
521 Web Server Is Down (Cloudflare) Fix

Cloudflare Error 521 means your origin refused the connection. Fix it with three checks: server up, Cloudflare IPs allowed, port open.


Problem

Cloudflare returns Error 521: Web server is down. Cloudflare’s edge reached your network but could not open a TCP connection to the origin — the origin refused it, or nothing was listening to accept it.

Symptoms

  • Cloudflare’s branded error page shows Error 521.
  • The error appears immediately, not after a long hang (an immediate refusal, distinct from the 522 timeout).
  • The site may load fine when you hit the origin IP directly from your own machine.

Top 3 Causes

  1. The web server process is down - Nginx, Apache, or your app server crashed, was stopped, or is not listening on the expected port. With nothing bound to port 80/443, the kernel answers Cloudflare’s connection with a TCP reset, which Cloudflare reports as 521.
  2. A firewall is rejecting Cloudflare’s IP ranges - An OS firewall (iptables/ufw), a host control panel, or a security plugin blocks Cloudflare’s IPs. A REJECT rule sends back a reset and produces a 521 (a silent DROP would instead time out as 522). Recently tightened rules are the usual trigger.
  3. The DNS record points at the wrong origin - The proxied A/AAAA record points to an IP where no web server runs — an old server, a load balancer that is down, or a typo — so the connection is refused.

Diagnose with DechoNet

  • Port Check against your origin IP for ports 80 and 443 to confirm the origin is actually accepting connections from outside.
  • HTTP Check against the origin to see whether it responds at all once a connection opens.

Resolution Checklist

  • Confirm the web server is running and listening: systemctl status nginx (or your server) and ss -tlnp | grep -E ':(80|443)'. If nothing is bound, restart the service first.
  • Test the origin from a machine outside your network, bypassing Cloudflare: curl -v http://ORIGIN_IP and curl -vk https://ORIGIN_IP. A "Connection refused" result confirms the origin, not Cloudflare, is at fault.
  • Allowlist Cloudflare’s published IP ranges (from cloudflare.com/ips) on ports 80 and 443 in every firewall layer — OS, host panel, and any cloud security group.
  • Because Cloudflare updates its ranges periodically, automate the allowlist (a cron job pulling cloudflare.com/ips) so a future range change does not silently re-break the origin.
  • Verify the proxied DNS record points to the IP where the web server actually runs.
  • Re-run Port Check on the origin to confirm 80/443 now accept connections, then reload the site.
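The Port Check step above, reproduced as an added example (not code from this guide or from DechoNet, whose tool internals are not described here): a raw TCP connect to the origin, with each outcome mapped onto the 521-versus-522 distinction. The origin address is supplied as a command-line argument; with no argument it demonstrates both outcomes against a throwaway local listener.

```python
import errno
import socket
import sys

# Cloudflare's edge first does a plain TCP connect. A reset (refused) is the 521
# signature; no answer at all is the 522 signature. Both are distinguished below.
VERDICTS = {
    "accepted": "TCP connect succeeded; nothing on the origin refuses this port",
    "refused": "connection refused/reset: nothing listening or a REJECT rule (521)",
    "timeout": "no reply: a silent DROP rule or unreachable host (522, not 521)",
    "error": "other socket error (routing, DNS); not a 521 signature",
}

def probe_port(host, port, timeout=5.0):
    """Classify one TCP connect attempt to host:port with a key from VERDICTS."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "accepted"
    except socket.timeout:
        return "timeout"
    except ConnectionRefusedError:
        return "refused"
    except OSError as exc:
        if exc.errno in (errno.ECONNREFUSED, errno.ECONNRESET):
            return "refused"
        return "error"

def diagnose(host, ports=(80, 443), timeout=5.0):
    """Probe the web ports the proxy uses and return {port: verdict key}."""
    return {port: probe_port(host, port, timeout) for port in ports}

def local_demo():
    """Show both outcomes on 127.0.0.1: (verdict while a listener is bound,
    verdict after it is closed). The closed case is exactly what causes 521."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))   # port 0: the kernel picks a free port
    listener.listen(1)
    port = listener.getsockname()[1]
    while_up = probe_port("127.0.0.1", port, timeout=2.0)
    listener.close()                   # nothing bound now: the kernel sends RST
    return while_up, probe_port("127.0.0.1", port, timeout=2.0)

if __name__ == "__main__":
    if len(sys.argv) > 1:              # sys.argv[1] is your origin IP/hostname
        for port, verdict in diagnose(sys.argv[1]).items():
            print(f"port {port}: {verdict}: {VERDICTS[verdict]}")
    else:
        print("local demo (listening, closed):", local_demo())
```

Run it from outside your own network: an "accepted" result from your LAN does not prove the firewall admits Cloudflare's ranges, which is why the allowlist step still has to be checked separately.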

When to Escalate

  • If a managed host or platform controls the firewall and you cannot add Cloudflare’s ranges yourself, send the provider the IP list from cloudflare.com/ips and ask them to allow it on 80/443.
  • Intermittent 521s that come and go with traffic usually point to the web server crashing under load or a connection-limit cap — investigate origin capacity and process restarts rather than the firewall.
