Introduction
The
error message “Error 521: The web server is down” indicates a problem with the server. That’s the Cloudflare error message when the origin server doesn’t respond to Cloudflare’s request.
This guide explains common causes and provides methods to troubleshoot and resolve error 521.
Cloudflare error 521: Web server is down” />
Prerequisites:
Access
- to the Cloudflare account associated with the domain affected by
- Access to the Origin web server.
the error.
What is error 521?
When a user wants to visit a website that uses Cloudflare’s content delivery network (CDN), the following happens:
the web browser tries to connect to Cloudflare and Cloudflare tries to connect to the origin web server to display the content.
Error 521 occurs when Cloudflare is unable to connect to the website’s
- origin server.
What causes error 521?
The following issues cause error 521: Web server is down:
The
- Origin web server is offline. The server is offline or there is a problem with Apache or Nginx.
- Cloudflare IP addresses blocked/blacklisted. All connection requests arrive through Cloudflare’s IPs. The origin server may have a server-side security configuration that blocks an IP address if it sends too many requests.
- Configuration issues with the source web server. Servers must be specifically configured to work with a CDN. Error 521 can be caused by a misconfigured server.
- Packages dropped due to Apache modules for Slowloris denial of service prevention. Security modules for Apache can block requests from Cloudflare if they are not configured correctly.
How to Fix and Fix Error 521
Follow the steps below to fix and resolve Error 521
.
1. Check
the origin server
To fix Cloudflare error 521, first check if the origin server is online. This can be done by checking the HTTP status code of the server.
There are several ways to check the HTTP status of a website, described below. Check HTTP status
using
cURL
Open the command
prompt as an administrator (or terminal if you are using Mac or Linux) and run
the curl command: curl -silent -output /dev/null -write-out “%{http_code}”
https://example.site Additional options in the curl command do the following:
–
- silent – Hides the progress bar (does not print the process of obtaining the information).
- -output – Print an output.
- dev/null – Suppresses printing of the entire HTML body.
- write-out “%{http_code}” – Specifies the data/header requested to print the HTTP status code.
/
–
The output returns the HTTP status code 200 if the server is running. A 5xx HTTP status code (for example, 500 – internal server error) indicates a problem with the source server.
Check HTTP status
via online HTTP header checker
Open any online HTTP header checker and paste the URL or IP address of the website into the designated field
.
The result will be similar to the following image. The HTTP status code 200 indicates that the server is running.
Review
source server error logs
If the output returns an HTTP status code 5xx (server-side errors), review the server error log to try to identify the root cause of the problem.
Server error logs can be accessed
:
- Using a graphical user interface (for servers managed with a server management application)
- Through
the terminal.
If you are using the terminal to access Apache server error logs, the following are the default locations for different Linux distributions
: FreeBSD – /var/log/httpd-error.log Debian and Ubuntu – /var/log/
- apache2
- RHEL, Red Hat
/error.log
, CentOS and Fedora – /var/log/httpd/error_log
Nginx error logs
on the most popular Linux distributions, such as Ubuntu, Debian, and CentOS, are located at /var/log/nginx.
If you cannot access the web server error logs, Contact your hosting provider.
2. Cloudflare IP Address and Port Whitelist Cloudflare
is the mediator between a private firewall and the origin server. Every connection attempt made to a web page is processed by Cloudflare and routed to the origin server through a set of IP addresses and through specific network ports.
For Cloudflare to work properly, it must be able to communicate with the origin server without any interference. Error 521 will occur if the connection between
Cloudflare and the origin server is interfered with by the following:
- IP deny rules specified in .htaccess
- Firewall rules that restrict communication
- Disabled ports through which Cloudflare communicates with the origin
- Rate limiting and other types of server-side restrictions.
.
with Cloudflare.
server.
These problems can be solved by:
- Checking .htaccess and firewall rules
- Cloudflare IP whitelist
- Enabling the correct ports.
.
.
IP address whitelisting via .htaccess To whitelist Cloudflare’s IP addresses in the .
htaccess file, add all addresses on the line starting with allow from all and separate individual IP addresses with spaces.
IP address whitelisting via firewall The process of
whitelisting
IP addresses
will vary from firewall to firewall. As an example, this guide focuses on updating iptables rules. For other popular firewalls, check out our articles on How to use firewalld on CentOS 7 and How to set up UFW on Ubuntu.
To allow incoming connections from
Cloudflare IP addresses in iptables:
- Open the Linux terminal. Connect
- to the server via SSH
- Run the following command for each Cloudflare IP address (replace the example IP address with Cloudflare’s): sudo
.
iptables -A INPUT -s 192.168.0.1
-dport 443 -j ACCEPT
This will add a new rule to the iptables rule chain that allows incoming connections to the specified IP address. The parameters used in the syntax are
: -A – Adds rule to the rule string. INPUT – Specifies
- that the rule refers to all incoming connections
- s: Specifies the source of the traffic.
- j ACCEPT – Specifies what action to take on the data packets (accept).
- –
- dport 443 – Specifies the destination port number of a protocol – where to direct packets. Open port 443 for connections on encrypted networks.
. –
–
Optional parameters include:
-I – Specifies the network
- interface to whose traffic the filter applies. –
- p – Specifies the network protocol that filters incoming traffic (TCP, UDP, SCTP, UDP-lite, ICMPv6, etc.)
If whitelisting Cloudflare’s IP addresses doesn’t fix the 521 error, contact your hosting provider to check if the problem is on your side.
3. Confirm that
an SSL certificate is installed
If Cloudflare’s IPs are whitelisted and port 443 access is enabled, but error 521 persists, the problem may be with your website’s security certificate
. Cloudflare requires a
valid security certificate: Cloudflare’s origin certificate or a certificate from any publicly trusted authority. A missing (or expired) SSL certificate will cause error 521 or 526 to appear.
Whether you have an SSL certificate
or want to create one with Cloudflare, you’ll need to go through the process of creating an origin CA security certificate:
Log in to
- Cloudflare
- Choose the domain in which you want to install the certificate
- Go to SSL/TLS > source server
- Click Create Certificate.
-
- with Cloudflare
- existing third-party certificate (Use my private key and CSR
)Use an
- to which the certificate should be applied (the root zone and top-level wildcard hostname are included by default)
- Specify the expiration date of the certificate
- Click NextChoose
- the key format:
- PEM, DER
- PKCS#7 (. p7b) – for servers using Windows and Apache Tomcat
– for servers using OpenSSL (Apache and NGINX)
- and private key in separate files
- Click OKYou now
.
.
.
Choose if you want to:Generate a Cloudflare certificate (Generate private key and CSR
)Specify the host names
Save the source certificate
have a source CA security certificate that needs to be added to the source server. To do this:
Upload the certificate to your origin web server
- Update web server settings
- Enable SSL and port 443
- origin web
Some
servers
will also require a Cloudflare Origin CA root certificate to be uploaded. The RSA and EEC version of the certificate can be found in Cloudflare’s documentation.
4. Check
mod_security If
the Apache mod_security module acts as the firewall for the origin server, its main rules could be blocking Cloudflare requests, causing error 521 to appear
.
If you are using mod_security, make sure that the latest version is being used and that none of the rules block Cloudflare’s IP addresses
.
5. Disable
mod_antiloris and mod_reqtimeout
mod_antiloris and mod_reqtimeout are Apache HTTP server modules designed to prevent Slowloris denial of service (DoS) attacks by limiting the number of connections from unique IP addresses within a specific time period
.
Cloudflare is a reverse proxy, which means it processes requests and directs them to the origin server. This is completed on a limited range of IP addresses. With mod_antiloris and mod_reqtimeout configured, once a Cloudflare IP address exceeds the connection limit, every subsequent connection attempt from that address results in dropped packets.
To resolve the issue, disable and download the modules so that Cloudflare can work without interruption.
6. Check Railgun settings Railgun
is a WAN optimization protocol developed by Cloudflare to increase connection speed
. Incorrect configuration of Railgun causes error 521 to appear,
accompanied by the error message “Connection error railgun.wan_error”.
To resolve the issue, disable Railgun so that the website can be accessed and review the settings. If you need help, contact Cloudflare support.
7. Contact
Cloudflare Support
If the troubleshooting methods did not help locate the problem, contact Cloudflare support. A representative will guide you through gathering the required information and troubleshooting.
Conclusion
Now you know what causes the error message “Error 521: The web server is down” and how to fix and fix it
.
Use the information provided in this guide to correct error 521 and prevent it from occurring in the future
. Error
521 is just one of numerous error messages that can appear when visiting a website that uses Cloudflare’s CDN. Another common error code is 520: The web server returns an unknown error. Check out our guide that explains what error 520 means and how to fix it.