
Resolving Cloudflare Error 522: Origin Connection Timed Out

Comprehensive troubleshooting guide to fix the Cloudflare 522 Connection Timed Out error. Learn how to diagnose firewalls, server overloads, and SSL handshake f

Key Takeaways
  • A 522 error means Cloudflare could not establish a TCP connection to your origin server within 15 seconds.
  • The most common root cause is a restrictive origin firewall (UFW, iptables, or Cloud Security Groups) blocking Cloudflare's IP addresses.
  • Quick fix: Verify the origin server is online, check CPU/Memory usage, ensure all Cloudflare IPs are whitelisted, and validate your SSL/TLS certificates.
Common 522 Error Fix Approaches Compared
Resolution Method              | Root Cause Addressed                                | Estimated Time | Risk Level
Whitelist Cloudflare IPs       | Firewall dropping packets from CF edge nodes        | 5-10 minutes   | Low
Scale Origin Resources         | Origin server CPU/RAM exhaustion causing drops      | 15-30 minutes  | Medium
Enable TCP Keep-Alives         | Connections dropping prematurely                    | 5 minutes      | Low
Update Origin SSL Certificates | Cloudflare certificate expired / handshake failures | 15-20 minutes  | High

Understanding the Cloudflare 522 Error

Error 522: Connection timed out is an HTTP status code specific to Cloudflare's reverse proxy infrastructure. When a user requests a web page, Cloudflare's edge network attempts to connect to your origin server to fetch the content. If Cloudflare cannot establish a TCP connection with your origin server within a specific timeframe, it abandons the request and presents the user with the 522 error page.

To understand why a 522 origin connection timeout happens, you need to know Cloudflare's default timeout limits. Cloudflare waits exactly 15 seconds to establish a TCP connection. If your origin server does not answer with a SYN+ACK packet within those 15 seconds, the connection is considered dead. If a TCP connection is established but the origin then fails to respond to the HTTP request within 100 seconds (the standard Cloudflare request timeout), you will typically see a 524 error instead, though severe network degradation can blur these symptoms into a generic connection timed out error.

Step 1: Diagnose the Origin Server Status

The first step in any 522 troubleshooting workflow is to confirm that your origin server is actually online and capable of accepting incoming traffic.

  1. Check Server Uptime: SSH into your server or use your cloud provider's console to verify the instance is running.
  2. Review Resource Utilization: Run top or htop to check for CPU or Memory exhaustion. If your server is under a DDoS attack (that bypassed Cloudflare) or a massive traffic spike, the kernel might drop incoming SYN packets because the somaxconn (listen backlog) queue is full. This directly leads to a 522 cloudflare timeout.
  3. Bypass Cloudflare Locally: Attempt to curl your web server directly from another machine or your local terminal, targeting the origin IP directly: curl -Iv http://YOUR_ORIGIN_IP. If this times out, the issue is entirely on your origin's network or web server configuration.
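The backlog check from step 2, as an added example that is not code from the original guide: it parses the kernel's TcpExt counters from /proc/net/netstat (the same data netstat -s reports) and flags the counters that grow when the listen queue bounded by net.core.somaxconn is full. The sample text embedded below is constructed.

```python
"""Detect listen-backlog SYN drops that surface at Cloudflare as a 522.

Added example, not code from the original guide. /proc/net/netstat lists
counters in pairs of lines: a header of counter names, then their values,
both prefixed with the protocol group (TcpExt:, IpExt:).
"""
from pathlib import Path

# TcpExt counters that rise when the kernel drops inbound SYNs or completed
# handshakes because the listen/accept queue (net.core.somaxconn) is full.
BACKLOG_COUNTERS = ("ListenOverflows", "ListenDrops", "TCPReqQFullDrop")

# Constructed sample in /proc/net/netstat layout (header line, then values).
SAMPLE_NETSTAT = """\
TcpExt: SyncookiesSent ListenOverflows ListenDrops TCPReqQFullDrop TCPTimeouts
TcpExt: 0 418 418 0 37
IpExt: InNoRoutes InTruncatedPkts
IpExt: 0 0
"""


def parse_netstat(text: str) -> dict:
    """Return {protocol: {counter: value}} from /proc/net/netstat text."""
    rows = [line.split() for line in text.splitlines() if line.strip()]
    stats = {}
    for names, values in zip(rows[0::2], rows[1::2]):
        proto = names[0].rstrip(":")
        stats[proto] = dict(zip(names[1:], map(int, values[1:])))
    return stats


def backlog_drops(stats: dict) -> dict:
    """Return the nonzero backlog-related TcpExt counters, if any."""
    tcpext = stats.get("TcpExt", {})
    return {c: tcpext[c] for c in BACKLOG_COUNTERS if tcpext.get(c)}


def live_backlog_drops() -> dict:
    """Same check against the live counters on a Linux origin server."""
    return backlog_drops(parse_netstat(Path("/proc/net/netstat").read_text()))


if __name__ == "__main__":
    drops = backlog_drops(parse_netstat(SAMPLE_NETSTAT))
    if drops:
        print("Listen backlog drops detected; raise net.core.somaxconn and the "
              "application's listen backlog, or scale the origin:", drops)
    else:
        print("No listen backlog drops recorded")
```

The counters are cumulative since boot, so sample them twice during the incident window and act on the delta rather than the absolute value.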

Step 2: Validate Firewall and Network Rules

The absolute most frequent cause of a 522 cloudflare error is an origin firewall blocking Cloudflare's IP addresses. Cloudflare acts as a reverse proxy, meaning all traffic hitting your origin server comes from Cloudflare's IP ranges, not the original visitors' IPs.

If you use default-deny rules in iptables, ufw, or AWS Security Groups, you must explicitly whitelist Cloudflare's IPv4 and IPv6 ranges. Otherwise your server drops the packets, Cloudflare waits 15 seconds, and then returns the 522 connection timeout.

Use the script provided in the Code Block section of this guide to automatically fetch and whitelist Cloudflare IPs using UFW. If you are using AWS, ensure your Security Group attached to the EC2 instance allows inbound traffic on ports 80 and 443 from Cloudflare's CIDR blocks.
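An added audit check, not part of the original guide, that compares the source ranges your firewall actually allows on ports 80/443 against Cloudflare's published ranges and lists any Cloudflare range that would still be dropped. The Cloudflare CIDRs embedded here are a small subset of the published list at the time of writing (re-fetch https://www.cloudflare.com/ips-v4 and /ips-v6 before relying on them); the allowed list is a constructed example.

```python
"""Audit an origin firewall for gaps in Cloudflare edge coverage.

Added example, not from the original guide. A Cloudflare range counts as
covered only if it is fully contained in some allowed CIDR; a narrower
allow rule still drops part of the range and produces intermittent 522s.
"""
import ipaddress

# Subset of Cloudflare's published ranges (ips-v4 / ips-v6); re-fetch in practice.
CLOUDFLARE_RANGES = [
    "173.245.48.0/20", "103.21.244.0/22", "104.16.0.0/13", "2400:cb00::/32",
]

# Constructed example of the source CIDRs a firewall allows on 80/443.
FIREWALL_ALLOWED = [
    "173.245.48.0/20",   # exact match
    "104.16.0.0/12",     # supernet that covers 104.16.0.0/13
    "103.21.244.0/24",   # too narrow: a /24 does not cover the /22
]


def uncovered_ranges(cf_ranges, allowed):
    """Return the Cloudflare CIDRs not fully contained in an allowed CIDR."""
    allowed_nets = [ipaddress.ip_network(a, strict=False) for a in allowed]
    missing = []
    for cidr in cf_ranges:
        net = ipaddress.ip_network(cidr, strict=False)
        # subnet_of() only compares within one address family, so filter first.
        covered = any(net.version == a.version and net.subnet_of(a)
                      for a in allowed_nets)
        if not covered:
            missing.append(cidr)
    return missing


def is_cloudflare_ip(ip, cf_ranges=CLOUDFLARE_RANGES):
    """True if a connecting address belongs to a Cloudflare range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in cf_ranges)


if __name__ == "__main__":
    for cidr in uncovered_ranges(CLOUDFLARE_RANGES, FIREWALL_ALLOWED):
        print(f"NOT ALLOWED: {cidr} (edge connections from here will time out)")
```

The same containment test can be run against the output of ufw status or a security group export; is_cloudflare_ip is useful for confirming that connections in the origin's access log come only from the proxy.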

Step 3: Addressing SSL/TLS Handshake Failures

While a strict 522 is a TCP layer timeout, misconfigured SSL/TLS settings can cause the origin server web daemon (like Nginx or Apache) to hang up or drop connections abruptly, which Cloudflare sometimes interprets as a timeout or handshake failure.

You might see related symptoms, such as a generic handshake failure reported by Cloudflare or a specific "SSL handshake failed" error logged by Nginx. This happens when:

  • Cloudflare certificate expired: If the origin certificate has expired and your Cloudflare SSL/TLS encryption mode is set to "Full (strict)", Cloudflare will refuse to connect. While this usually throws a 526 Invalid SSL certificate error, intermittent network drops during certificate validation can trigger timeouts.
  • Cloudflare ssl expired: Similarly, if the Edge certificate provisioned by Cloudflare expires (usually managed automatically, but can fail if domain validation fails), users won't even reach the edge, resulting in browser-level errors.
  • cloudflare sslv3 alert handshake failure: This highly specific error occurs when Cloudflare attempts to negotiate a modern TLS connection (TLS 1.2 or 1.3), but the origin server only supports deprecated protocols like SSLv3 or TLS 1.0, or there is a cipher suite mismatch. Nginx will drop the connection, logging an SSL alert.

To fix SSL handshake failures between Cloudflare and Nginx, ensure your Nginx server block accepts modern TLS protocols. Edit your nginx.conf or site-specific configuration:

server {
    listen 443 ssl http2;
    server_name yourdomain.com;

    ssl_certificate /path/to/valid/cert.pem;
    ssl_certificate_key /path/to/valid/key.pem;

    # Enforce modern TLS, prevent SSLv3 alert handshake failures
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
}

Always ensure the certificate at /path/to/valid/cert.pem is not expired. You can use Cloudflare Origin CA certificates, which can be issued with a validity of up to 15 years, to avoid the expired origin certificate problem entirely.

Step 4: Keep-Alive Configurations

Cloudflare utilizes Keep-Alive headers to maintain persistent connections to your origin server. This reduces the overhead of establishing new TCP connections for every request. If your origin server has Keep-Alives disabled, or the timeout is aggressively low, connections may drop prematurely.

In Nginx, verify your keepalive_timeout directive inside the http {} block:

http {
    # Set to a value higher than Cloudflare's expectation
    keepalive_timeout 60s;
    keepalive_requests 1000;
}

Step 5: Cloudflare Pages 522 Errors

It is relatively rare to see a 522 error on Cloudflare Pages, since Pages is a static site host running entirely on Cloudflare's edge. However, it can occur if your Pages project uses Cloudflare Functions (Workers) as middleware that fetches data from a slow or unresponsive external third-party API. If the fetch() call inside your Function takes longer than the worker execution limits, or the external API drops the connection, a 522 or 524 error cascades down to the Pages deployment. To resolve this, wrap your external API calls in try/catch blocks, implement fallback data, and enforce a shorter timeout with an AbortController.

Code Block: Whitelist Cloudflare IPs in UFW (bash)
#!/bin/bash
# Script to automatically fetch and whitelist Cloudflare IP addresses in UFW.
# Run this on your origin server as root/sudo to resolve firewall-related 522 errors.
set -euo pipefail

if [ "$(id -u)" -ne 0 ]; then
  echo "Run as root (or with sudo): ufw needs privileges" >&2
  exit 1
fi

# Download into temporary files; -f makes curl fail on an HTTP error so a
# CDN error page is never parsed as an IP list.
tmp_v4=$(mktemp)
tmp_v6=$(mktemp)
trap 'rm -f "$tmp_v4" "$tmp_v6"' EXIT

echo "Fetching Cloudflare IPv4 addresses..."
curl -fsSL https://www.cloudflare.com/ips-v4 -o "$tmp_v4"

echo "Fetching Cloudflare IPv6 addresses..."
curl -fsSL https://www.cloudflare.com/ips-v6 -o "$tmp_v6"

echo "Applying UFW rules..."
# Whitelist IPv4: one rule per published CIDR, HTTP/HTTPS over TCP only.
# The "|| [ -n "$ip" ]" keeps a final line without a trailing newline.
while read -r ip || [ -n "$ip" ]; do
  [ -z "$ip" ] && continue
  ufw allow from "$ip" to any port 80,443 proto tcp comment 'Cloudflare IPv4'
done < "$tmp_v4"

# Whitelist IPv6
while read -r ip || [ -n "$ip" ]; do
  [ -z "$ip" ] && continue
  ufw allow from "$ip" to any port 80,443 proto tcp comment 'Cloudflare IPv6'
done < "$tmp_v6"

echo "Reloading UFW..."
ufw reload
echo "Cloudflare IPs successfully whitelisted!"

# Temporary files are removed by the EXIT trap above.

DevOps Troubleshooting Editorial

A collective of Senior Site Reliability Engineers and Systems Administrators dedicated to untangling complex network routing, reverse proxy configurations, and Linux server performance issues.
