Cloudflare Error 521: Web Server Is Down
Cloudflare cannot establish a TCP connection with your origin server.
The Cloudflare 521 "Web Server Is Down" error indicates that Cloudflare attempted to establish a TCP connection with your origin server, but the connection was actively refused. Unlike other Cloudflare errors, the 521 means your web server is either stopped or inaccessible from Cloudflare datacenters.
This error is one of the most common encountered by sites using Cloudflare as a CDN or reverse proxy. It differs from 522 (timeout) because here the connection is refused immediately rather than timing out. Understanding this difference is crucial for effective diagnosis.
In this comprehensive guide, we will explore the main causes of error 521, advanced diagnostic methods, and proven solutions to quickly restore your service. Proactive monitoring of your infrastructure allows you to detect these issues before your users are affected.
Main causes of error 521
Error 521 occurs when Cloudflare cannot establish a TCP connection with your server. Here are the most common causes:
- Web server stopped: Apache, Nginx, or your web server is no longer running. A crash, manual restart, or update may have stopped the service without you noticing.
- Firewall blocking Cloudflare: Your firewall (iptables, UFW, CSF, or cloud firewall) is blocking Cloudflare IP ranges. These IPs must be explicitly allowed since all traffic passes through them.
- Ports closed or misconfigured: Ports 80 (HTTP) and 443 (HTTPS) are not open or not listening. A misconfigured virtual host or server block can cause this issue.
- Server overload: When the server reaches its simultaneous connection limits, it refuses new connections. This may appear as an intermittent 521.
How to diagnose error 521
A methodical diagnosis allows you to quickly identify the source of the problem:
- Check web server status: Connect via SSH and run "systemctl status nginx" (or apache2). Verify the service is active and shows no errors in the status.
- Test local connectivity: From the server itself, test with "curl -I http://localhost" to verify the server responds locally.
- Check listening ports: Use "netstat -tlpn | grep -E '80|443'" or "ss -tlpn" to confirm your server is listening on the required ports.
- Analyze logs: Examine /var/log/nginx/error.log or /var/log/apache2/error.log to identify configuration errors or resource issues.
Solutions to fix error 521
Once the cause is identified, apply the appropriate solution:
- Restart web server: Run "systemctl restart nginx" or "systemctl restart apache2". Then check the status to confirm the service starts without errors.
- Allow Cloudflare IPs: Check cloudflare.com/ips and add all IP ranges to your firewall. For UFW: "ufw allow from 173.245.48.0/20 to any port 443".
- Check port configuration: Ensure your virtual hosts are listening on the correct ports. In Nginx, verify the "listen 80" and "listen 443 ssl" directives in your server blocks.
- Increase connection limits: If the problem is overload, increase worker_connections in Nginx or MaxRequestWorkers in Apache, and check system limits (ulimit).
Automatic verification script
This bash script checks critical points for quick 521 error diagnosis:
#!/bin/bash
# Cloudflare 521 Diagnostic
echo "=== Web server check ==="
systemctl is-active --quiet nginx && echo "Nginx: OK" || echo "Nginx: STOPPED"
systemctl is-active --quiet apache2 && echo "Apache: OK" || echo "Apache: STOPPED"
echo -e "\n=== Listening ports ==="
# Anchor the port number so :8080 or :4430 are not reported as hits
ss -tlpn | grep -E ':(80|443)[[:space:]]' || echo "Nothing listening on 80/443"
echo -e "\n=== Local connectivity test ==="
# Print only the HTTP status line; fall back to a message if nothing answers
curl -sI --max-time 5 http://localhost | head -n 1 | grep . || echo "No HTTP response from localhost"
echo -e "\n=== Cloudflare IPs in iptables ==="
# Spot check for one well-known Cloudflare range; grep -q exits 0 on a match
# (grep -c would print "0" ahead of the NOT FOUND message)
iptables -L -n | grep -q "173.245.48" && echo "Cloudflare IPs: Found" || echo "Cloudflare IPs: NOT FOUND"
echo -e "\n=== Recent web errors ==="
tail -n 5 /var/log/nginx/error.log 2>/dev/null || tail -n 5 /var/log/apache2/error.log
This script checks service status, listening ports, local connectivity, and firewall rules for Cloudflare. Run it with "sudo bash diagnostic.sh" for a quick overview of the situation.
Preventing 521 errors
Implement these best practices to avoid 521 errors:
- Proactive monitoring: Use MoniTao to monitor your site through Cloudflare. You will be alerted as soon as a 521 error appears, before your users notice.
- Automate firewall updates: Create a cron job that automatically updates the Cloudflare IP ranges in your firewall. Cloudflare publishes these ranges, and they change occasionally.
- Configure automatic restarts: Use systemd to configure automatic restart of your web server in case of crash: "Restart=always" in the service file.
- Monitor server resources: Monitor CPU, RAM, and connection count. Early warning on overload allows intervention before the server refuses connections.
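The cron-driven firewall refresh described above, written out as an added example (not code from the article or from MoniTao). It assumes UFW as the firewall, an origin serving TCP 80 and 443, and Cloudflare's plain-text range lists at https://www.cloudflare.com/ips-v4 and /ips-v6; the rule comment tag and the "apply" argument are this example's own conventions.

```shell
#!/bin/sh
# Added example, not from the original article: the cron job from the
# prevention section, refreshing the UFW allow-list for Cloudflare's ranges.
# Assumes UFW, an origin on TCP 80/443, and the plain-text lists at
# https://www.cloudflare.com/ips-v4 and /ips-v6 (one CIDR per line).
set -eu
CF_URLS="https://www.cloudflare.com/ips-v4 https://www.cloudflare.com/ips-v6"
RULE_TAG="cloudflare-edge"   # comment stamped on every rule this script manages

# Accept only IPv4/IPv6 CIDR notation so a malformed or tampered download
# never reaches the ufw command line.
valid_cidr() {
  printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$' && return 0
  printf '%s\n' "$1" | grep -Eq '^[0-9A-Fa-f:]+/([0-9]|[1-9][0-9]|1[01][0-9]|12[0-8])$' && return 0
  return 1
}

# Read CIDRs from stdin and print one ufw command per valid entry.
gen_ufw_rules() {
  while IFS= read -r line || [ -n "$line" ]; do
    cidr=$(printf '%s' "${line%%#*}" | tr -d ' \t\r')
    [ -z "$cidr" ] && continue
    if ! valid_cidr "$cidr"; then
      echo "skipping malformed entry: $cidr" >&2
      continue
    fi
    echo "ufw allow from $cidr to any port 80,443 proto tcp comment '$RULE_TAG'"
  done
}

# Delete last run's rules, highest number first so the numbering of the
# remaining rules does not shift underneath us.
purge_old_rules() {
  ufw status numbered | grep -F "# $RULE_TAG" \
    | sed -E 's/^\[ *([0-9]+)\].*/\1/' | sort -rn \
    | while IFS= read -r num; do ufw --force delete "$num"; done
}

refresh() {
  tmp=$(mktemp)
  for url in $CF_URLS; do
    curl -fsS --max-time 20 "$url" >>"$tmp"
    printf '\n' >>"$tmp"
  done
  purge_old_rules
  gen_ufw_rules <"$tmp" | sh -e   # rules only allow; keep your default deny policy
  rm -f "$tmp"
}

if [ "${1:-}" = "apply" ]; then refresh; fi
```

Run it with the "apply" argument from cron (for example "0 3 * * * /usr/local/sbin/cf-ufw-refresh.sh apply"); to review the rules before applying them, pipe the downloaded lists into gen_ufw_rules and read the output.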
521 verification checklist
- Web server started and functional (systemctl status)
- All Cloudflare IP ranges allowed in firewall
- Ports 80 and 443 listening and accessible
- Valid SSL configuration for port 443
- Sufficient connection limits
- Monitoring in place for early detection
Frequently asked questions about error 521
What is the difference between Cloudflare error 521 and 522?
Error 521 means the connection is immediately refused (server down or blocked), while 522 indicates the connection was established but timed out (timeout). 521 is generally easier to diagnose as it points to a service availability problem.
How to allow Cloudflare IPs in UFW?
Download the IP list from cloudflare.com/ips and create rules for each range. Example: "ufw allow from 173.245.48.0/20 to any port 80,443 proto tcp". Automate this update with a cron script.
Why does 521 appear intermittently?
An intermittent 521 is often caused by server overload temporarily refusing connections, or by an automatic web server restart process. Check logs and server load at the time of errors.
My server works but I still get error 521. What to do?
Check your firewall first. Even if the server responds locally, if Cloudflare IPs are blocked, you will get a 521. Also test with "curl --resolve" from a non-Cloudflare external IP.
Can Cloudflare Development mode cause 521s?
No, Development mode does not affect connectivity. It simply disables caching. If you have 521s, the problem is at the origin server level, not Cloudflare.
How to effectively monitor behind Cloudflare?
Use an external monitoring service like MoniTao that tests your site like a normal visitor, through Cloudflare. This detects 521, 522, 523, 524 errors and all availability issues visible to your users.
Conclusion
Cloudflare error 521 is generally simple to resolve once the cause is identified. In most cases, it is a stopped web server or misconfigured firewall. A methodical diagnosis checking service status, ports, and firewall rules allows you to restore service quickly.
Prevention remains the best strategy: proactive monitoring with MoniTao alerts you immediately in case of a 521 error, allowing you to intervene before the impact on your users becomes significant. Combined with automation scripts for firewall updates and service restarts, you can maintain high availability of your infrastructure behind Cloudflare.