When your Cloudflare server receives an invalid connection request so bungled that it can’t even classify the issue, it returns the annoyingly vague Error 520: Web Server Is Returning An Unknown Error.
What is Cloudflare Error 520: Web Server is Returning An Unknown Error?
Cloudflare Error 520 is a server-side diagnostic message indicating that even though a request reached the origin web server, the server received an invalid HTTP response or didn’t know how to interpret the request at all and was unable to proceed.
The most common causes for this are either a program or system task that was running out of resources and needed to be terminated, or the server was overloaded.
How To Fix Cloudflare Error 520: Web Server is Returning an Unknown Error
- Search Error Logs For Device Resets
- Restart PHP Applications On Your Origin Server
- Whitelist Your Cloudflare Origin Server IP Address
- Check Response Headers From Your Cloudflare Origin Web Server
- Lighten Your Cookie Load
- Correct Your Cloudflare Origin Server DNS Settings
- Examine Your Server Traffic
- Check For Non-HTTP Errors In Your Cloudflare Logs
1. Search Error Logs For Device Resets
If the origin web server or any of your networking equipment is updated or reset after a successful TCP handshake, headers from that connection will be out of date and the server won’t know how to handle further requests.
Typically, error 520 quickly clears on its own after the visitor refreshes the page.
This means if your users are regularly seeing the 520 error status code, it might mean that one of your devices is resetting unexpectedly.
Your Cloudflare origin web server logs can show you each instance of error 520 and different connection resets.
You can compare this data to the uptime listed in your firewall, load balancer, origin server, or other network hardware.
If this is the issue, reconfigure your device’s update or reboot schedule to coincide with your routine maintenance times.
Restart your Cloudflare origin server with this new schedule to force any existing sessions to reconnect.
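The comparison described in this step can be scripted. The following is an added example, not part of the original article: it converts each device's uptime into a last-restart time and groups the 520 entries that fall near one. The log layout, device names, uptime values and 120-second tolerance are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample data: uptime (seconds) read from each device at COLLECTED_AT.
COLLECTED_AT = datetime(2024, 5, 1, 12, 0, 0)
DEVICE_UPTIME_S = {"firewall": 7200, "load-balancer": 864000, "origin": 5400}

# Constructed origin log excerpt, one "timestamp status" pair per line.
SAMPLE_LOG = """\
2024-05-01T09:15:00 200
2024-05-01T10:00:20 520
2024-05-01T10:00:45 520
2024-05-01T10:30:10 520
2024-05-01T11:10:00 520
2024-05-01T11:40:00 200
"""


def boot_times(uptimes, collected_at):
    """Turn each device's uptime into the moment it last came up."""
    return {dev: collected_at - timedelta(seconds=s) for dev, s in uptimes.items()}


def correlate_520(log_text, uptimes, collected_at, slack_s=120):
    """Group 520 timestamps by the device that restarted within slack_s of them."""
    boots = boot_times(uptimes, collected_at)
    matched = {dev: [] for dev in boots}
    unexplained = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts_text, status = line.split()
        if status != "520":
            continue
        ts = datetime.fromisoformat(ts_text)
        devices = [d for d, b in boots.items()
                   if abs((ts - b).total_seconds()) <= slack_s]
        if devices:
            for dev in devices:
                matched[dev].append(ts_text)
        else:
            unexplained.append(ts_text)
    return matched, unexplained


if __name__ == "__main__":
    matched, unexplained = correlate_520(SAMPLE_LOG, DEVICE_UPTIME_S, COLLECTED_AT)
    for dev, stamps in matched.items():
        print(f"{dev}: {len(stamps)} error(s) near its last restart {stamps}")
    print("not explained by a restart:", unexplained)
```

Errors that land in the unexplained list point away from device resets and toward the other causes covered in the following steps.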
2. Restart PHP Applications On Your Origin Server
While you’re checking out your origin web server error logs, you can also find out whether any of your PHP applications are crashing or overconsuming system resources.
Since your PHP applications may support critical services on your site from the application layer, users may encounter error 520 when applications at this OSI layer crash even though there’s a connected session in progress.
Restarting the affected application should clear the 520 error.
Services that are always online are more prone to overloading and crashing, so an important preventative measure is to schedule reboots during a routine maintenance period.
You can create a cron job to automatically perform these reboots to prevent always-online services from becoming overloaded and avoid issues with error 520.
3. Whitelist Your Cloudflare Origin Server IP Address
As a part of Cloudflare’s built-in security protocols, you have to whitelist your origin web server IP addresses in your Cloudflare dashboard.
Sometimes Cloudflare returns a more descriptive error code when an IP address is explicitly blocked.
But if a connection isn’t whitelisted at all and can’t be identified, the server won’t know how to handle it and throws the 520 error.
All you have to do is correct your A records to whitelist the appropriate IP addresses.
Be sure that your CNAME records are accurate and that all CNAMEs associated with your web server are whitelisted in your DNS settings, otherwise you may encounter error 520 or similar error messages.
4. Check Response Headers From Your Cloudflare Origin Web Server
Missing response headers and empty response headers coming from your Cloudflare server are common causes of the 520 error.
Check your origin response headers in your Cloudflare server’s HAR (HTTP Archive) files.
You can use this guide to find & access your HAR files (note that these may contain sensitive data).
Missing response headers can come from many different sources.
Use a debugger like Wireshark or Fiddler to debug further as these tools can attempt to trace requests and the data that makes them up.
If you see a response from an outdated user agent (web browser) it may be a signal that the connection is coming from an old version of Internet Explorer or Safari.
Make sure your site is compatible with common web browsers, although fringe user agent connections will sometimes appear no matter what.
5. Lighten Your Cookie Load
The more complex your web service, the more cookies you might be relying on to handle requests efficiently.
The problem is cookies increase the HTTP response header size attached to the request they’re sent over, and Cloudflare’s header size limit restricts headers to 8KB or less.
If you exceed Cloudflare’s header size limit, your origin web server won’t be able to parse the full connection request and will reply with a protocol violation warning or a timed-out HTTP response (due to rate-limiting rules).
You can access your server’s HAR files to review response header data to see if you’re using too many cookies (or cookies that are too big).
The HTTP archive shows you an example output of your headers.
If your headers exceed the 8KB host HTTP header limit, you’ll need to work with your web developer to optimize your cookies.
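The HAR review from steps 4 and 5 can be automated. This is an added example, not part of the original article: it reads a HAR file's response entries and reports missing headers, empty header values, and header blocks over the 8KB limit, with the share taken by cookies. The sample HAR is constructed, and the issue labels and function names are assumptions.

```python
import json

HEADER_LIMIT = 8 * 1024  # the 8KB header limit described above

# Constructed sample in HAR 1.2 layout (log.entries[].response.headers).
SAMPLE_HAR = json.dumps({"log": {"entries": [
    {"request": {"url": "https://example.com/"},
     "response": {"status": 200, "headers": [
         {"name": "Content-Type", "value": "text/html"},
         {"name": "Set-Cookie", "value": "sid=abc123"}]}},
    {"request": {"url": "https://example.com/account"},
     "response": {"status": 200, "headers": [
         {"name": "Content-Type", "value": "text/html"},
         {"name": "Set-Cookie", "value": "prefs=" + "x" * 5000},
         {"name": "Set-Cookie", "value": "cart=" + "y" * 4000}]}},
    {"request": {"url": "https://example.com/api"},
     "response": {"status": 520, "headers": []}},
]}})


def wire_size(headers):
    """Bytes the headers occupy on the wire as 'Name: value\\r\\n' lines."""
    return sum(len(h["name"].encode()) + len(h["value"].encode()) + 4
               for h in headers)


def audit_har(har_text, limit=HEADER_LIMIT):
    """Return one finding per response with missing, empty or oversized headers."""
    findings = []
    for entry in json.loads(har_text)["log"]["entries"]:
        resp = entry["response"]
        headers = resp.get("headers", [])
        cookies = [h for h in headers if h["name"].lower() == "set-cookie"]
        issues = []
        if resp.get("status") == 520:
            issues.append("status-520")
        if not headers:
            issues.append("no-headers")
        if any(not h["value"].strip() for h in headers):
            issues.append("empty-header-value")
        if wire_size(headers) > limit:
            issues.append("over-limit")
        if issues:
            findings.append({"url": entry["request"]["url"], "issues": issues,
                             "header_bytes": wire_size(headers),
                             "cookie_bytes": wire_size(cookies)})
    return findings


if __name__ == "__main__":
    for finding in audit_har(SAMPLE_HAR):
        print(finding)
```

Because HAR files can hold session cookies and other sensitive data, run a check like this locally rather than uploading the file to a third-party service.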
6. Correct Your Cloudflare Origin Server DNS Settings
If you’re receiving an empty response from your web server, it means that your site doesn’t have any HTTP status code information or response body data.
This often indicates your web server configuration for your hosting provider is incorrect or outdated.
Contacting your hosting provider is the easiest way to determine whether you have the right DNS information.
Be aware that your corrected Cloudflare DNS settings can take up to 72 hours to propagate throughout your site depending on your hosting provider, especially if they must escalate a support ticket to do so.
Your host provider may have to flush your DNS cache on their end, which can lengthen this wait.
If missing or invalid HTTP response headers are the result of DNS errors, prepare your team and your users for your site to experience outages for up to 3 days.
Don’t forget to clear your site’s cache after updating any DNS settings. This also means clearing the DNS cache and the cache of any WordPress plugins installed on your site.
7. Examine Your Server Traffic
First, check for unusual traffic on your server.
Ensure you’re filtering requests on port 80 to restrict suspicious traffic and blocking spammy connections since this kind of overload can cause issues like errors 520 or 503.
If you see chunks of the same IP address and ray ID in a short period of time, block these connections.
Cloudflare proxied traffic must be whitelisted, so make sure to check your error log for any blocked connections from proxy IP addresses you want to permit.
If permitted traffic on port 80 has valid headers but it takes too long to receive a response from the origin server, you may experience a timeout unrelated to rate-limiting settings on your server.
Unexpected timeouts can result in error message 520, and you can turn to your HAR records again to see if any requests contain bulky or corrupted response bodies.
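One way to spot the repeated-IP pattern described in this step is a sliding-window count per client address. This is an added example, not part of the original article: the log layout, the 10-second window, the threshold of 5, and the permitted proxy range (a documentation range used as a stand-in) are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed stand-in for the proxy ranges you permit; load the real ranges
# from Cloudflare's published list rather than hard-coding them.
ALLOWED_PROXY_NETS = [ip_network("198.51.100.0/24")]

# Constructed log excerpt: "timestamp client_ip method path status".
SAMPLE_LOG = "\n".join(
    [f"2024-05-01T10:00:0{s} 203.0.113.7 GET /login 520" for s in range(6)]
    + [f"2024-05-01T10:00:0{s} 198.51.100.20 GET / 200" for s in range(8)]
    + [f"2024-05-01T10:{m}:00 192.0.2.44 GET /about 200" for m in (10, 25, 40)]
)


def find_bursts(log_text, window_s=10, threshold=5, allowed=ALLOWED_PROXY_NETS):
    """Return {ip: peak requests in any window_s-second span} at or above threshold."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts_text, ip_text = line.split()[:2]
        ip = ip_address(ip_text)
        if any(ip in net for net in allowed):
            continue  # permitted proxy traffic is never a block candidate
        hits[ip].append(datetime.fromisoformat(ts_text))

    bursts = {}
    for ip, times in hits.items():
        times.sort()
        start = peak = 0
        for end, t in enumerate(times):
            # Slide the window start forward until it spans at most window_s.
            while (t - times[start]).total_seconds() > window_s:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            bursts[str(ip)] = peak
    return bursts


if __name__ == "__main__":
    for ip, peak in find_bursts(SAMPLE_LOG).items():
        print(f"{ip}: {peak} requests within 10 seconds")
```

Skipping the permitted proxy ranges before counting keeps proxied traffic out of the block candidates, which matches the whitelisting requirement in this step.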
8. Check For Non-HTTP Errors In Your Cloudflare Logs
Error 520 is essentially a catch-all response for situations where your server can’t even recognize an incoming request.
Since every common HTTP issue has its own error code, you’ll often see error 520 when non-HTTP errors are preventing a successful server connection or causing a gateway timeout error.
Review your system resources and your network hardware for any stalled or crashed services.
You can look up the search term “520” to try and locate the Cloudflare response code in a given device’s error logs.
If you’re still seeing error 520 after reviewing all of your devices and your traffic, open a support ticket with Cloudflare and your hosting provider to see if any errors appear on their end.