How to Fix Cloudflare 521 Web Server Is Down Error

DodaTech 2 min read

This tutorial shows how to diagnose and fix Cloudflare's Error 521 (Web Server Is Down): testing the origin directly, checking for firewall and fail2ban blocks, allowing Cloudflare's IP ranges, and preventing the error from recurring.

The Problem

Visitors see Error 521 Web Server Is Down. Cloudflare cannot establish a TCP connection to your origin server. Unlike 502 (bad response), error 521 means no connection was made at all. Cloudflare sent a SYN packet but never received a SYN-ACK back. The origin may be down, overloaded, or actively blocking Cloudflare's IP addresses.

Quick Fix

1. Check if your origin server is accessible

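# Test directly (bypassing Cloudflare)
curl -v http://<your-server-ip>:80
# -k: the certificate will not match a bare IP address, so skip verification;
# this request only tests whether the origin accepts the connection
curl -vk https://<your-server-ip>:443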

If this fails, your server or web service is down.

2. Check if Cloudflare IPs are blocked by firewall

# Check firewall rules
sudo iptables -L -n | grep DROP
sudo ufw status

# Check fail2ban
sudo fail2ban-client status

3. Allow Cloudflare IP ranges

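# Download latest Cloudflare IP ranges (-f: fail on an HTTP error instead of saving the error page)
curl -fsS https://www.cloudflare.com/ips-v4 -o /tmp/cf-ips.txt
# Add a line break so the last IPv4 range and the first IPv6 range cannot run together
echo >> /tmp/cf-ips.txt
curl -fsS https://www.cloudflare.com/ips-v6 >> /tmp/cf-ips.txt

# Allow through ufw
for ip in $(cat /tmp/cf-ips.txt); do
  sudo ufw allow from "$ip" to any port 80,443 proto tcp
done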

4. Check origin web server logs

sudo tail -100 /var/log/nginx/error.log
sudo tail -100 /var/log/apache2/error.log

5. Check server resource usage

top -bn1 | head -20
df -h
ss -s

6. Temporarily pause Cloudflare proxy

In the Cloudflare dashboard, toggle the proxy status from orange (proxied) to gray (DNS only). If the site works, the issue is between Cloudflare and your origin.

7. Restart the web server

sudo systemctl restart nginx
# or
sudo systemctl restart apache2

Common Causes

Cause | Why It Happens | Fix
Origin server down | Server crashed or stopped | Check systemctl status nginx
Firewall blocking Cloudflare IPs | iptables or ufw blocks Cloudflare ranges | Allow Cloudflare IPs
Fail2ban banned Cloudflare IPs | Cloudflare IPs seen as login attempts | Add Cloudflare IPs to fail2ban whitelist
Web server not listening | Nginx/Apache/Node not started | sudo systemctl start nginx
Port blocked by hosting provider | Some providers block non-standard ports | Use ports 80/443 only
DNS resolves to wrong IP | Old A record points to wrong server | Check DNS records in Cloudflare dashboard

Additional Troubleshooting

# Check the error message and stack trace for more context
echo "Review the full error output to identify the root cause"

If the above steps do not resolve the issue, examine the complete error message and stack trace. Often the key detail is in the middle of the traceback rather than the final line. Search for the error message in the project documentation or issue tracker for additional solutions.

Prevention

  • Allow all Cloudflare IP ranges in your firewall with a monthly cron job
  • Set up origin server monitoring with alerts for CPU, memory, and disk usage
  • Use Cloudflare's "Always Online" feature to serve cached content during outages
  • Test firewall rules after every change to ensure Cloudflare IPs aren't accidentally blocked
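
For the monthly cron job in the first bullet, an added example (not from the original page): it checks that a downloaded list contains only CIDR ranges before anything reaches ufw, then prints the rules to add and remove instead of running them. The function names and sample ranges are assumptions, and the CIDR check is syntactic only.

```shell
# Added example, not the page's own script. Function names are hypothetical.

# Print every valid CIDR in file $1. Fails if any line is not a CIDR or the
# file holds no ranges at all (an HTML error page, an empty download).
cf_validate() {
  awk '
    /^$/ { next }
    /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\/[0-9]+$/ {
      split($0, p, "[./]")
      if (p[1]+0<=255 && p[2]+0<=255 && p[3]+0<=255 && p[4]+0<=255 && p[5]+0<=32) { n++; print; next }
    }
    /^[0-9A-Fa-f:]*:[0-9A-Fa-f:]*\/[0-9]+$/ {
      split($0, p, "/")
      if (p[2]+0 <= 128) { n++; print; next }
    }
    { bad = 1; print "rejected: " $0 > "/dev/stderr" }
    END { exit (bad || !n) }
  ' "$1"
}

# Print the ufw commands that take the firewall from the previously applied
# list ($1, /dev/null on first run) to the validated list ($2). Runs nothing.
cf_plan() (
  LC_ALL=C; export LC_ALL
  old=$(mktemp); new=$(mktemp)
  sort -u "$1" > "$old"; sort -u "$2" > "$new"
  comm -13 "$old" "$new" | sed 's|.*|ufw allow from & to any port 80,443 proto tcp|'
  comm -23 "$old" "$new" | sed 's|.*|ufw delete allow from & to any port 80,443 proto tcp|'
  rm -f "$old" "$new"
)

# Validate the fresh download ($2) and only then plan against the old list ($1).
cf_sync() (
  good=$(mktemp)
  if cf_validate "$2" > "$good"; then cf_plan "$1" "$good"; rc=0
  else echo "list failed validation; firewall left unchanged" >&2; rc=1; fi
  rm -f "$good"; exit "$rc"
)

# Constructed sample data (documentation ranges, not real Cloudflare ranges).
cf_demo() (
  d=$(mktemp -d)
  printf '192.0.2.0/24\n198.51.100.0/24\n' > "$d/applied.txt"
  printf '198.51.100.0/24\n2001:db8::/32' > "$d/fresh.txt"  # no final newline
  cf_sync "$d/applied.txt" "$d/fresh.txt"
  rm -rf "$d"
)

cf_demo
```

Review the printed commands before running them with sudo, and keep the validated list as the "previously applied" file for the next run.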
