How to Fix Cloudflare Error 521: Web server is down

Fix Cloudflare Error 521 'Web server is down' by verifying origin server uptime, opening port 443, and allowing Cloudflare IPs in your firewall settings.

Key Takeaways
  • Verify your origin web server (Nginx, Apache, IIS) is actively running and hasn't crashed due to resource exhaustion.
  • Ensure your web server is listening on the correct ports (80 for HTTP, 443 for HTTPS) and binding to public IP addresses.
  • Whitelist all Cloudflare IP address ranges in your host-level firewall (UFW, iptables) and cloud provider security groups.
  • Configure security tools like Fail2Ban or ModSecurity to log the true client IP, preventing them from automatically banning Cloudflare edge nodes.
Common Fix Approaches for Error 521
Method                 | When to Use                                      | Time    | Risk
Restart Web Service    | Service process crashed or hanging               | 2 mins  | Low
Whitelist CF IP Ranges | Firewall actively dropping CF edge requests      | 10 mins | Medium
Adjust SSL/TLS Mode    | Cloudflare attempting HTTPS on HTTP-only origin  | 5 mins  | Low
Reconfigure Fail2Ban   | Host automatically banning Cloudflare proxies    | 15 mins | Medium

Understanding Cloudflare Error 521

When you use Cloudflare to protect and accelerate your website, it acts as a reverse proxy. Traffic flows from the visitor's browser, hits Cloudflare's edge network, and then Cloudflare forwards that request to your actual hosting environment (the origin server).

The Error 521: Web server is down message is an HTTP status code generated directly by Cloudflare. It specifically means that Cloudflare's edge successfully routed the request to your origin server's IP address, but the origin actively refused the TCP connection. This is distinct from a 522 timeout (where the server silently drops packets) or a 523 origin unreachable (routing failure).

A 521 error essentially says: "We knocked on the door, and the server explicitly slammed it in our face."

Root Causes of Error 521

  1. The web server process is offline: Nginx, Apache, or IIS has crashed or was stopped.
  2. Firewall interference: Your server's firewall (like iptables, UFW, or Windows Firewall) is configured to block or reject Cloudflare's IP addresses.
  3. Incorrect port binding: Cloudflare is trying to reach port 443 (HTTPS), but your server is only listening on port 80 (HTTP).
  4. Aggressive security modules: Tools like Fail2Ban, ModSecurity, or custom rate-limiting scripts are mistakenly identifying Cloudflare's proxy IPs as malicious attackers because all traffic appears to originate from them.

Step-by-Step Troubleshooting Guide

Step 1: Verify Origin Web Server Status

The most common reason for a connection refusal is that the service simply isn't running. SSH into your origin server and check the status of your web server daemon.

For Nginx on Debian/Ubuntu systems:

systemctl status nginx

For Apache:

systemctl status apache2
# or on RHEL/CentOS:
systemctl status httpd

If the status is failed or inactive, attempt to restart the service (sudo systemctl restart nginx). If it fails to restart, investigate your web server error logs (/var/log/nginx/error.log or journalctl -xe). Often, an underlying syntax error in your configuration files or a lack of available memory (OOM Killer) causes the crash.

Step 2: Confirm Port Bindings

Even if the web server is running, it must be listening on the interfaces and ports that Cloudflare is trying to reach. By default, Cloudflare connects over port 80 (HTTP) or 443 (HTTPS).

Check which ports are actively listening:

sudo ss -tulpn | grep -E ':80|:443'

You should see output indicating that your web service is listening on 0.0.0.0:80 and 0.0.0.0:443. If it is only listening on 127.0.0.1 (localhost), external requests from Cloudflare will be refused. Update your server blocks (Nginx) or Virtual Hosts (Apache) to bind to public IP addresses.
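The listener check above is easy to misread when a server binds one port publicly and the other only to loopback. The following script, added here as an example and not part of the original guide, parses ss -tulpn output and reports, per port, whether Cloudflare's connection would be accepted or refused. The function names are hypothetical and SS_SAMPLE is a constructed listing (Nginx on 127.0.0.1:80 and 0.0.0.0:443), not output captured from a real host.

```shell
#!/bin/bash
# Added example: decide from `ss -tulpn` output whether ports 80 and 443 are
# bound to a public address or only to loopback. Function names are
# hypothetical; SS_SAMPLE is a constructed listing, not captured from a host.

SS_SAMPLE='Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
tcp   LISTEN 0      511    127.0.0.1:80        0.0.0.0:*         users:(("nginx",pid=1234,fd=6))
tcp   LISTEN 0      511    0.0.0.0:443         0.0.0.0:*         users:(("nginx",pid=1234,fd=7))
tcp   LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=800,fd=3))
udp   UNCONN 0      0      0.0.0.0:68          0.0.0.0:*         users:(("dhclient",pid=600,fd=5))'

# listener_scope PORT   (reads ss output on stdin)
# Prints "public" if any TCP listener on PORT is bound to a non-loopback
# address (0.0.0.0, [::], *, or a specific interface IP), "loopback" if only
# 127.0.0.1 / [::1] listen, and "none" if nothing listens on that port.
listener_scope() {
    local port="$1" scope="none" netid state rq sq laddr rest addr
    while read -r netid state rq sq laddr rest; do
        [ "$netid" = "tcp" ] && [ "$state" = "LISTEN" ] || continue
        # Local address looks like 0.0.0.0:443, [::]:443, *:443 or 127.0.0.1:80
        [ "${laddr##*:}" = "$port" ] || continue
        addr="${laddr%:*}"
        case "$addr" in
            127.*|'[::1]') [ "$scope" = "public" ] || scope="loopback" ;;
            *) scope="public" ;;
        esac
    done
    echo "$scope"
}

# check_origin_ports SS_OUTPUT
# Reports each port Cloudflare connects to; returns 1 if either would refuse it.
check_origin_ports() {
    local ss_output="$1" rc=0 port scope
    for port in 80 443; do
        scope=$(printf '%s\n' "$ss_output" | listener_scope "$port")
        case "$scope" in
            public)   echo "port $port: listening on a public address" ;;
            loopback) echo "port $port: bound to loopback only, Cloudflare would be refused"; rc=1 ;;
            *)        echo "port $port: nothing listening, Cloudflare would be refused"; rc=1 ;;
        esac
    done
    return "$rc"
}

# On a real host, replace "$SS_SAMPLE" with "$(sudo ss -tulpn)".
check_origin_ports "$SS_SAMPLE" || echo "fix the bindings above, then re-test through Cloudflare"
```

With the constructed sample the script flags port 80 as loopback-only, which is exactly the Flexible-mode failure described in Step 4: Cloudflare would connect on port 80 and be refused even though HTTPS works.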

Step 3: Whitelist Cloudflare IP Ranges

Since Cloudflare operates as a reverse proxy, all inbound traffic to your origin server will originate from Cloudflare's IP ranges. If your host-level firewall or cloud provider's network security group restricts traffic to specific IPs or indiscriminately blocks connections, it will refuse Cloudflare's requests.

You must explicitly allow Cloudflare's IPv4 and IPv6 ranges.

If you use UFW (Uncomplicated Firewall), you can allow the IPs using a loop. First, verify your firewall status:

sudo ufw status

If enabled, you need to permit the specific ranges published on Cloudflare's official IP list (https://www.cloudflare.com/ips/). (See the Code Block section for an automated script to do this).

Note for Cloud Users: If you are hosted on AWS (EC2), Google Cloud, or DigitalOcean, ensure that your external VPC Security Groups or Cloud Firewalls also permit inbound TCP traffic on ports 80 and 443 from anywhere (0.0.0.0/0) or strictly from Cloudflare's IPs. Opening the ports to 0.0.0.0/0 clears the 521 quickly, but it also leaves the origin reachable without passing through Cloudflare; restricting the source to Cloudflare's ranges is the tighter configuration.

Step 4: Validate Cloudflare SSL/TLS Encryption Mode

Cloudflare offers several SSL/TLS encryption modes: Flexible, Full, and Full (Strict). A mismatch here often causes a 521 error.

  • Flexible: Cloudflare connects to your origin over HTTP (port 80). If your origin server redirects all HTTP traffic to HTTPS (port 443), it creates a continuous redirect loop or a connection refusal if port 80 is closed.
  • Full / Full (Strict): Cloudflare connects to your origin over HTTPS (port 443). If your origin does not have an SSL certificate installed or is not configured to listen on port 443, the connection is refused.

The Fix: Go to the Cloudflare Dashboard > SSL/TLS > Overview. Ensure your encryption mode matches your origin's capability. The industry best practice is to install a free Let's Encrypt certificate or a Cloudflare Origin CA certificate on your server and use Full (Strict) mode.

Step 5: Prevent Security Modules from Banning Cloudflare

If your site goes down intermittently with a 521 error, a security tool like Fail2Ban is likely automatically banning Cloudflare's IPs. Because Cloudflare proxies all requests, thousands of different visitors will appear in your origin server logs under just a handful of Cloudflare IP addresses.

When bad actors probe your site, Fail2Ban sees the malicious requests coming from a Cloudflare IP and dynamically creates an iptables rule to ban it. Consequently, all legitimate traffic passing through that Cloudflare edge node is also blocked.

To resolve this, you must configure your web server to restore original visitor IPs.

For Nginx: Edit your nginx.conf and use the ngx_http_realip_module.

# Inside the http { } context: trust the Cloudflare ranges as proxies
set_real_ip_from 173.245.48.0/20;
set_real_ip_from 103.21.244.0/22;
# ... (add all CF IPs, IPv4 and IPv6, from https://www.cloudflare.com/ips/)

# Take the visitor address from the header Cloudflare adds to every request
real_ip_header CF-Connecting-IP;

Once configured, Nginx will log the actual visitor's IP instead of Cloudflare's proxy IP. Fail2Ban will then ban the malicious visitor, not Cloudflare.
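Two checks that Steps 3 and 5 both rely on are worth scripting: that every entry fed into ufw or written into the Nginx include is a well-formed prefix (the fetched list is applied blindly otherwise), and that the addresses a Fail2Ban jail has banned are not in fact Cloudflare edge nodes. The script below is an added example, not code from the original guide. Its function names are hypothetical; CF_RANGES mixes three published Cloudflare prefixes with a deliberately malformed entry, and BANNED is a constructed list of addresses a jail might hold, not data from a real host. It also goes slightly beyond the page by generating the set_real_ip_from lines from the same validated list.

```shell
#!/bin/bash
# Added example: validate IPv4 prefixes, test whether banned addresses fall
# inside them, and emit the matching Nginx real-IP directives.
# Function names are hypothetical. CF_RANGES and BANNED are constructed
# samples (three real Cloudflare prefixes plus one malformed entry).

CF_RANGES='173.245.48.0/20
103.21.244.0/22
104.16.0.0/13
not-a-range'

BANNED='173.245.48.17
203.0.113.45
104.18.3.9'

# ip2int A.B.C.D -> unsigned 32-bit integer
ip2int() {
    local IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# cidr_valid PREFIX -> exit 0 only for a well-formed IPv4 prefix (a.b.c.d/0-32)
cidr_valid() {
    local ip bits o
    case "$1" in */*) ;; *) return 1 ;; esac
    ip="${1%/*}"; bits="${1#*/}"
    case "$bits" in ''|*[!0-9]*) return 1 ;; esac
    [ "$bits" -le 32 ] || return 1
    local IFS=.
    set -- $ip
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# in_cidr IP PREFIX -> exit 0 if IP lies inside PREFIX
in_cidr() {
    local ip net bits mask
    ip=$(ip2int "$1"); net=$(ip2int "${2%/*}"); bits="${2#*/}"
    mask=$(( bits == 0 ? 0 : (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# banned_cloudflare_ips BANNED_LIST PREFIX_LIST
# Prints "IP PREFIX" for every banned IP that is actually a Cloudflare edge address.
banned_cloudflare_ips() {
    local ip range
    for ip in $1; do
        for range in $2; do
            cidr_valid "$range" || continue
            if in_cidr "$ip" "$range"; then
                echo "$ip $range"
                break
            fi
        done
    done
}

# nginx_real_ip_lines PREFIX_LIST -> set_real_ip_from lines for the valid prefixes.
# Malformed entries are reported on stderr and skipped, never written to config.
nginx_real_ip_lines() {
    local range
    for range in $1; do
        if cidr_valid "$range"; then
            echo "set_real_ip_from $range;"
        else
            echo "skipping malformed prefix: $range" >&2
        fi
    done
    echo "real_ip_header CF-Connecting-IP;"
}

echo "--- Nginx real-IP include ---"
nginx_real_ip_lines "$CF_RANGES"
echo "--- banned addresses that are Cloudflare edges ---"
banned_cloudflare_ips "$BANNED" "$CF_RANGES"
```

On a real host, feed banned_cloudflare_ips the address list from fail2ban-client status for the relevant jail and the current Cloudflare list; any hit means the jail is blocking an edge node and the real-IP configuration above has not taken effect yet. The same cidr_valid gate belongs in front of the ufw loop in the Code Block section.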

Step 6: Test Origin Server Directly

To isolate whether the issue is strictly between Cloudflare and your origin, or if your origin is completely broken, you can bypass Cloudflare locally using curl.

Use the --resolve flag to map your domain to your origin's true IP address locally, forcing the request directly to the server:

curl -Iv --resolve yourdomain.com:443:YOUR_ORIGIN_IP https://yourdomain.com

If this command returns HTTP/1.1 200 OK, your web server is functioning correctly, and the 521 error is caused by a network barrier (firewall, routing, or ISP block) that affects Cloudflare's IPs specifically.

Code Block

Bash script to automatically fetch the published Cloudflare IP ranges and allow them through UFW (Ubuntu/Debian). The script aborts without touching the firewall if either list cannot be downloaded, so a failed fetch never produces a misleading success message.

#!/bin/bash
# Fetch Cloudflare IP ranges and allow them through UFW (Ubuntu/Debian)
set -euo pipefail

for list in ips-v4 ips-v6; do
    # -f makes curl fail on HTTP errors instead of returning an error page
    ranges=$(curl -fsS "https://www.cloudflare.com/${list}")
    if [ -z "$ranges" ]; then
        echo "Failed to fetch ${list} from Cloudflare; no rules changed." >&2
        exit 1
    fi
    for ip in $ranges; do
        sudo ufw allow from "$ip" to any port 80 proto tcp comment 'Cloudflare HTTP'
        sudo ufw allow from "$ip" to any port 443 proto tcp comment 'Cloudflare HTTPS'
    done
done

# Reload firewall rules
sudo ufw reload
echo "Cloudflare IPs successfully whitelisted in UFW."

Error Medic Editorial

Error Medic Editorial comprises senior DevOps engineers, Cloud Architects, and SREs dedicated to providing reliable, heavily tested technical guides for production infrastructure.
