How do I fix a 522 error on Cloudflare?

First verify your origin server is running and accessible. Whitelist all Cloudflare IP ranges in your firewall (cloudflare.com/ips). Check that the origin IP in Cloudflare DNS settings is correct. Ensure your web server is listening on the correct ports (80/443). Check server resource usage (CPU/memory). Contact your hosting provider if the server is unreachable.

What is the difference between Cloudflare 522 and 524 errors?

A 522 means Cloudflare couldn't establish a TCP connection to your origin (connection phase timeout — origin is unreachable). A 524 means Cloudflare connected successfully but the origin didn't send a response within 100 seconds (read phase timeout — origin is too slow). 522 is a connectivity issue; 524 is a performance issue.

How do I whitelist Cloudflare IPs to prevent 522 errors?

Get Cloudflare's IP ranges from cloudflare.com/ips. Add them to your firewall: for UFW use 'ufw allow from IP_RANGE to any port 443', for iptables use '-A INPUT -s IP_RANGE -p tcp --dport 443 -j ACCEPT'. Update these regularly as Cloudflare adds new IP ranges. Consider using Authenticated Origin Pulls for additional security.

522 Connection Timed Out: Causes and How to Fix

Q: What causes a 522 Connection Timed Out error?

A 522 is a Cloudflare-specific error that occurs when Cloudflare cannot establish a TCP connection to your origin server within 15 seconds. Causes include: origin server is down, firewall blocking Cloudflare IPs, server overloaded, wrong origin IP in Cloudflare DNS, or network routing issues between Cloudflare and your origin.

Q: How do I monitor for 522 errors behind Cloudflare?

Use UptimeSignal to monitor your origin server directly (bypassing Cloudflare) to catch outages before users see 522 errors. Also monitor the Cloudflare-fronted URL to detect proxy-level issues. This dual monitoring approach pinpoints whether problems are at the origin or the CDN layer.

HTTP 522 (Cloudflare)

Cloudflare couldn't establish a TCP connection to your origin server within 15 seconds.

What It Means

522 is a Cloudflare-specific error code. It means Cloudflare tried to connect to your origin server but couldn't establish a connection at all. This is different from a timeout waiting for a response (that's 524).

What happens:
User → Cloudflare → [Connection attempt to Origin] → No response → 522

Common Causes

Origin server is down — Your server isn't running at all
Firewall blocking Cloudflare — Your server's firewall is blocking Cloudflare's IP ranges
Wrong origin IP in Cloudflare — DNS is pointing to the wrong server
Port not open — Web server not listening on port 80/443
Server overloaded — Can't accept new connections
Network routing issues — Path between Cloudflare and origin is broken

How to Debug

Check if origin is running — Can you access it directly (bypassing Cloudflare)?
Check firewall rules — Are Cloudflare IPs allowed?
Verify Cloudflare DNS settings — Is the origin IP correct?
Check web server status — Is Nginx/Apache running?
Test from multiple locations — Is it a regional network issue?

Allow Cloudflare IPs

Cloudflare publishes their IP ranges. Your firewall must allow these:

# Get current Cloudflare IPs
curl https://www.cloudflare.com/ips-v4
curl https://www.cloudflare.com/ips-v6

# UFW example (Ubuntu)
for ip in $(curl -s https://www.cloudflare.com/ips-v4); do
    sudo ufw allow from $ip to any port 443
done

# iptables example
for ip in $(curl -s https://www.cloudflare.com/ips-v4); do
    iptables -A INPUT -p tcp -s $ip --dport 443 -j ACCEPT
done

Quick Checks

# Check if web server is running
systemctl status nginx
systemctl status apache2

# Check if ports are open
ss -tlnp | grep -E ':80|:443'
netstat -tlnp | grep -E ':80|:443'

# Test connection to your origin directly
curl -v http://your-origin-ip/
curl -vk https://your-origin-ip/

# Check Cloudflare DNS settings
dig +short your-domain.com

522 vs Other Cloudflare Errors

522 Connection timed out - couldn't connect at all

523 Origin unreachable - DNS points to nothing

524 Origin timeout - connected but response took >100s

525 SSL handshake failed - certificate issues

Prevention

Keep Cloudflare IPs allowlisted (they update their ranges occasionally)
Monitor your origin server directly, not just through Cloudflare
Set up health checks in Cloudflare load balancer
Use a failover origin if your primary goes down
Subscribe to Cloudflare status updates

How to Monitor for 522 Errors

Monitor your origin server directly (bypassing Cloudflare) with UptimeSignal to catch outages before users see 522 errors. Also monitor the Cloudflare-fronted URL to detect CDN-layer issues. This dual approach pinpoints whether problems are at the origin or the proxy. See also: 504 Gateway Timeout, Connection Timeout.

Frequently Asked Questions

What causes a 522 Connection Timed Out error?

A 522 is Cloudflare-specific: Cloudflare couldn't establish a TCP connection to your origin server within 15 seconds. Causes: origin server is down, firewall blocking Cloudflare IPs, server overloaded, wrong origin IP in Cloudflare DNS, or network issues between Cloudflare and your hosting provider.

How do I fix a 522 error?

Verify your origin server is running. Whitelist all Cloudflare IP ranges in your firewall. Confirm the origin IP in Cloudflare DNS settings. Ensure your web server listens on ports 80/443. Check server resources with htop.

What is the difference between 522 and 524 errors?

522 = Cloudflare couldn't connect to your origin (TCP handshake failed -- origin is unreachable). 524 = Cloudflare connected but origin didn't respond within 100 seconds (read timeout -- origin is too slow). 522 is a connectivity problem; 524 is a performance problem. Check firewall for 522, check app performance for 524.

How do I whitelist Cloudflare IPs?

Get IPs from cloudflare.com/ips. For UFW: ufw allow from CIDR to any port 443. For iptables: -A INPUT -s CIDR -p tcp --dport 443 -j ACCEPT. Update regularly as Cloudflare adds new ranges. Consider Authenticated Origin Pulls for additional security.

Is a 522 error caused by Cloudflare or my server?

Almost always your server or the network path to it. Cloudflare is trying to connect and failing. Test by accessing your origin directly (bypassing Cloudflare): curl -v https://your-origin-ip. If it works directly but fails through Cloudflare, check your firewall allows Cloudflare IPs.

522 Connection Timed Out