SYSTEMS OPERATIONAL
Troubleshooting

Cloudflare 521, 522 & 525 Errors: Causes and the Fix

Getwebup 6 min read

Your site is up when you check it directly on the server IP, but through Cloudflare it throws a wall of orange - "Error 521: Web server is down" or "Error 522: Connection timed out." That's not Cloudflare being down. It means Cloudflare's edge can't reach your origin server, and each error code tells you a different reason why.

Why This Is Confusing

These errors come from Cloudflare, not your hosting server, so your usual logs - Apache/Nginx error log, PHP error log - often show nothing at all. The request never made it to your server in the first place. You have to read the Cloudflare error code itself as the diagnostic.

The Error Codes and What They Actually Mean

CodeMeaningMost common cause
520Origin returned an empty or invalid responseServer crash, WAF/mod_security block, corrupted response
521Web server is downWeb server service stopped, or firewall blocking Cloudflare IPs
522Connection timed outPort 80/443 closed, server overloaded, routing issue
523Origin is unreachableDNS at Cloudflare points to a wrong or dead IP
525SSL handshake failedNo valid SSL cert on origin, or cipher mismatch
526Invalid SSL certificateSelf-signed/expired cert with "Full (strict)" SSL mode

Error 521: Web Server Is Down

Symptom

Visitors get the 521 page. Loading the origin IP directly (bypassing Cloudflare) also fails, or your firewall is blocking Cloudflare's IP ranges specifically.

Cause

Either the web server process isn't running, or a firewall (UFW, iptables, CSF in WHM) is rejecting connections from Cloudflare's edge network on port 80/443.

Fix

SSH into the server and confirm the service is actually running:

systemctl status nginx
systemctl status httpd   # or apache2 on Ubuntu

If it's down, start it and check journalctl -xe for the crash reason. If it's running, check whether your firewall is blocking Cloudflare's ranges. On a CSF/ConfigServer firewall:

csf -g 

If it shows as DROP, you need to allow Cloudflare's published IP ranges (listed at cloudflare.com/ips) in your firewall, or better, install the Cloudflare CSF plugin so the list stays current automatically. On a plain iptables/UFW VPS, add explicit allow rules for those ranges before your deny-all rule.

Error 522: Connection Timed Out

Symptom

The page hangs for several seconds before showing 522. It may come and go rather than being constant.

Cause

The TCP handshake to your origin on port 80 or 443 never completes. Usually one of: the port is closed at the OS firewall level, the server is so overloaded it can't accept new connections, or there's a routing/network issue between Cloudflare and your host.

Fix

Check the ports are actually listening:

ss -tlnp | grep -E ':80|:443'

If nothing is listening on 443, that's your answer - fix the SSL vhost config. If the ports are open, check server load next:

uptime
free -h

A load average several times your CPU core count, or memory near zero with heavy swapping, means the server is too busy to answer in time. This is the same root cause covered in our VPS high-CPU troubleshooting guide - find the process eating resources and fix it there. If load looks fine, ask your provider to check for packet loss or routing issues between their network and Cloudflare's edge.

Error 523: Origin Is Unreachable

Cause

Cloudflare's DNS record for your domain is pointing at an IP address that doesn't exist or doesn't belong to your server anymore - common right after a server migration when the old IP is decommissioned.

Fix

In the Cloudflare dashboard, go to DNS and confirm the A record's IP matches your current server IP exactly:

dig +short yourdomain.com @1.1.1.1

Compare that against your actual server IP from your hosting panel. If they don't match, update the A record and give it a few minutes - Cloudflare-proxied records usually update fast since Cloudflare's own edge serves the change immediately.

Error 525: SSL Handshake Failed

Cause

Cloudflare tried to open an HTTPS connection to your origin and the handshake failed - almost always because there's no valid SSL certificate installed on the server, or your SSL mode is set to "Full" or "Full (strict)" but the origin only serves HTTP.

Fix

Test the origin's SSL directly:

openssl s_client -connect your-server-ip:443 -servername yourdomain.com

If it fails to connect or shows no certificate, install one. In cPanel, check SSL/TLS Status or run AutoSSL again - see our AutoSSL troubleshooting guide if it keeps failing. On a bare VPS behind Nginx, either issue a Let's Encrypt cert or, if you'd rather not manage renewals per-origin, switch Cloudflare's SSL mode to Flexible temporarily (Cloudflare-to-visitor is HTTPS, Cloudflare-to-origin is HTTP) while you sort out the origin cert. Flexible isn't ideal long-term since the origin leg is unencrypted, so plan to move back to Full (strict) once a real cert is in place.

How to Diagnose Which One You're Actually Hitting

  1. Note the exact error code from the Cloudflare error page - 521, 522, 523, 525, or 526 point to different layers.
  2. Bypass Cloudflare temporarily by editing your local hosts file to point the domain at the origin IP directly, and see if the site loads over plain HTTP/HTTPS on the server itself.
  3. Check the web server's own status and firewall rules over SSH, as shown above.
  4. Confirm the DNS record in Cloudflare actually matches the live server IP.

Prevention

  • Whitelist Cloudflare's IP ranges in your firewall permanently, not just after an outage - use the CSF Cloudflare plugin or a cron job that refreshes the range list monthly, since Cloudflare occasionally updates it.
  • Set SSL mode to Full (strict) only once you've confirmed a valid, non-expired cert is on the origin - test with the openssl command above before flipping the switch.
  • Monitor origin uptime independently of Cloudflare (UptimeRobot, or a simple cron + curl check) so a 522 doesn't sit unnoticed for hours.
  • After any server migration, update the Cloudflare A record before decommissioning the old server, and keep the old IP alive for at least 24-48 hours as a safety net.

Most of these errors trace back to one of three things: the firewall is blocking Cloudflare, the DNS record is stale, or the SSL setup between Cloudflare and the origin doesn't match. Work through those three in order and you'll usually find it in a few minutes.

Frequently asked questions

Does a Cloudflare error mean my hosting is down?

Not always. It means Cloudflare's edge couldn't reach your origin server. The server itself might be running fine but blocked by a firewall rule, misconfigured SSL, or a stale DNS record pointing at the wrong IP.

What's the difference between 521 and 522?

521 usually means the connection was actively refused - the web server process is down or a firewall is dropping Cloudflare's IPs. 522 means the connection attempt just timed out with no response, often due to server overload or a closed port.

Why does bypassing Cloudflare fix the error temporarily?

If your site loads fine on the raw server IP but fails through Cloudflare, the problem is specifically in the path between Cloudflare's edge and your origin - almost always a firewall or SSL mismatch, not the site itself.

Should I use Flexible SSL to avoid error 525?

Only as a short-term fix. Flexible SSL encrypts traffic between Cloudflare and the visitor but not between Cloudflare and your origin, which can trigger redirect loops on WordPress. Install a real origin certificate and switch to Full (strict) as soon as possible.

How do I know if Cloudflare's IP ranges are being blocked?

Check your firewall logs for dropped connections from IPs in Cloudflare's published ranges (cloudflare.com/ips). On CSF, run csf -g <ip> against one of the blocked addresses to confirm.

#cloudflare #521-error #522-error #525-error #origin-server #ssl

Keep reading

Chat with Support