HTTP 521 Web Server Is Down — Cloudflare Origin Server Unreachable
About HTTP 521 Web Server Is Down
Fix Cloudflare HTTP 521 error when the origin web server refuses or is unable to accept connections from Cloudflare's proxy. This guide covers everything you need to know about this topic, including common causes, step-by-step solutions, and answers to frequently asked questions.
Here are the key things to understand: HTTP 521 is a Cloudflare-specific error indicating the origin server actively refused the connection. Cloudflare acts as a reverse proxy and must connect to your origin server to serve content. This error means Cloudflare cannot reach your web server at all — not even a timeout, but a direct refusal. The origin server may be down, firewalled, or not listening on the expected port. Unlike 522 (connection timed out), 521 means the connection was immediately rejected. Understanding these fundamentals will help you diagnose and resolve this issue more effectively.
The most common reasons this occurs include: Origin web server (Nginx, Apache) is stopped or crashed. Firewall on the origin server blocking Cloudflare IP ranges. Origin server listening on wrong port (e.g., only 8080 instead of 443). Hosting provider suspended the account or server. Identifying the root cause is the first step toward finding the right solution.
To resolve this, follow these recommended steps: Verify the origin web server is running: systemctl status nginx or systemctl status apache2. Whitelist all Cloudflare IP ranges in your server firewall (cloudflare.com/ips). Confirm the server is listening on port 443 (HTTPS) or 80 (HTTP): ss -tlnp | grep ':443'. Check hosting provider dashboard for any account suspensions or resource limits. Temporarily pause Cloudflare proxy (grey cloud) to test direct connection to origin. If these steps do not resolve the issue, consider consulting additional resources or a qualified professional.
This article is part of our HTTP Status Codes collection on Error Codes Wiki. We provide comprehensive, up-to-date information to help you find solutions quickly.
Quick Answer
Why does 521 only appear with Cloudflare?
HTTP 521 is not an official HTTP status code. It is specific to Cloudflare's proxy infrastructure, indicating their edge servers cannot connect to your origin server.
Overview
Fix Cloudflare HTTP 521 error when the origin web server refuses or is unable to accept connections from Cloudflare's proxy.
Key Details
- HTTP 521 is a Cloudflare-specific error indicating the origin server actively refused the connection
- Cloudflare acts as a reverse proxy and must connect to your origin server to serve content
- This error means Cloudflare cannot reach your web server at all — not even a timeout, but a direct refusal
- The origin server may be down, firewalled, or not listening on the expected port
- Unlike 522 (connection timed out), 521 means the connection was immediately rejected
Common Causes
- Origin web server (Nginx, Apache) is stopped or crashed
- Firewall on the origin server blocking Cloudflare IP ranges
- Origin server listening on wrong port (e.g., only 8080 instead of 443)
- Hosting provider suspended the account or server
Steps
- 1Verify the origin web server is running: systemctl status nginx or systemctl status apache2
- 2Whitelist all Cloudflare IP ranges in your server firewall (cloudflare.com/ips)
- 3Confirm the server is listening on port 443 (HTTPS) or 80 (HTTP): ss -tlnp | grep ':443'
- 4Check hosting provider dashboard for any account suspensions or resource limits
- 5Temporarily pause Cloudflare proxy (grey cloud) to test direct connection to origin