521 Web Server Is Down

Cloudflare - Origin refused the connection

What It Means

521 Web Server Is Down is a Cloudflare-specific error. It means Cloudflare tried to open a TCP connection to your origin server but the connection was actively refused. Cloudflare itself is working fine — the problem is between Cloudflare and your origin. In practice, your web server is down, crashed, or rejecting connections from Cloudflare's IP ranges.

Error 521: Web server is down
Host Error
The web server is not returning a connection. As a result,
the web page is not displaying.

Common Causes

  • Origin server down: Nginx/Apache stopped or crashed
  • Firewall blocking Cloudflare: Cloudflare's IP ranges not allowlisted
  • Wrong port: Origin not listening on 80/443 as expected
  • Server overloaded: Connections dropped under heavy load
  • Deployment downtime: Origin offline during a deploy or restart
  • Proxy just enabled: Orange-cloud turned on before allowlisting Cloudflare IPs

How to Fix It

# 1. Confirm the web server is running
systemctl status nginx
systemctl status apache2

# 2. Verify it's listening on the expected port
#    (matching the whitespace after the port number excludes 8080, 4430, etc.)
ss -tlnp | grep -E ':(80|443)[[:space:]]'

# 3. Test the origin directly by IP (bypassing Cloudflare)
curl -v --resolve example.com:443:ORIGIN_IP https://example.com

# 4. Allowlist Cloudflare IP ranges in your firewall (UFW example)
#    -f makes curl fail on an HTTP error instead of passing an error page to ufw
for ip in $(curl -fsS https://www.cloudflare.com/ips-v4); do
  sudo ufw allow from "$ip" to any port 443 proto tcp
done

  • Restart the web server and check its error logs (journalctl -u nginx -n 50)
  • Allowlist Cloudflare's IP ranges in your firewall and cloud security groups
  • Confirm the origin listens on the port Cloudflare connects to (80 or 443)
  • Check resource limits (CPU, memory, max connections) if it fails under load
  • If you just enabled the orange-cloud proxy, allowlist Cloudflare before traffic shifts
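
Step 4 above passes whatever the download returns straight to sudo ufw. The following added example (not part of the original page) validates every line as an IPv4 CIDR and prints the rules for review instead of applying them; the helper names is_ipv4_cidr and emit_ufw_rules are hypothetical and the sample ranges are constructed documentation addresses.

```shell
#!/bin/sh
# Added example; helper names are hypothetical, not from the original page.

# Succeeds only for a.b.c.d/len with each octet 0-255 and len 0-32.
is_ipv4_cidr() {
  case $1 in
    ''|*[!0-9./]*|*/*/*) return 1 ;;   # only digits, dots and one slash
    */*) ;;
    *) return 1 ;;                      # a prefix length is required
  esac
  cidr_addr=${1%/*}
  cidr_len=${1#*/}
  case $cidr_len in ''|*.*|???*) return 1 ;; esac
  [ "$cidr_len" -le 32 ] || return 1
  case $cidr_addr in ''|.*|*.|*..*) return 1 ;; esac
  cidr_ifs=$IFS; IFS=.
  set -- $cidr_addr                     # split the address into octets
  IFS=$cidr_ifs
  [ $# -eq 4 ] || return 1
  for cidr_octet in "$@"; do
    case $cidr_octet in ????*) return 1 ;; esac
    [ "$cidr_octet" -le 255 ] || return 1
  done
}

# Reads ranges on stdin and prints one ufw command per range for port $1.
# Any malformed line, or an empty list, rejects the whole input (return 1),
# so an HTML error page or truncated download never reaches the firewall.
emit_ufw_rules() {
  rule_port=$1
  case $rule_port in ''|*[!0-9]*) return 1 ;; esac
  rule_text=''
  while IFS= read -r rule_line || [ -n "$rule_line" ]; do
    [ -n "$rule_line" ] || continue
    is_ipv4_cidr "$rule_line" || { echo "rejected: not an IPv4 CIDR" >&2; return 1; }
    rule_text="${rule_text}ufw allow from $rule_line to any port $rule_port proto tcp
"
  done
  [ -n "$rule_text" ] || { echo "rejected: empty list" >&2; return 1; }
  printf '%s' "$rule_text"
}

# Constructed sample input (documentation ranges, not Cloudflare's list).
# Real use, reviewing the output before running it with sudo:
#   curl -fsS https://www.cloudflare.com/ips-v4 | emit_ufw_rules 443
printf '192.0.2.0/24\n198.51.100.0/24\n' | emit_ufw_rules 443
```
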

521 vs 522 vs 523

  • 521 Web Server Is Down: Origin actively refused the connection (TCP reset or nothing listening)
  • 522 Connection Timed Out: Connection attempt timed out — packets silently dropped or origin unreachable
  • 523 Origin Is Unreachable: Cloudflare can't route to the origin at all (bad DNS/IP)

Shorthand: 521 = refused, 522 = timed out, 523 = unreachable. This is similar to a plain connection refused error, but reported by Cloudflare on your behalf.

How to Monitor for 521 Errors

A 521 means visitors see an error page even though Cloudflare is healthy — your origin is down. UptimeSignal checks your site from outside your network and detects Cloudflare 521 responses, alerting you the moment your origin stops accepting connections. Because the check runs externally, it catches firewall changes that block Cloudflare's IPs and origin crashes that internal health checks would miss. See also 522 Connection Timed Out.

Frequently Asked Questions

What does Cloudflare error 521 mean?
521 Web Server Is Down means Cloudflare tried to open a connection to your origin server but it was actively refused. Cloudflare is up; the problem is your origin — it's down, crashed, or rejecting connections from Cloudflare's IP ranges.

What causes a 521 error?
The origin web server is stopped or crashed, a firewall or security group blocks Cloudflare's IPs, the origin listens on the wrong port, the server is overloaded and dropping connections, the origin is offline during a deploy, or Cloudflare's IPs weren't allowlisted after enabling the proxy.

How do I fix a Cloudflare 521 error?
Confirm the web server is running (systemctl status nginx), allowlist Cloudflare's IP ranges in your firewall, verify it listens on port 80/443, test the origin directly by IP, review resource limits if it drops connections under load, and restart the server while checking error logs.

What's the difference between 521 and 522?
521 means Cloudflare's connection to the origin was actively refused (TCP reset or nothing listening). 522 Connection Timed Out means the connection attempt timed out with no response, usually because a firewall is silently dropping packets. 521 = refused, 522 = timed out.

Is a 521 error Cloudflare's fault or mine?
It's almost always an origin-side issue, not Cloudflare's. Cloudflare returns 521 specifically because it could reach the network but your origin refused the connection. Start by checking that your web server is running and that your firewall allows Cloudflare's IP ranges.
