Cloudflare Error 522: Connection Timed Out

The TCP connection to the origin server timed out before receiving a response.

The Cloudflare 522 "Connection Timed Out" error occurs when Cloudflare successfully establishes a TCP connection with your origin server, but this connection times out before the server responds. Unlike error 521 where the connection is immediately refused, 522 indicates your server is reachable but too slow to respond.

This error is particularly frustrating because it can be intermittent and difficult to reproduce. It typically occurs during peak load, when the server is overloaded, or in case of network issues between Cloudflare and your infrastructure. Cloudflare's default timeout is 100 seconds for establishing a connection.

In this in-depth guide, we analyze the technical causes of 522, advanced diagnostic methods to identify the source of the problem, and optimizations to apply to ensure acceptable response times. Continuous monitoring is essential to detect these slowdowns before they become errors.

Main causes of error 522

Connection timeout can have several origins, often related to performance or network:

  • Server overload: When CPU or RAM reach their limits, the server becomes unable to process new requests within the allotted time. Saturated PHP processes or Nginx workers cause queues that lead to timeout.
  • Network issues: Network latency between your server and Cloudflare datacenters, BGP routing issues, or congestion on your host's network can extend response times beyond the timeout.
  • Firewall in DROP mode: A firewall configured to "drop" packets instead of "reject" causes timeouts. The Cloudflare server waits for a response that never comes, instead of receiving an immediate refusal.
  • Incorrect keep-alive configuration: If keepalive_timeout is too short or keep-alive is disabled, persistent connections close prematurely, forcing new TCP connections that take time.

How to diagnose error 522

A systematic diagnosis identifies whether the problem comes from the server, network, or configuration:

  • Analyze server load: Use "htop" or "top" to check CPU and RAM at the time of errors. Check "cat /proc/loadavg" to see average load. A load higher than the number of CPUs indicates saturation.
  • Check active connections: Run "ss -s" to see the number of TCP connections. Too many connections in TIME_WAIT or ESTABLISHED may indicate a leak or poor connection management.
  • Test response times: From the server, measure response time with "time curl -o /dev/null -s http://localhost". A time greater than a few seconds locally indicates an application problem.
  • Examine web logs: Look for slow requests in access logs. Enable response time logging in Nginx with $request_time and $upstream_response_time to identify bottlenecks.

Solutions to fix error 522

Solutions depend on the cause identified during diagnosis:

  • Optimize server performance: Increase worker_processes and worker_connections in Nginx. For PHP-FPM, adjust pm.max_children based on available RAM. Enable PHP opcache to reduce compilation time.
  • Configure keep-alive correctly: In Nginx, set keepalive_timeout between 60 and 75 seconds, and keepalive_requests to 100 or more. These settings keep connections open and reduce TCP overhead.
  • Adjust firewall rules: Replace DROP rules with REJECT for non-Cloudflare IPs. For Cloudflare IPs, ensure they are accepted without overly restrictive rate limiting.
  • Increase system limits: Modify /etc/sysctl.conf to increase net.core.somaxconn and net.ipv4.tcp_max_syn_backlog. Also increase ulimit limits for open files.

Optimized Nginx configuration for Cloudflare

This Nginx configuration optimizes critical settings to avoid 522 timeouts:

# /etc/nginx/nginx.conf - Optimizations for Cloudflare 522

worker_processes auto;
worker_rlimit_nofile 65535;

events {
    worker_connections 4096;
    multi_accept on;
    use epoll;
}

http {
    # Keepalive for persistent connections
    keepalive_timeout 75;
    keepalive_requests 1000;

    # Generous timeouts
    client_body_timeout 60;
    client_header_timeout 60;
    send_timeout 60;

    # Optimized buffers
    client_body_buffer_size 128k;
    client_header_buffer_size 4k;

    # Upstream connections (PHP-FPM)
    upstream php {
        server unix:/run/php/php-fpm.sock;
        keepalive 32;
    }

    # FastCGI timeouts
    fastcgi_connect_timeout 60;
    fastcgi_send_timeout 180;
    fastcgi_read_timeout 180;
}

This configuration increases simultaneous connections, enables persistent connections with timeouts adapted to Cloudflare, and optimizes communications with PHP-FPM. Adjust values according to your server resources.

Preventing 522 errors

Prevention involves continuous monitoring and properly sized infrastructure:

  • Response time monitoring: Use MoniTao to track your site's response time. A gradual increase often indicates a performance problem before it causes 522s.
  • Auto-scaling or load balancing: Configure a load balancer in front of multiple servers or enable cloud auto-scaling to handle load peaks without timeout.
  • Aggressive caching: Maximize Cloudflare cache usage with appropriate Page Rules. Also enable application caching (Redis, Memcached) to reduce server load.
  • Slow query optimization: Identify and optimize slow SQL queries with EXPLAIN. Add appropriate indexes and avoid N+1 queries that multiply database access.

522 verification checklist

  • CPU and RAM load under 80% in normal conditions
  • keepalive_timeout configured between 60 and 75 seconds
  • worker_connections sufficient for traffic
  • Firewall in REJECT mode, not DROP
  • Local response time under 2 seconds
  • Active response time monitoring

Frequently asked questions about error 522

What is the difference between Cloudflare errors 521 and 522?

Error 521 indicates the connection is immediately refused (server down or port closed). Error 522 means the TCP connection is established but times out before getting a response (server too slow). 521 is an availability problem, 522 is a performance problem.

What is Cloudflare's default timeout?

Cloudflare waits 100 seconds to establish a TCP connection and receive an HTTP response. This delay cannot be modified on free plans. Enterprise plans allow adjusting these timeouts.

522 only appears under load. What to do?

This is typical of an undersized server. Optimize your configuration (PHP-FPM, Nginx workers), add caching, or increase server resources. Consider a load balancer to distribute the load.

How to know if the problem is network-related?

Test with MTR from your server to Cloudflare IPs (173.245.48.0/20). Packet loss or high latency indicates a network issue. Contact your host if the problem persists.

Can 522 errors be caused by a misconfigured CDN?

Yes, if you have another CDN or proxy in front of your server in addition to Cloudflare, timeouts can compound. Ensure each layer has compatible timeouts and connections are properly routed.

How to monitor effectively to prevent 522s?

Use MoniTao to monitor your site through Cloudflare with frequent checks. Configure alerts on response time (e.g., alert if > 5 seconds) to detect slowdowns before they cause timeouts.

Conclusion

Cloudflare error 522 is a signal that your origin server is struggling to respond in time. Whether it's overload, suboptimal configuration, or network issues, solutions exist and generally involve optimizing your infrastructure and server configuration.

The key to avoiding 522 errors is proactive monitoring combined with properly sized infrastructure. MoniTao allows you to continuously track response times and receive alerts at the first signs of slowdown, well before your users see timeout errors.

Useful Links

Ready to Sleep Soundly?

Start free, no credit card required.

Create My Account See pricing