Cloudflare will return an error 521 message when your website refuses a connection with Cloudflare.
This is frequently caused by firewalls or security software. The error looks something like this 👇🏻
Similar to Cloudflare error 520, there are a couple of different ways to fix this error.
Let’s dive into why error 521 happens and how to solve it.
What is Error 521 Web Server is Down?
Cloudflare error 521 occurs when Cloudflare cannot make a TCP connection to your origin server. Cloudflare attempted to connect to your origin server on port 80 or 443, but received a connection refused error. Error 521 is commonly caused by security or firewall software and happens if the origin server has directly denied Cloudflare’s proxy request.
What Causes the Error 521 Message?
There are two main reasons why Cloudflare will throw an error 521.
#1 Your server is down
Cloudflare tried to connect with your site’s server (i.e. the place where your website is hosted) but failed because the origin web server was offline.
If your server is up, the other possible reason is that—
#2 Your firewall or other security software could be interfering with Cloudflare requests
This is common because many server security solutions flag and block Cloudflare IP addresses.
Cloudflare works via a reverse proxy. That means that instead of having all your visitors’ IP addresses go straight to your origin web server, it will seem they are from Cloudflare IPs.
Many (poorly built) server security solutions will flag this disproportionate traffic and IP addresses as an attack.
Now that we understand a bit more about what error 521 is, here’s how to fix it.
How to Fix Error 521 on Cloudflare
- Check Your Origin Server
- Test Your Origin Web Server
- Whitelist All Cloudflare Ip Ranges in Your Server’s Firewall
- Check for More Specific Technical Issues
1. Check Your Origin Server
Cloudflare will not connect with your origin server if it’s offline or misconfigured. Your first call should be checking it before you go on to the next possible solutions.
Be sure to see that your web server is running properly independent of Cloudflare.
The easiest way to do this is to contact your hosting provider and ask them if their servers are online.
If you’d rather test them yourself, go to step 2 below.
2. Test Your Origin Web Server
To see if your website’s server is awake, you can send a special techy signal called a cURL command. It’s like sending a ping from your computer. If you’re using a Mac or Linux, it’s like a quick chat in your computer’s Terminal. Windows users? You’ll need to get cURL ready first.
Check the DNS section of the Cloudflare dashboard for the IP address of your server. You will find it in the A record for your domain.
Plugin http://x.x.x.x into the tool, where x.x.x.x is the actual IP address of your origin server.
An HTTP 200 response means your server is working correctly.
If there is a problem, you will get a Failed to Connect or Host Not Found Error.
This means there’s an issue with your server.
Contact your host’s support and ask them to help you get your server back up.
3. Whitelist All Cloudflare Ip Ranges in Your Server’s Firewall
If your website’s heart is beating (meaning it’s online) but Cloudflare still says “Error 521,” it’s time to make sure your server’s guest list includes Cloudflare’s IP addresses. It’s like telling your security guard to let friends from Cloudflare come in.
This is an easy way to ensure that your server is not blocking them. You can check the list of Cloudflare IPs here.
Then using this list—
- Ensure that you are not blocking the Cloudflare IPs in iptables, .htaccess, or in your firewall.
- Check that your hosting service provider is not rate-limiting (you might have to ask them). Similarly, check to see if they are not blocking IP requests from Cloudflare IPs. If your hosting service does this, ask that they whitelist all IP addresses from here.
- A faulty firewall can also create a false 521 error instead of an error 524. The Error messages might be from a faulty firewall’s configuration that makes it drop packets instead of having a connection refused. If you’re on WordPress, try deactivating any security-related plugins to see if that resolves the issue.
4. Check for More Specific Technical Issues
If after trying the above, the error message persists, then you should consider any of the following technical solutions. Note that, your server’s configuration would determine the solution that would suit you.
- If you are new to Cloudflare’s HTTP, your origin web server might still have the wrong configurations. Ensure that the server allows Cloudflare IP addresses to access port 443. If you can’t re-configure your server/firewall to listen to port 443, try using flexible SSL instead of the Full SSL at Cloudflare.
- Make sure your website’s security tools (like mod_security) are fresh and up-to-date. Especially check that they’re not mistakenly keeping Cloudflare out, thinking it’s up to no good.
- Some extra security features on your site might get suspicious if they see lots of visits from Cloudflare and block them. Imagine a bouncer counting people coming in; if the count goes over 22, they start turning people away. You might need to switch off these overly cautious security features to clear up the error.
- If you see the error message: “railgun.wan_error: connection failed”, your Railgun configuration is probably faulty. Please disable it and revisit your website.
- If the error happens when you use Workers to load Javascript on your website, note that Workers subrequest can override your DNS origin web server address. It does this by making a subrequest to an external website. Check the script to see if you’re testing the right origin web server.
Conclusion
Error 521 occurs when Cloudflare has its connection refused by the origin web server (i.e. where you host your website).
If none of the solutions above fixed your issue, I’d recommend contacting Cloudflare support and asking for their help. I hope you get this issue fixed soon 🙂️
