Cloudflare will return an error 521 message when your website refuses a connection with Cloudflare.
This is frequently caused by firewall or security software.
Similar to Cloudflare error 520, there are a couple of different ways to fix this error.
Let’s look a little closer at why an error 521 occurs, and how to fix it.
What is Error 521 Web Server is Down?
Cloudflare error 521 occurs when Cloudflare cannot make a TCP connection to your origin server. Cloudflare attempted to connect to your origin server on port 80 or 443, but received a connection refused error. Error 521 is commonly caused by security or firewall software and happens if the origin server has directly denied Cloudflare’s proxy request.
What Causes the Error 521 Message?
There are two main reasons why Cloudflare will throw an error 521.
#1 Your server is down
Cloudflare tried to connect with your site’s server (i.e. the place where your website is hosted) but failed because the origin web server was offline.
If your server is up, the other possible reason is that—
#2 Your firewall or other security software could be interfering with Cloudflare requests
This is common because many server security solutions flag and block Cloudflare IP addresses.
Cloudflare works as a reverse proxy. That means your visitors’ requests no longer reach your origin web server from their own IP addresses; instead, they all appear to come from Cloudflare IPs.
Many (poorly built) server security solutions will flag this disproportionate traffic from a small set of IP addresses as an attack.
Now that we understand a bit more about what error 521 is, here’s how to fix it.
How to Fix Error 521 on Cloudflare
- Check Your Origin Server
- Test Your Origin Web Server
- Whitelist All Cloudflare IP Ranges in Your Server’s Firewall
- Check for More Specific Technical Issues
1. Check Your Origin Server
Cloudflare cannot connect to your origin server if it’s offline or misconfigured. Check this first, before you move on to the other possible solutions.
Make sure that your web server is running properly independent of Cloudflare.
The easiest way to do this is to contact your hosting provider and ask them if their servers are online.
If you’d rather test them yourself, go to step 2 below.
2. Test Your Origin Web Server
To test whether your origin server is working correctly, you need to run a cURL command. Mac and Linux users can do this directly from their terminal, while Windows users need to install cURL first.
Check the DNS section of the Cloudflare dashboard for the IP address of your server. You will find it in the A record for your domain.
Plug http://x.x.x.x into the tool, where x.x.x.x is the actual IP address of your origin server.
An HTTP 200 response means your server is working correctly.
If there is a problem, you will get a Failed to Connect or Host Not Found Error.
This means there’s an issue with your server.
Contact your host’s support and ask them to help you get your server back up.
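The article names cURL but gives no command, so here is one way to script the test, as an added example that is not part of the original article: it sends a request straight to the origin IP and maps the result onto the cases described above. The function names, the use of `--resolve`, and the placeholders 203.0.113.10 and example.com are assumptions.

```shell
#!/bin/sh
# Added example: test the origin directly, bypassing Cloudflare.
# Map curl's exit status plus the HTTP status to a diagnosis. 6, 7, 28, 35 and
# 60 are curl's documented exit codes (resolve failure, connect failure,
# timeout, TLS handshake error, untrusted certificate).
classify_probe() {
  case "$1" in
    0) case "$2" in
         2??|3??) echo "origin-ok" ;;
         *)       echo "origin-http-error" ;;
       esac ;;
    6)     echo "host-not-found" ;;
    7)     echo "failed-to-connect" ;;
    28)    echo "timeout" ;;
    35|60) echo "tcp-ok-tls-error" ;;
    *)     echo "other-curl-error" ;;
  esac
}

# probe_origin <origin-ip> <hostname> [http|https]
# --resolve pins the hostname to the origin IP, so the Host header (and SNI for
# https) match the real site while DNS, and therefore Cloudflare, is bypassed.
probe_origin() {
  ip=$1; host=$2; scheme=${3:-http}; port=80
  if [ "$scheme" = https ]; then port=443; fi
  http=$(curl -s -o /dev/null -w '%{http_code}' --connect-timeout 10 \
              --resolve "$host:$port:$ip" "$scheme://$host/")
  rc=$?
  echo "$scheme://$host via $ip: $(classify_probe "$rc" "$http") (curl=$rc, http=$http)"
}

# Runs only when arguments are given, e.g.:
#   sh probe.sh 203.0.113.10 example.com https
# (203.0.113.10 and example.com are placeholders for your origin IP and domain.)
if [ "$#" -ge 2 ]; then
  probe_origin "$@"
fi
```

A `failed-to-connect` result from a machine that is not behind the same firewall matches the refused connection Cloudflare reports as 521, while `tcp-ok-tls-error` means the TCP connection itself succeeded.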
3. Whitelist All Cloudflare IP Ranges in Your Server’s Firewall
If you’ve confirmed your site’s server is online but you’re still getting a Cloudflare error 521, the next step is to whitelist all of Cloudflare’s IP ranges.
This is an easy way to ensure that your server is not blocking them. You can check the list of Cloudflare IPs here.
Then using this list—
- Ensure that you are not blocking the Cloudflare IPs in iptables, .htaccess, or in your firewall.
- Check that your hosting service provider is not rate-limiting (you might have to ask them). Similarly, check that they are not blocking requests from Cloudflare IPs. If your hosting service does this, ask that they whitelist all IP addresses from https://www.cloudflare.com/ips.
- A faulty firewall can also create a false 521 error instead of an error 524. The error messages might come from a faulty firewall configuration that makes it drop packets instead of refusing the connection. If you’re on WordPress, try deactivating any security-related plugins to see if that resolves the issue.
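One way to run the iptables check from the first item, as an added example that is not from the original article: it reads `iptables -S` output and prints every DROP or REJECT rule whose source overlaps a Cloudflare range, including broader blocks that swallow a whole range. The ranges and rules embedded here are constructed stand-ins and the function names are assumptions; only IPv4 is handled.

```shell
#!/bin/sh
# Added example: list iptables rules that block Cloudflare source ranges (IPv4).
# Constructed stand-in ranges (RFC 5737 documentation networks); replace with
# the current IPv4 list published at https://www.cloudflare.com/ips.
CF_RANGES="198.51.100.0/24 203.0.113.0/24"

# Dotted-quad IPv4 address -> 32-bit integer.
ip_to_int() {
  old_ifs=$IFS; IFS=.
  set -- $1
  IFS=$old_ifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Succeed if two IPv4 CIDRs (or bare addresses) share any address: two blocks
# overlap exactly when they agree on the shorter of the two prefixes.
cidr_overlap() {
  a_bits=32; case "$1" in */*) a_bits=${1#*/} ;; esac
  b_bits=32; case "$2" in */*) b_bits=${2#*/} ;; esac
  bits=$a_bits
  if [ "$b_bits" -lt "$bits" ]; then bits=$b_bits; fi
  mask=$(( (4294967295 << (32 - $bits)) & 4294967295 ))
  [ $(( $(ip_to_int "${1%/*}") & $mask )) -eq $(( $(ip_to_int "${2%/*}") & $mask )) ]
}

# Read `iptables -S` output on stdin; print each DROP/REJECT rule whose source
# (-s) overlaps a range in CF_RANGES. Negated matches (! -s) are skipped.
find_blocking_rules() {
  while IFS= read -r line; do
    case "$line" in
      *"! -s "*) continue ;;
      *"-j DROP"*|*"-j REJECT"*) ;;
      *) continue ;;
    esac
    src=$(printf '%s\n' "$line" | sed -n 's|.* -s \([0-9./]*\) .*|\1|p')
    [ -n "$src" ] || continue
    for range in $CF_RANGES; do
      if cidr_overlap "$src" "$range"; then printf '%s\n' "$line"; break; fi
    done
  done
}

# Constructed sample of `iptables -S` output.
SAMPLE_RULES='-P INPUT ACCEPT
-A INPUT -s 203.0.113.7/32 -j DROP
-A INPUT -s 192.0.2.50/32 -j DROP
-A INPUT -s 198.51.0.0/16 -p tcp -m tcp --dport 443 -j REJECT --reject-with tcp-reset
-A INPUT -s 198.51.100.0/24 -p tcp -m tcp --dport 80 -j ACCEPT'
printf '%s\n' "$SAMPLE_RULES" | find_blocking_rules
```

On a live server, pipe the real rules in with `iptables -S | find_blocking_rules` after setting `CF_RANGES` to the published list.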
4. Check for More Specific Technical Issues
If the error message persists after trying the above, consider the following technical solutions. Note that your server’s configuration determines which solution suits you.
- If you are new to Cloudflare’s HTTP, your origin web server might still be misconfigured. Ensure that the server allows Cloudflare IP addresses to access port 443. If you can’t reconfigure your server/firewall to listen on port 443, try using Flexible SSL instead of Full SSL at Cloudflare.
- Ensure that your mod_security and Bad Behavior versions are up to date where applicable. For mod_security in particular, check that its rules are not blocking Cloudflare requests.
- Custom Apache modules like mod_reqtimeout and mod_antiloris block IPs when they connect more than 22 times. Because your connections now come from Cloudflare, you will always exceed the limit, hence the error. Disable and unload these modules, and the error should disappear.
- If you see the error message: “railgun.wan_error: connection failed”, your Railgun configuration is probably faulty. Please disable it and revisit your website.
Error 521 occurs when Cloudflare has its connection refused by the origin web server (i.e. where you host your website).
If none of the solutions above fixed your issue, I’d recommend contacting Cloudflare support and asking for their help. I hope you get this issue fixed soon 🙂️