — Specifies the destination port number of a protocol — where to direct the packets. Open port 443 for connections on encrypted networks.

Note: When Full (Strict) protection (SSL/TLS mode) is active, Cloudflare proxies all traffic to port 443 – the port used for secure connections over encrypted networks.

Optional parameters include:

  • -i — Specifies the network interface whose traffic the filter applies to.
  • -p — Specifies the network protocol of the traffic the rule applies to (TCP, UDP, SCTP, UDP-lite, ICMPv6, etc.) 

Note: The parameters must always be written in the following order: -A, -i, -p, -s, --dport, -j.
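Running the command once per address is easy to get wrong by hand, so the following added example (not from the original guide) extends it to a whole list: it validates each entry and prints one idempotent allow rule per range for review before anything is run as root. The function name and the sample ranges are constructed; real ranges should be taken from Cloudflare's published lists.

```shell
#!/bin/sh
# Added example: turn a list of proxy ranges into idempotent allow rules.
# Function name and sample ranges are constructed; real ranges must come from
# Cloudflare's published lists (https://www.cloudflare.com/ips-v4 and ips-v6).

V4='^((25[0-5]|2[0-4][0-9]|1?[0-9]?[0-9])\.){3}(25[0-5]|2[0-4][0-9]|1?[0-9]?[0-9])(/([0-9]|[12][0-9]|3[0-2]))?$'
# Loose shape check only; ip6tables itself rejects malformed addresses.
V6='^[0-9A-Fa-f:]*:[0-9A-Fa-f:]*(/([0-9]|[1-9][0-9]|1[01][0-9]|12[0-8]))?$'

# cf_allow_rules PORT < ranges  -> prints one command line per valid range
cf_allow_rules() {
    ar_port=$1
    while IFS= read -r ar_line; do
        ar_cidr=${ar_line%%#*}                            # drop comments
        ar_cidr=$(printf '%s' "$ar_cidr" | tr -d ' \t\r') # drop whitespace
        [ -n "$ar_cidr" ] || continue
        if printf '%s\n' "$ar_cidr" | grep -Eq "$V4"; then
            ar_tool=iptables
        elif printf '%s\n' "$ar_cidr" | grep -Eq "$V6"; then
            ar_tool=ip6tables
        else
            # Anything else is refused rather than pasted into a root command.
            echo "skipped invalid entry: $ar_cidr" >&2
            continue
        fi
        ar_rule="INPUT -p tcp -s $ar_cidr --dport $ar_port -j ACCEPT"
        # -C tests whether the rule exists, so re-running adds no duplicates.
        # -p tcp is required: --dport is only valid together with a protocol.
        echo "$ar_tool -C $ar_rule 2>/dev/null || $ar_tool -A $ar_rule"
    done
}

# Constructed sample input (documentation ranges, not Cloudflare's)
SAMPLE_RANGES='# proxy ranges
192.0.2.0/24
198.51.100.0/24   # second range
2001:db8::/32
198.51.100.0/33
cloudflare.example
'

printf '%s' "$SAMPLE_RANGES" | cf_allow_rules 443
```

The output is a dry run: review the printed lines, then run them with sudo on the origin server.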

If whitelisting Cloudflare’s IP addresses does not fix error 521, contact your hosting provider to check whether the issue is on their side. 

3. Confirm That an SSL Certificate Is Installed

If Cloudflare IPs are whitelisted and access to port 443 is enabled, but error 521 persists, the issue may lie in your website’s security certificate. 

Cloudflare requires a valid security certificate – the Cloudflare Origin Certificate or a certificate from any publicly trusted authority. A missing (or expired) SSL certificate will cause error 521 or 526 to appear. 

Whether you have an SSL certificate or want to create one using Cloudflare, you will have to go through the process of creating an Origin CA security certificate:

  1. Log in to Cloudflare.
  2. Choose the domain you want to install the certificate on.
  3. Navigate to SSL/TLS > Origin Server.
  4. Click Create Certificate.
  5. Choose whether you want to:
    1. Generate a Cloudflare certificate (Generate private key and CSR with Cloudflare)
    2. Use an existing third-party certificate (Use my private key and CSR)
  6. Specify the hostnames the certificate should apply to (root zone and first-level wildcard hostname are included by default)
  7. Specify the expiration date of the certificate
  8. Click Next
  9. Choose the key format:
    1. PEM, DER — for servers using OpenSSL (Apache and NGINX)
    2. PKCS#7 (.p7b) — for servers using Windows and Apache Tomcat
  10. Save the origin certificate and private key into separate files 
  11. Click OK

You now have an Origin CA security certificate that must be added to the origin server. To do this:

  1. Upload the certificate to your origin web server
  2. Update your web server configuration
  3. Enable SSL and port 443

Some origin web servers will also require a Cloudflare Origin CA root certificate to be uploaded. The RSA and ECC versions of the certificate can be found in Cloudflare’s documentation.

Note: According to Cloudflare, the ECC version should not be used with Apache cPanel.

4. Check mod_security

If the mod_security Apache module acts as the origin server’s firewall, its core rules could be blocking Cloudflare requests, causing error 521 to appear. 

If you are using mod_security, ensure that the latest version is being used and that none of the rules are blocking Cloudflare’s IP addresses. 

5. Disable mod_antiloris and mod_reqtimeout

mod_antiloris and mod_reqtimeout are Apache HTTP server modules designed to prevent Slowloris Denial-of-Service (DoS) attacks by limiting the number of connections from unique IP addresses within a specified time frame. 

Cloudflare is a reverse proxy, meaning it processes requests and directs them to the origin server. This is completed over a limited range of IP addresses. With mod_antiloris and mod_reqtimeout set up, once a Cloudflare IP address exceeds the connection limit, every following connection attempt from that address results in dropped packets. 

To resolve the issue, disable and unload the modules so Cloudflare can work uninterrupted. 

6. Check Railgun Configuration

Railgun is a WAN optimization protocol developed by Cloudflare to increase connection speed.  

Improper Railgun configuration causes error 521 to appear, accompanied by the «railgun.wan_error connection failed» error message. 

To resolve the issue, disable Railgun so the website can be accessed and review the configuration. If you require assistance, reach out to Cloudflare Support. 

7. Contact Cloudflare Support 

If the troubleshooting methods did not help to locate the issue, contact Cloudflare Support. A representative will guide you through gathering the required information and further troubleshooting. 

Conclusion

You now know what causes the «Error 521: Web server is down» error message and how to troubleshoot and fix it.

Use the information provided in this guide to fix error 521 and prevent it from happening in the future.

Error 521 is only one of numerous error messages that can appear when visiting a website that uses Cloudflare’s CDN. Another common error code is 520: Web Server is Returning an Unknown Error. Check out our guide that explains what error 520 means and how to fix it.
