How do I whitelist Cloudflare IPs?

Download the IP list from cloudflare.com/ips and add them to your firewall allow rules. For iptables: add each range with iptables -A INPUT -s IP_RANGE -p tcp --dport 443 -j ACCEPT.

Can a 521 be caused by SSL misconfiguration?

Not directly. A 521 means the connection was refused entirely. SSL issues typically cause 525 (SSL Handshake Failed) or 526 (Invalid SSL Certificate) errors instead.

HTTP 521 Web Server Is Down — Cloudflare Origin Server Unreachable

Critical5xx server error

Overview

Fix Cloudflare HTTP 521 error when the origin web server refuses or is unable to accept connections from Cloudflare's proxy.

Key Details

HTTP 521 is a Cloudflare-specific error indicating the origin server actively refused the connection
Cloudflare acts as a reverse proxy and must connect to your origin server to serve content
This error means Cloudflare cannot reach your web server at all — not even a timeout, but a direct refusal
The origin server may be down, firewalled, or not listening on the expected port
Unlike 522 (connection timed out), 521 means the connection was immediately rejected

Common Causes

Origin web server (Nginx, Apache) is stopped or crashed
Firewall on the origin server blocking Cloudflare IP ranges
Origin server listening on wrong port (e.g., only 8080 instead of 443)
Hosting provider suspended the account or server

Steps

1Verify the origin web server is running: systemctl status nginx or systemctl status apache2
2Whitelist all Cloudflare IP ranges in your server firewall (cloudflare.com/ips)
3Confirm the server is listening on port 443 (HTTPS) or 80 (HTTP): ss -tlnp | grep ':443'
4Check hosting provider dashboard for any account suspensions or resource limits
5Temporarily pause Cloudflare proxy (grey cloud) to test direct connection to origin

More in 5xx Server Error

http-500-internal-server-errorHTTP 500 Internal Server Error — What It Means & How to Fix It

Critical

http-501-not-implementedHTTP 501 Not Implemented — What It Means & How to Fix It

Critical

http-502-bad-gatewayHTTP 502 Bad Gateway — What It Means & How to Fix It

Critical

http-503-service-unavailableHTTP 503 Service Unavailable — What It Means & How to Fix It

Critical

http-504-gateway-timeoutHTTP 504 Gateway Timeout — What It Means & How to Fix It

Critical

http-505-http-version-not-supportedHTTP 505 HTTP Version Not Supported — What It Means & How to Fix It

Critical

Frequently Asked Questions

HTTP 521 is not an official HTTP status code. It is specific to Cloudflare's proxy infrastructure, indicating their edge servers cannot connect to your origin server.

HTTP 521 Web Server Is Down — Cloudflare Origin Server Unreachable

Overview

Key Details

Common Causes

Steps

Tags

More in 5xx Server Error

Frequently Asked Questions