How to Fix Cloudflare Error 521 in 7 Easy Ways

These days, all popular websites and eCommerce stores use Cloudflare as the content delivery network (CDN) for serving their global audience.

Visitors see Error 521: Web Server Is Down when the web server hosting the website’s content is down and the Cloudflare network can’t connect to it. The error indicates a problem with the origin server’s operation rather than with Cloudflare’s infrastructure.

The main consequence of this error is that it renders your website inaccessible to users. When your site is unreachable, it can lead to a significant loss of traffic and potential revenue and harm your site’s reputation for reliability.

Therefore, resolving Error 521 is critical to ensure your website remains available and functional, maintaining a positive user experience, SEO rankings, and the overall credibility of your online presence.

This guide will help you go through the fixes you can apply for this error. However, let’s first discuss why this error happens in the first place.

Table Of Contents

  1. What is Error 521?
    1. Why is Error 521 Named So?
    2. Causes of Error 521
  2. How to Troubleshoot and Fix Error 521
    1. The Prerequisites
    2. Fix #1: Check the Origin Server
    3. Fix #2: Whitelist Cloudflare IP Addresses and Ports
    4. Fix #3: Verify SSL Certificate Installation
    5. Fix #4: Check mod_security Status
    6. Fix #5: Disable mod_antiloris and mod_reqtimeout
    7. Fix #6: Check Railgun Configuration
    8. Fix #7: Contact Cloudflare Support
  3. Conclusion
  4. FAQs

What is Error 521?

When Cloudflare cannot establish a TCP connection to the origin web server, the process triggers the HTTP status code 521. This indicates the website you’re trying to visit can’t be reached because the server hosting its contents is down.

When a visitor enters a Cloudflare-connected website’s address in their browser, the following two actions occur:

  • The browser connects to the Cloudflare infrastructure.
  • Cloudflare tries to connect to the website’s server to fetch a recent copy of the website’s contents.

If, however, Cloudflare is unable to establish contact with the website’s server, Error 521 is triggered.

Why is Error 521 Named So?

The 5xx series of HTTP status codes represents server errors, and 521 indicates Web Server Is Down.

Services like Cloudflare use these HTTP status codes to show that the origin web server is experiencing connectivity problems and the CDN is unable to establish a connection.

Causes of Error 521

Here are the key problems that typically result in Error 521:

  • Error 521 can be caused by server overloading, too many parallel requests, or the hosting provider’s infrastructure complications.
  • The server firewall or IDS can block Cloudflare IPs.
  • The server software (usually Apache or NGINX) is experiencing issues accepting requests or processing the responses.
  • The primary web server is not configured to work with a CDN like Cloudflare. Error 521 might happen if there’s a mismatch in API connections and processing.

How to Troubleshoot and Fix Error 521

We’ll first go through the prerequisites and then explore 7 methods to fix Error 521 effectively.

The Prerequisites

Before you go ahead with fixing Error 521, make sure of the following:

  • You have administrator privileges on the server hosting the website.
  • You have a Cloudflare account linked to the website’s domain.

Let’s explore the 7 methods to resolve Error 521, ensuring your website remains accessible and runs smoothly.

Fix #1: Check the Origin Server

The first fix for Cloudflare’s Error 521 is to confirm that the origin server hosting the website’s contents is operational. The easiest way is to check the server’s HTTP status code.

You can check the status through one of the following ways.

Check HTTP Status With cURL

Open the command prompt as an administrator (or terminal on Mac or Linux) and type in the cURL command.

# curl --silent --output /dev/null --write-out "%{http_code}" https://example.site

Let’s see the flags and options in this command in some detail:

  • --silent: Hides the progress bar and informational messages.
  • --output: Redirects the output.
  • /dev/null: The null device where the output of the command is directed (on Windows, use NUL instead).
  • --write-out "%{http_code}": Prints only the HTTP status code.

If the server works fine, the output of the command shows an HTTP status code 200 OK. However, if there’s a problem with the server, you might see a 5xx code, like 500 INTERNAL SERVER ERROR, signaling a server problem.
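If the hostname is proxied through Cloudflare, the command above reaches Cloudflare's edge rather than your server. The following added example (not from the original guide) pins the request to the origin with curl's --resolve option and classifies the outcome; the function names are hypothetical, and you supply your own hostname and origin IP.

```shell
#!/bin/sh
# classify_probe CURL_EXIT HTTP_CODE: print a one-line diagnosis.
classify_probe() {
    case "$1" in
        0)
            case "$2" in
                2??|3??) echo "origin-ok: HTTP $2, review Cloudflare-side settings" ;;
                5??)     echo "origin-error: HTTP $2, check the web server error log" ;;
                *)       echo "origin-responded: HTTP $2" ;;
            esac ;;
        # curl exit 7: the TCP connection was refused or unreachable.
        7)     echo "refused: nothing accepted the TCP connection (matches 521)" ;;
        # curl exit 28: no answer before the timeout, typical of dropped packets.
        28)    echo "timeout: no reply, likely a firewall drop (matches 522)" ;;
        # curl exit 35/60: TLS handshake failed or certificate not trusted.
        35|60) echo "tls-failure: handshake or certificate problem (see Fix #3)" ;;
        *)     echo "curl-failed: exit code $1" ;;
    esac
}

# probe_origin HOST ORIGIN_IP: request https://HOST/ but connect to ORIGIN_IP,
# so the answer comes from the origin server and not from Cloudflare.
probe_origin() {
    rc=0
    code=$(curl --silent --output /dev/null --write-out '%{http_code}' \
        --connect-timeout 10 --resolve "$1:443:$2" "https://$1/") || rc=$?
    classify_probe "$rc" "$code"
}

# Run a probe only when a hostname and an origin IP are passed to the script.
if [ $# -eq 2 ]; then
    probe_origin "$1" "$2"
fi
```

Run it from a machine whose address the origin firewall allows, otherwise a timeout only tells you about your own access.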

Check HTTP Status Using an Online HTTP Header Checker

You can also check HTTP headers by entering the website’s URL or IP address into an online HTTP header checker tool. In our test, the server’s header contained HTTP 301.

Review Main Server Error Logs

As soon as you encounter a 5xx HTTP status code, you should check the server’s error log to see what went wrong and caused the problem.

You can find these error logs at standard locations within the system. Usually, each OS has specific log viewer applications that you can view through the GUI. Alternatively, access the logs through the command line or terminal for more straightforward inspection.

If you are on a Linux system, here are the standard locations for the Apache server error logs:

  • RHEL, Red Hat, CentOS, and Fedora:  /var/log/httpd/error_log
  • Debian and Ubuntu:  /var/log/apache2/error.log

If you are using NGINX as the server platform on mainstream Linux distributions such as Ubuntu, Debian, and CentOS, we suggest checking out /var/log/nginx.

Note: You should make sure that your user account has appropriate permissions to read and write to the error log directory/location.

Alternatively, if you can’t get to the web server’s error logs, contact your hosting provider for help.

Fix #2: Whitelist Cloudflare IP Addresses and Ports

Cloudflare works as an intermediary between your website and visitors, routing traffic through its network. When a user accesses your site, Cloudflare forwards this request to your server using specific IP addresses and ports.

Error 521 can occur if Cloudflare’s path to your server is blocked because of the following reasons:

  • The .htaccess rules may block Cloudflare’s IP addresses.
  • The server firewall settings prevent Cloudflare’s access to the server.
  • The ports assigned to Cloudflare communication are disabled or blocked.
  • The server has imposed limitations on outgoing data flow rate and volume.

We recommend the following actions to resolve these issues:

Note: Some hosting providers automatically whitelist Cloudflare’s IPs. We suggest consulting with your provider before making these changes.

Whitelist IP Addresses via .htaccess

You can easily whitelist Cloudflare’s IPs in the .htaccess file by adding them to the section labeled Allow from all.

When adding the addresses, make sure there’s a space between each IP address so that the system can recognize each one. Once you save the changes, the Apache server will stop blocking Cloudflare’s IP addresses. This step allows Cloudflare to communicate with your server without being blocked.

Whitelist IP Addresses via Firewall

Different firewalls have different ways of allowing (and blocking) specific IP addresses. For demonstration purposes, here’s how to let Cloudflare’s IPs through your firewall using iptables:

  • SSH into Your Server: Launch the terminal and connect to the server through SSH.
  • Add Rules for Cloudflare IPs:  Add an iptables rule with the following command for each of Cloudflare’s IP addresses. Remember to replace 10.10.0.78 with the actual Cloudflare IP:

# iptables -A INPUT -p tcp -s 10.10.0.78 --dport 443 -j ACCEPT

Note: You can include multiple IP addresses with the -s option. Remember to separate them using commas.

This command allows connections from the specified Cloudflare IP address. The following is the command breakdown so you can understand how it functions.

  • -A: Adds a rule.
  • INPUT: Applies the rule to incoming connections.
  • -p tcp: Defines the protocol (TCP, UDP, etc.). iptables only accepts --dport when a protocol is specified.
  • -s: Specifies the source of traffic.
  • --dport 443: Matches traffic destined for port 443, used for secure connections.
  • -j ACCEPT: Sets the rule to accept the traffic.

Note: When Full (Strict) protection (SSL/TLS mode) is on, Cloudflare manages all traffic through port 443.

You can add the following optional parameter:

  • -i: Specifies the network interface.

Note: Always arrange the parameters in this order: -A, -i, -p, -s, --dport, -j.

Contact your hosting provider for further support if whitelisting Cloudflare’s IPs doesn’t resolve Error 521.
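To avoid typing one rule per address, the rules can be generated from a list of ranges. This added example is not part of the original guide: it validates each entry and prints the iptables commands for review instead of applying them. The function names are hypothetical and the sample ranges are constructed documentation addresses; Cloudflare publishes its current IPv4 list at https://www.cloudflare.com/ips-v4.

```shell
#!/bin/sh
# is_ipv4_cidr CIDR: succeeds only for a.b.c.d/n with octets <= 255 and n <= 32.
is_ipv4_cidr() {
    case "$1" in
        *[!0-9./]*) return 1 ;;          # only digits, dots and a slash allowed
        */*) ;;
        *) return 1 ;;                   # the prefix length is mandatory
    esac
    addr=${1%/*}
    len=${1#*/}
    case "$len" in ''|???*|*[!0-9]*) return 1 ;; esac
    [ "$len" -le 32 ] || return 1
    old_ifs=$IFS
    IFS=.
    set -- $addr                         # split the address into its octets
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|????*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
}

# cf_allow_rules [PORT] < list: print one allow rule per valid range on stdin.
# Nothing is applied; invalid entries are reported on stderr and skipped.
cf_allow_rules() {
    port=${1:-443}
    case "$port" in ''|*[!0-9]*) return 2 ;; esac
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                 # strip comments
        line=$(printf '%s' "$line" | tr -d ' \t\r')
        [ -n "$line" ] || continue
        if is_ipv4_cidr "$line"; then
            printf 'iptables -A INPUT -p tcp -s %s --dport %s -j ACCEPT\n' "$line" "$port"
        else
            printf 'skipped invalid entry: %s\n' "$line" >&2
        fi
    done
}

# Constructed sample list (documentation ranges, not Cloudflare's real ones).
SAMPLE_RANGES='192.0.2.0/24
198.51.100.0/24
# a comment line
203.0.113.999/24
not-an-ip'

sample_rules() { printf '%s\n' "$SAMPLE_RANGES" | cf_allow_rules 443 2>/dev/null; }
sample_rules
```

Review the printed commands before running them as root, and regenerate them whenever Cloudflare updates its published list.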

Fix #3: Verify SSL Certificate Installation

If Error 521 keeps showing up even after allowing Cloudflare IPs and opening port 443, the issue might be with your website’s SSL certificate. Cloudflare requires a valid SSL certificate, such as the Cloudflare Origin Certificate or one issued by a recognized certificate authority.

A missing or expired certificate could trigger errors like 521 or 526 INVALID SSL CERTIFICATE. The easiest fix is to install an SSL certificate on the server. We recommend consulting the documentation of your SSL certificate authority to see the installation steps.

We will illustrate the process of setting up a Cloudflare Origin Certificate:

  1. Log into the Cloudflare Dashboard: Sign into your Cloudflare account.
  2. Select Your Domain: Choose the domain on which you want to install the certificate.
  3. Navigate to SSL/TLS Section: Go to the SSL/TLS section, then click Origin Server.
  4. Create the Certificate: Click Create Certificate.
  5. Choose the Certificate Options: 
    • Create with Cloudflare: Choose to create a Cloudflare certificate and a key.
    • Use Existing Certificate: Opt to use a certificate from another provider.
  6. Specify Domain Names: Include your main domain and any subdomains.
  7. Set Expiry Date: Choose the certificate’s expiration date and click Next.
  8. Key Type Selection:
  9. Save Files Separately: Store the origin certificate and private key in different secure files.
  10. Click OK to exit.

Now that you’ve got the Origin CA security certificate, follow these steps to install it onto the origin server:

  • Put the certificate onto your main web server.
  • Update the settings on your web server.
  • Turn on SSL and open port 443.

Some main web servers might also need a Cloudflare Origin CA root certificate in addition to the certificate files. This certificate’s RSA and ECC versions are found in Cloudflare’s documentation.

Note that Cloudflare recommends not using the ECC version with Apache cPanel.

Fix #4: Check mod_security Status

If you are using Apache as your web server, the mod_security module may block Cloudflare requests. As a result, the process can generate Error 521.

To fix this specific issue, make sure the mod_security module is up to date and its rules don’t block Cloudflare IPs.

Fix #5: Disable mod_antiloris and mod_reqtimeout

mod_antiloris and mod_reqtimeout are two security-focused Apache components that can block incoming requests and limit the number of connections from different IPs over a specific period to protect the server against attack scenarios such as DDoS.

These modules may inadvertently block Cloudflare requests which use a limited range of IP addresses. When these modules are active, Cloudflare’s repeated attempts from the same IP can exceed the connection limit, leading to the blocking of Cloudflare’s requests.

If you are experiencing errors such as Error 521, you can try disabling these modules to resolve Cloudflare connectivity issues.

Disabling mod_antiloris and mod_reqtimeout prevents these modules from interfering with Cloudflare’s functionality, allowing it to manage and forward incoming requests to your main server without disruption.

Fix #6: Check Railgun Configuration

Railgun is a tool developed by Cloudflare to speed up connections over wide-area networks (WAN). However, incorrect Railgun setup can lead to Error 521. If this is the case, you will see the railgun.wan_error connection failed message.

To fix this, you can temporarily disable Railgun to restore website functionality. Next, review and correct Railgun configuration. We strongly recommend reaching out to Cloudflare Support for assistance with Railgun setup or troubleshooting.

Fix #7: Contact Cloudflare Support

If you’ve tried all the above troubleshooting tips and still can’t resolve the problem, contact Cloudflare Support. They’ll help you gather the needed info and continue troubleshooting.

Conclusion

Understanding and resolving Error 521: Web server is down involves understanding the underlying causes and applying the right solutions. As we’ve discussed, this error mainly arises when Cloudflare cannot connect with your server.

This could be due to server downtime, firewall settings blocking Cloudflare’s requests, misconfigured SSL certificates, or issues with specific Apache modules like mod_security, mod_antiloris, and mod_reqtimeout.

By systematically following the fixes outlined in this guide – checking server status, updating firewall rules and SSL certificates, adjusting Apache module settings, and verifying Railgun configuration – you can effectively address the root causes of Error 521.

Additionally, these actions will help maintain a stable and accessible web server, preventing similar issues in the future.

FAQs

Q. What is Error 521, and how does it occur?

Error 521 happens when Cloudflare can’t connect to a website’s origin server. This issue can arise if the server is offline, not accepting connections, or because of specific server configurations.

Q. How do I troubleshoot and fix Error 521 with WordPress and Cloudflare?

To troubleshoot and fix Error 521 with WordPress and Cloudflare, you can start by checking if your origin server is online, ensuring that Cloudflare IP ranges are whitelisted on your server, and examining the server configuration to allow connections from Cloudflare.

Q. What are the common causes of Error 521 on a web server?

Common causes of Error 521 include the origin web server being offline, refusing connections from Cloudflare, misconfigured server settings, or the server being unable to handle incoming web requests.

Q. What should I do if I see the error message “Error 521: Web server is down” on my WordPress site?

If you encounter the error message Error 521: Web server is down on your WordPress site, check your server status to ensure it is online and accepting connections. You can then further troubleshoot the issue, including checking Cloudflare settings and configurations.

Q. Can Error 521 affect my WordPress site’s performance, and how do I resolve it?

Error 521 can impact your WordPress site’s performance by causing a connection failure between Cloudflare and your origin server. To resolve it, you should ensure your server is online, allow connections from Cloudflare, and investigate any server-related issues that may be causing the error.

Q. What are the most common errors that can cause the 521 error message on my WordPress site?

The most common errors that can cause the 521 error message on your WordPress site include the origin server being offline or refusing connections from Cloudflare, misconfigured server settings, and issues with Cloudflare’s ability to connect to your server.

Q. Why does the Error 521 message occur?

The Error 521 message occurs when the origin web server refuses the connection from Cloudflare. It means that Cloudflare attempted to connect to the web server, but the server denied the connection. This denial triggers the error message to appear.

Q. What are some common error codes related to Error 521?

Error 521 is an HTTP status code. Other related error codes include 520, which signifies an unknown connection issue between the origin server and Cloudflare, and 522, indicating that Cloudflare’s request to the origin server timed out.

Q. What is a reverse proxy, and how does it relate to Error 521?

A reverse proxy is a server that handles requests on behalf of another server. Error 521 can occur when the reverse proxy, such as Cloudflare, cannot connect with the origin web server. This could be due to various issues, and understanding the role of the reverse proxy is crucial in diagnosing the error.

Q. How do encryption modes impact Error 521?

Encryption modes, such as TLS/SSL, play a role in securing the connection between the user’s browser and the web server. Error 521 may arise if there are encryption-related issues between the reverse proxy and the origin web server. Exploring how encryption modes influence this error can help identify and resolve such issues.

Q. What role does the hosting server play in Error 521?

The hosting server is where the website’s files and data are stored. Error 521 can be linked to issues on the hosting server, such as server downtime or misconfigurations. Understanding the hosting server’s role is essential for troubleshooting and resolving Error 521 effectively.

Q. How does an origin web server error contribute to Error 521?

Error 521 happens when Cloudflare, which works as a go-between for a website and its visitors, can’t reach its main server. This usually means a problem with the server where the website’s content is stored. Understanding why this happens helps in figuring out the causes of Error 521.