Error 521: What Causes It and How to Fix It – phoenixNAP

Introduction

The error message “Error 521: The web server is down” indicates a problem with the server. It is the Cloudflare error shown when the origin server does not respond to Cloudflare’s request.

This guide explains common causes and provides methods to troubleshoot and resolve error 521.

<img src="https://phoenixnap.com/kb/wp-content/uploads/2023/02/how-to-fix-error-521.png" alt="How to fix Cloudflare error 521: Web server is down" />

Prerequisites:

  • Access to the Cloudflare account associated with the domain affected by the error.
  • Access to the origin web server.

What is error 521?

When a user wants to visit a website that uses Cloudflare’s content delivery network (CDN), the following happens: the web browser connects to Cloudflare, and Cloudflare connects to the origin web server to fetch the content.

Error 521 occurs when Cloudflare is unable to connect to the website’s origin server.

[Image: Cloudflare Error 521 Web server is down]

What causes error 521?

The following issues cause error 521: Web server is down:

  • The origin web server is offline. The server itself is down, or there is a problem with Apache or Nginx.
  • Cloudflare IP addresses are blocked/blacklisted. All connection requests arrive through Cloudflare’s IPs. The origin server may have a server-side security configuration that blocks an IP address if it sends too many requests.
  • Configuration issues with the origin web server. Servers must be specifically configured to work with a CDN; a misconfigured server can cause error 521.
  • Packets dropped by Apache modules for Slowloris denial-of-service prevention. Security modules for Apache can block requests from Cloudflare if they are not configured correctly.

How to Troubleshoot and Fix Error 521

Follow the steps below to troubleshoot and resolve Error 521.

1. Check the origin server

To fix Cloudflare error 521, first check whether the origin server is online. This can be done by checking the HTTP status code the server returns.

There are several ways to check the HTTP status of a website, described below.

Check HTTP status using cURL

Open the command prompt as an administrator (or a terminal if you are using Mac or Linux) and run the curl command:

curl --silent --output /dev/null --write-out "%{http_code}" https://example.site

The options in the curl command do the following:

  • --silent – Hides the progress bar (does not print the progress of the request).
  • --output /dev/null – Discards the response body, so the HTML is not printed.
  • --write-out "%{http_code}" – Prints the HTTP status code once the request completes.

The output returns the HTTP status code 200 if the server is running. A 5xx HTTP status code (for example, 500 – internal server error) indicates a problem with the origin server.
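The curl check above, wrapped in a shell function as an added example (this is not code from the original article). It adds two things the one-liner does not show: connect and total timeouts, so a hung origin does not stall the check, and an optional second argument with the origin’s IP address, which uses curl’s --resolve option to pin the hostname to that address. Without it, a hostname that is proxied through Cloudflare resolves to Cloudflare’s edge, so a 200 only proves that Cloudflare is up, not the origin. It also maps curl’s 000 code (no HTTP response at all) to the condition that actually produces a 521. The hostnames and IP in it are constructed placeholders.

```shell
#!/bin/sh
# Added example: probe the origin's HTTP status the way the article's curl
# one-liner does, but with timeouts and an optional direct-to-origin path.

# Hostname part of a URL (scheme, path and port stripped).
url_host() {
    printf '%s' "$1" | sed -E 's#^https?://##; s#[/:].*$##'
}

# Usage: origin_http_status https://www.example.site [ORIGIN_IP]
# Prints the three-digit HTTP status, or 000 if no response was received.
origin_http_status() {
    url=$1
    origin_ip=${2:-}
    host=$(url_host "$url")
    port=443
    case $url in http://*) port=80 ;; esac
    resolve=""
    # With an origin IP, pin the hostname to it so the request bypasses
    # Cloudflare's edge and reaches the origin directly (TLS SNI still
    # carries the real hostname, so the origin's vhost is selected).
    if [ -n "$origin_ip" ]; then
        resolve="--resolve ${host}:${port}:${origin_ip}"
    fi
    # curl prints 000 when no HTTP response arrived (refused, timed out,
    # TLS failure); "|| true" keeps that code instead of aborting on
    # curl's non-zero exit status. $resolve is deliberately unquoted so
    # it splits into the option and its value.
    curl --silent --output /dev/null --write-out '%{http_code}' \
        --connect-timeout 5 --max-time 15 $resolve "$url" || true
}

# Map a status code to the condition the article describes.
# Returns 0 when the origin looks healthy, 1 otherwise.
classify_status() {
    code=$1
    case $code in
        000)     echo "no response: origin unreachable (this is the 521 condition)"; return 1 ;;
        2??|3??) echo "origin up (HTTP $code)"; return 0 ;;
        4??)     echo "origin reachable but refusing the request (HTTP $code)"; return 1 ;;
        5??)     echo "origin reachable but failing (HTTP $code): check the error log"; return 1 ;;
        *)       echo "unexpected status: $code"; return 1 ;;
    esac
}

# Stand-alone run: set ORIGIN_URL (and optionally ORIGIN_IP) in the environment.
if [ -n "${ORIGIN_URL:-}" ]; then
    status=$(origin_http_status "$ORIGIN_URL" "${ORIGIN_IP:-}")
    classify_status "$status"
fi
```

Run it as ORIGIN_URL=https://www.example.site ORIGIN_IP=203.0.113.10 sh check.sh (constructed values) to see what the origin itself answers; compare with the same command without ORIGIN_IP, which goes through Cloudflare.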

Check HTTP status via an online HTTP header checker

Open any online HTTP header checker and paste the URL or IP address of the website into the designated field.

The result will be similar to the following image. The HTTP status code 200 indicates that the server is running.

[Image: How to check the HTTP status code using an online HTTP header checker]

Review origin server error logs

If the output returns a 5xx HTTP status code (server-side errors), review the server error log to identify the root cause of the problem.

Server error logs can be accessed:

  • Using a graphical user interface (for servers managed with a server management application).
  • Through the terminal.

If you are using the terminal to access Apache error logs, the following are the default locations on different Linux distributions:

  • FreeBSD – /var/log/httpd-error.log
  • Debian and Ubuntu – /var/log/apache2/error.log
  • RHEL, Red Hat, CentOS and Fedora – /var/log/httpd/error_log

Nginx error logs on the most popular Linux distributions, such as Ubuntu, Debian, and CentOS, are located in /var/log/nginx.

If you cannot access the web server error logs, contact your hosting provider.

2. Whitelist Cloudflare IP Addresses and Ports

Cloudflare is the mediator between a private firewall and the origin server. Every connection attempt made to a web page is processed by Cloudflare and routed to the origin server from a set of Cloudflare IP addresses over specific network ports.

For Cloudflare to work properly, it must be able to communicate with the origin server without interference. Error 521 occurs if the connection between Cloudflare and the origin server is interfered with by any of the following:

  • IP deny rules specified in .htaccess.
  • Firewall rules that restrict communication with Cloudflare.
  • Disabled ports through which Cloudflare communicates with the origin server.
  • Rate limiting and other types of server-side restrictions.

These problems can be solved by:

  • Checking .htaccess and firewall rules.
  • Whitelisting Cloudflare’s IP addresses.
  • Enabling the correct ports.

IP address whitelisting via .htaccess

To whitelist Cloudflare’s IP addresses in the .htaccess file, add all addresses to the line starting with allow from all, separating individual IP addresses with spaces.

IP address whitelisting via firewall

The process of whitelisting IP addresses varies from firewall to firewall. As an example, this guide focuses on updating iptables rules. For other popular firewalls, check out our articles on How to use firewalld on CentOS 7 and How to set up UFW on Ubuntu.

To allow incoming connections from Cloudflare IP addresses in iptables:

  1. Open the Linux terminal.
  2. Connect to the server via SSH.
  3. Run the following command for each Cloudflare IP address (replace the example IP address with Cloudflare’s):

sudo iptables -A INPUT -p tcp -s 192.168.0.1 --dport 443 -j ACCEPT

This adds a new rule to the INPUT chain that allows incoming connections from the specified IP address. The parameters used in the syntax are:

  • -A – Appends the rule to the chain.
  • INPUT – Specifies that the rule applies to incoming connections.
  • -p tcp – Specifies the protocol; --dport is only valid together with a protocol match, so it cannot be omitted here.
  • -s – Specifies the source of the traffic.
  • --dport 443 – Specifies the destination port of the packets. Port 443 is the port used for encrypted (HTTPS) connections.
  • -j ACCEPT – Specifies the action to take on matching packets (accept).

Optional parameters include:

  • -i – Specifies the network interface whose traffic the rule applies to.
  • -p – Specifies the network protocol that the rule matches (TCP, UDP, SCTP, UDP-lite, ICMPv6, etc.).

If whitelisting Cloudflare’s IP addresses doesn’t fix the 521 error, contact your hosting provider to check if the problem is on your side.
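An added example, not code from the original article, that covers both whitelisting methods above at once: it takes one list of address ranges and emits the .htaccess "Allow from" line and the iptables rules for them, so the two never drift apart. The sample ranges are constructed documentation addresses, not Cloudflare’s; Cloudflare publishes its real lists at https://www.cloudflare.com/ips-v4 and https://www.cloudflare.com/ips-v6, which you can pipe in instead. It differs from the article’s command in two deliberate ways: it uses -I (insert at the top of the chain) rather than -A, because an existing DROP rule earlier in the INPUT chain would otherwise still win, and it sends IPv6 ranges to ip6tables, which iptables cannot handle. Nothing here changes the live firewall unless you pipe the generated commands into sh yourself.

```shell
#!/bin/sh
# Added example: generate allowlist rules for Cloudflare's address ranges
# from one list of CIDRs, in the two forms the article describes
# (.htaccess "Allow from" and iptables INPUT rules).

# Constructed sample (RFC 5737/3849 documentation space, NOT Cloudflare's
# real ranges). Fetch the real lists with:
#   curl -s https://www.cloudflare.com/ips-v4; curl -s https://www.cloudflare.com/ips-v6
SAMPLE_RANGES='203.0.113.0/24
198.51.100.0/25
2001:db8:abcd::/48
not-an-address'

# Keep only lines that look like an IPv4 or IPv6 prefix; anything else in a
# downloaded list (an HTML error page, a blank line) must not become a rule.
valid_cidrs() {
    grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$|^[0-9a-fA-F]*:[0-9a-fA-F:]*(/[0-9]{1,3})?$'
}

# .htaccess form: one "Allow from" line with space-separated addresses, as
# the article describes (mod_access_compat syntax; on Apache 2.4 without
# that module the native equivalent is "Require ip <addresses>").
gen_htaccess() {
    addrs=$(valid_cidrs | tr '\n' ' ' | sed 's/ *$//')
    printf 'Allow from %s\n' "$addrs"
}

# iptables form: one ACCEPT rule per range for the given TCP port.
# -I puts the rule at the top of the chain so an earlier DROP cannot
# shadow it; IPv6 ranges (they contain a colon) go to ip6tables.
gen_iptables() {
    port=$1
    valid_cidrs | while IFS= read -r cidr; do
        case $cidr in
            *:*) tool=ip6tables ;;
            *)   tool=iptables ;;
        esac
        printf '%s -I INPUT -p tcp -s %s --dport %s -j ACCEPT\n' "$tool" "$cidr" "$port"
    done
}

# Stand-alone run: show both forms for the constructed sample.
printf '%s\n' "$SAMPLE_RANGES" | gen_htaccess
printf '%s\n' "$SAMPLE_RANGES" | gen_iptables 443
```

To apply the rules on a real origin, review the generated output first and then run it with privileges, for example curl -s https://www.cloudflare.com/ips-v4 | gen_iptables 443 | sudo sh; the same pipeline with ips-v6 covers IPv6. Remember that iptables rules are not persistent across reboots unless saved with the distribution’s tooling.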

3. Confirm that an SSL certificate is installed

If Cloudflare’s IPs are whitelisted and port 443 access is enabled, but error 521 persists, the problem may be with your website’s security certificate. Cloudflare requires a valid security certificate: either Cloudflare’s origin certificate or a certificate from any publicly trusted authority. A missing (or expired) SSL certificate causes error 521 or 526 to appear.

Whether you already have an SSL certificate or want to create one with Cloudflare, you will need to go through the process of creating an origin CA certificate:

  1. Log in to Cloudflare.
  2. Choose the domain on which you want to install the certificate.
  3. Go to SSL/TLS > Origin Server.
  4. Click Create Certificate.
  5. Choose whether you want to:
     • Generate a Cloudflare certificate (Generate private key and CSR with Cloudflare), or
     • Use an existing third-party certificate (Use my private key and CSR).
  6. Specify the hostnames to which the certificate should apply (the root zone and top-level wildcard hostname are included by default).
  7. Specify the expiration date of the certificate.
  8. Click Next.
  9. Choose the key format:
     • PEM, DER – for servers using OpenSSL (Apache and NGINX).
     • PKCS#7 (.p7b) – for servers using Windows and Apache Tomcat.
  10. Save the origin certificate and the private key in separate files.
  11. Click OK.

You now have an origin CA certificate that needs to be added to the origin server. To do this:

  1. Upload the certificate to your origin web server.
  2. Update the web server settings.
  3. Enable SSL and port 443.

Some origin web servers will also require the Cloudflare Origin CA root certificate to be uploaded. The RSA and ECC versions of that certificate can be found in Cloudflare’s documentation.
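Two checks worth running after uploading the certificate and key and before restarting the web server, as an added example that is not part of the original article. Saving the certificate and private key in separate files makes it easy to pair the wrong ones, and Apache or Nginx then refuse to start, which leaves the origin down; the first function catches that by comparing the public key derived from each file. The second asks whether the certificate expires within a given window, since an expired origin certificate is the 521/526 case named above. Both use only the openssl command-line tool; the certificate and keys are generated on the fly as a constructed, self-signed stand-in for a real origin certificate.

```shell
#!/bin/sh
# Added example: sanity checks for an installed origin certificate, using
# only the openssl CLI.

# Does the private key belong to this certificate? Returns 0 on match,
# 1 on mismatch. Comparing the derived public keys works for RSA and ECC
# alike, unlike comparing RSA moduli.
cert_key_match() {
    cert=$1; key=$2
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$key" -pubout) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# Will the certificate still be valid SECONDS from now? Returns 0 if so,
# 1 if it has already expired or expires within that window.
cert_not_expiring() {
    cert=$1; seconds=${2:-86400}
    openssl x509 -in "$cert" -noout -checkend "$seconds" >/dev/null
}

# Constructed test material: a self-signed certificate valid for 30 days
# with its key, plus an unrelated key to show the mismatch being caught.
# Prints the directory holding cert.pem, key.pem and other.pem.
make_demo_certs() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$dir/key.pem" \
        -out "$dir/cert.pem" -days 30 -subj "/CN=origin.example" 2>/dev/null
    openssl genpkey -algorithm RSA -out "$dir/other.pem" 2>/dev/null
    echo "$dir"
}

# Stand-alone run over the constructed material.
demo=$(make_demo_certs)
if cert_key_match "$demo/cert.pem" "$demo/key.pem"; then
    echo "cert.pem / key.pem: key matches"
fi
if ! cert_key_match "$demo/cert.pem" "$demo/other.pem"; then
    echo "cert.pem / other.pem: MISMATCH (the web server would refuse to start)"
fi
if cert_not_expiring "$demo/cert.pem" $((7 * 86400)); then
    echo "cert.pem: not expiring within 7 days"
else
    echo "cert.pem: expires within 7 days, renew it"
fi
```

On a real origin, point the functions at the uploaded files, for example cert_key_match /etc/ssl/origin.pem /etc/ssl/origin.key (constructed paths), and run cert_not_expiring from a daily cron job with a window of a couple of weeks so renewal happens before Cloudflare starts returning errors.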

4. Check mod_security

If the Apache mod_security module acts as the firewall for the origin server, its rules could be blocking Cloudflare requests, causing error 521 to appear.

If you are using mod_security, make sure that the latest version is in use and that none of its rules block Cloudflare’s IP addresses.
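One way to check both of the points above, reviewing the origin’s error log and confirming that no access or mod_security rule is blocking Cloudflare, as an added example that is not code from the original article: it scans an Apache error log for requests the server itself refused and counts them per client address. A Cloudflare address near the top of the output points at a rule that blocks the proxy. The sample log lines are constructed in the Apache 2.4 error-log format, using documentation addresses and a placeholder rule id; the denial messages themselves (mod_security’s "Access denied" and mod_authz_core’s AH01630) are the real ones those modules write.

```shell
#!/bin/sh
# Added example: find which clients the origin's own rules are rejecting.

# Constructed sample in Apache 2.4 error-log format: two mod_security
# denials, one mod_authz_core denial (AH01630) and one unrelated notice.
SAMPLE_LOG='[Tue Feb 14 10:00:01.000000 2023] [mpm_event:notice] [pid 1200:tid 1200] AH00489: Apache/2.4.52 (Ubuntu) configured -- resuming normal operations
[Tue Feb 14 10:00:05.100000 2023] [security2:error] [pid 1234:tid 5678] [client 203.0.113.10:44512] ModSecurity: Access denied with code 403 (phase 2). [file "/etc/modsecurity/rules.conf"] [id "000000"] [hostname "www.example.site"] [uri "/"]
[Tue Feb 14 10:00:05.200000 2023] [security2:error] [pid 1234:tid 5679] [client 203.0.113.10:44520] ModSecurity: Access denied with code 403 (phase 2). [file "/etc/modsecurity/rules.conf"] [id "000000"] [hostname "www.example.site"] [uri "/login"]
[Tue Feb 14 10:00:06.000000 2023] [authz_core:error] [pid 1235:tid 5680] [client 198.51.100.7:50001] AH01630: client denied by server configuration: /var/www/html/index.html'

# Print "address count", most frequently denied first. Reads the log from
# stdin, so it works on a file, a "tail -f" stream, or zcat of a rotated log.
# The sed expression pulls the address out of "[client ADDR:PORT]"; the
# greedy character class keeps IPv6 addresses intact because only the
# final ":PORT]" is consumed by the trailing part of the pattern.
denied_clients() {
    grep -E 'ModSecurity: Access denied|AH01630: client denied' \
      | sed -n 's/.*\[client \([0-9a-fA-F.:]*\):[0-9]*\].*/\1/p' \
      | sort | uniq -c | sort -rn \
      | awk '{ print $2, $1 }'
}

# Stand-alone run over the constructed sample; for a real log use e.g.
#   denied_clients < /var/log/apache2/error.log
printf '%s\n' "$SAMPLE_LOG" | denied_clients
```

Compare the addresses it prints against Cloudflare’s published ranges; a match means the module (security2 for mod_security, authz_core for an .htaccess or Directory rule) is rejecting the proxy and the corresponding rule needs an exception, which is exactly the 521 cause the section above describes.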

5. Disable mod_antiloris and mod_reqtimeout

mod_antiloris and mod_reqtimeout are Apache HTTP server modules designed to prevent Slowloris denial-of-service (DoS) attacks by limiting the number of connections from a single IP address within a specific time period.

Cloudflare is a reverse proxy, which means it processes requests and forwards them to the origin server, and it does so from a limited range of IP addresses. With mod_antiloris and mod_reqtimeout configured, once a Cloudflare IP address exceeds the connection limit, every subsequent connection attempt from that address results in dropped packets.

To resolve the issue, disable and unload the modules so that Cloudflare can work without interruption.

6. Check Railgun settings

Railgun is a WAN optimization protocol developed by Cloudflare to increase connection speed. Incorrect configuration of Railgun causes error 521 to appear, accompanied by the error message “Connection error railgun.wan_error”.

To resolve the issue, disable Railgun so that the website can be accessed, then review its settings. If you need help, contact Cloudflare support.

7. Contact Cloudflare Support

If the troubleshooting methods did not help locate the problem, contact Cloudflare support. A representative will guide you through gathering the required information and troubleshooting.

Conclusion

Now you know what causes the error message “Error 521: The web server is down” and how to troubleshoot and fix it.

Use the information provided in this guide to correct error 521 and prevent it from occurring in the future.

Error 521 is just one of numerous error messages that can appear when visiting a website that uses Cloudflare’s CDN. Another common error code is 520: The web server returned an unknown error. Check out our guide that explains what error 520 means and how to fix it.
