Introduction
The error message "Error 521: Web server is down" indicates an issue with the server. That is Cloudflare's error message when the origin server does not respond to Cloudflare's request.
This guide explains common causes and provides methods to troubleshoot and resolve error 521.
Prerequisites:
- Access to the Cloudflare account associated with the domain affected by the error.
- Origin web server access.
What Is Error 521?
When a user wants to visit a website that uses Cloudflare's content delivery network (CDN), the following happens:
- The web browser attempts to connect to Cloudflare, and
- Cloudflare tries to connect to the origin web server to display the content.
Error 521 occurs when Cloudflare is unable to connect to the website's origin server.
What Causes Error 521?
The following issues cause Error 521: Web server is down:
- Origin web server is offline. The server is either offline or there is an issue with Apache or Nginx.
- Blocked/blacklisted Cloudflare IP addresses. All connection requests come via Cloudflare's IPs. The origin server might have a server-side security configuration that blocks an IP address if it sends too many requests.
- Configuration issues with the origin web server. Servers must be specifically configured to work with a CDN. Error 521 might be due to a misconfigured server.
- Dropped packets due to Apache modules for Slowloris Denial of Service prevention. Security modules for Apache may block requests coming from Cloudflare if not configured properly.
How to Troubleshoot and Fix Error 521
Follow the steps below to troubleshoot and resolve error 521.
1. Check the Origin Server
To troubleshoot Cloudflare's error 521, first check whether the origin server is online. This can be done by checking the server's HTTP status code.
There are several ways to check the HTTP status of a website, outlined below.
Check HTTP Status Using cURL
Open the command prompt as an administrator (or terminal if you are using Mac or Linux), and run the curl command:
curl --silent --output /dev/null --write-out "%{http_code}" https://example.site
The additional curl
command options do the following:
--silent
- Hides the progress bar (does not print the process of fetching the information).--output
- Prints an output./dev/null
- Suppress printing the entire HTML body.--write-out “%{http_code}”
- Specifies the requested data/header to print the HTTP status code.
The output returns HTTP status code 200 if the server is up and running. A 5xx HTTP status code (for example, 500 – internal server error) indicates an issue with the origin server.
Check HTTP Status via Online HTTP Header Checker
Open any online HTTP header checker and paste the website’s URL or IP address into the designated field.
The result will be similar to the following image. The HTTP 200 status code indicates the server is up and running.
Review Origin Server Error Logs
If the output returns an 5xx HTTP status code (server-side errors), review the server's error log to try and identify the root cause of the issue.
Server error logs can be accessed:
- Using a graphical user interface (for servers managed with a server management application)
- Via the terminal.
If you are using the terminal to access Apache server error logs, the following are the default locations for different Linux distributions:
- FreeBSD – /var/log/httpd-error.log
- Debian and Ubuntu – /var/log/apache2/error.log
- RHEL, Red Hat, CentOS, and Fedora – /var/log/httpd/error_log
Nginx error logs on the most popular Linux distributions, such as Ubuntu, Debian and CentOS, are located in /var/log/nginx.
Note: The user accessing the log must have write access to the error log directory.
If web server error logs are inaccessible to you, contact your hosting provider.
2. Whitelist Cloudflare IP Addresses and Ports
Cloudflare is the mediator between a private firewall and origin server. Every connection attempt made to a web page is processed by Cloudflare and directed to the origin server via a set of IP addresses and through specific network ports.
For Cloudflare to work properly, it must be able to communicate with the origin server without any interference. Error 521 will occur if the connection between Cloudflare and the origin server is interfered by the following:
- IP deny rules specified in .htaccess.
- Firewall rules that restrict communication with Cloudflare.
- Disabled ports through which Cloudflare communicates with the origin server.
- Rate limiting and other types of of server-side restrictions.
These issues can be resolved by:
- Checking .htaccess and firewall rules.
- Whitelisting Cloudflare IPs.
- Enabling the right ports.
Important: Some hosting providers whitelist Cloudflare IPs by default. Consult your hosting provider before troubleshooting.
Whitelist IP Addresses via .htaccess
To whitelist Cloudflare’s IP addresses in the .htaccess file, add all the addresses in the line starting with allow from all
and separate individual IP addresses with spaces.
Note: If you need help creating and editing the .htaccess file, refer to our guides How to Create & Edit the Default WordPress .htaccess File and How to Enable & Set Up .htaccess File on Apache.
Whitelist IP Addresses via Firewall
The process of whitelisting IP addresses will vary from one firewall to another. As an example, this guide focuses on updating iptables rules. For other popular firewalls, refer to our articles on How to Use firewalld on CentOS 7 and How to Set Up UFW on Ubuntu.
To allow incoming connections from Cloudflare’s IP addresses in iptables:
- Open the Linux terminal.
- Connect to the server via SSH.
- Run the following command for every Cloudflare IP address (replace the example IP address with Cloudflare’s):
sudo iptables -A INPUT -s 192.168.0.1 --dport 443 -j ACCEPT
Note: You can pass multiple IP address after the -s
option. Just make sure to use commas between each individual IP address.
This will add a new rule to the iptables rule chain that allows incoming connections to the specified IP address. The parameters used in the syntax are:
-A
- Adds rule to the rule chain.INPUT
- Specifies that the rule refers to all incoming connections.-s
- Specifies the source of traffic.-j
ACCEPT
- Specifies what action should be taken with the data packets (accept).--dport
443
- Specifies the destination port number of a protocol - where to direct the packets. Open port 443 for connections on encrypted networks.
Note: When Full (Strict) protection (SSL/TLS mode) is active, Cloudflare proxies all traffic to port 443 – the port used for secure connections over encrypted networks.
Optional parameters include:
-I
- Specifies the network interface whose traffic the filter applies to.-p
- Specifies the network protocol filtering incoming traffic (TCP, UDP, SCTP, UDP-lite, ICMPv6, etc.)
Note: The parameters must always be written in the following order: -A
, -i
, -p
, -s
, --dport
, -j
.
If whitelisting Cloudflare’s IP addresses does not fix error 521, contact your hosting provider to check whether the issue is on their side.
3. Confirm That an SSL Certificate Is Installed
If Cloudflare IPs are whitelisted and access to port 443 is enabled, but error 521 persists, the issue may lie in your website’s security certificate.
Cloudflare requires a valid security certificate – the Cloudflare Origin Certificate or a certificate from any publicly trusted authority. A missing (or expired) SSL certificate will cause error 521 or 526 to appear.
Whether you have an SSL certificate or want to create one using Cloudflare, you will have to go through the process of creating an Origin CA security certificate:
- Log in to Cloudflare.
- Choose the domain you want to install the certificate on.
- Navigate to SSL/TLS > Origin Server.
- Click Create Certificate.
- Choose whether you want to:
- Generate a Cloudflare certificate (Generate private key and CSR with Cloudflare)
- Use an existing third-party certificate (Use my private key and CSR)
- Specify the hostnames the certificate should apply to (root zone and first-level wildcard hostname are included by default)
- Specify the expiration date of the certificate
- Click Next
- Choose the key format:
- PEM, DER - for servers using OpenSSL (Apache and NGINX)
- PKCS#7 (.p7b) - for servers using Windows and Apache Tomcat
- Save the origin certificate and private key into separate files
- Click OK
You now have an Origin CA security certificate that must be added to the origin server. To do this:
- Upload the certificate to your origin web server
- Update your web server configuration
- Enable SSL and port 443
Note: For more help, check out our guides on How to Install an SSL Certificate on Apache CentOS 7 and How to Install SSL Certificate on NGINX.
Some origin web servers will also require a Cloudflare Origin CA root certificate to be uploaded. The RSA and EEC version of the certificate can be found in Cloudflare's documentation.
Note: According to Cloudflare, the EEC version should not be used with Apache cPanel.
4. Check mod_security
If the mod_security Apache module acts as the origin server’s firewall, its core rules could be blocking Cloudflare requests, causing error 521 to appear.
If you are using mod_security, ensure that the latest version is being used and that none of the rules are blocking Cloudflare’s IP addresses.
5. Disable mod_antiloris and mod_reqtimeout
mod_antiloris and mod_reqtimeout are Apache HTTP server modules designed to prevent Slowloris Denial-of-Service (DoS) attacks by limiting the number of connections from unique IP addresses within a specified time frame.
Cloudflare is a reverse proxy, meaning it processes requests and directs them to the origin server. This is completed over a limited range of IP addresses. With mod_antiloris and mod_reqtimeout set up, once a Cloudflare IP address exceeds the connection limit, every following connection attempt from that address results in dropped packets.
To resolve the issue, disable and unload the modules so Cloudflare can work uninterrupted.
6. Check Railgun Configuration
Railgun is a WAN optimization protocol developed by Cloudflare to increase connection speed.
Improper Railgun configuration causes the error 521 to appear, accompanied by the "railgun.wan_error connection failed" error message.
To resolve the issue, disable Railgun so the website can be accessed and review the configuration. If you require assistance, reach out to Cloudflare Support.
7. Contact Cloudflare Support
If the troubleshooting methods did not help to locate the issue, contact Cloudflare Support. A representative will guide you through gathering the required information and further troubleshooting.
Conclusion
You now know what causes the "Error 521: Web server is down" error message and how to troubleshoot and fix it.
Use the information provided in this guide to fix error 521 and prevent it from happening in the future.
Error 521 is only one of numerous error messages that can appear when visiting a website that uses Cloudflare's CDN. Another common error code is 520: Web Server is Returning an Unknown Error. Check out our guide that explains what error 520 means and how to fix it.