Community Tip - Fixing Error 521: Web server is down

Try the suggestions in this Community Tip to help you fix Error 521: Web server is down.

A 521 error happens when we are unable to make a TCP connection to your origin server. Specifically, Cloudflare tried to connect to your origin server on port 80 or 443, but received a connection refused error. This is often caused by security or firewall software and happens if the origin server has directly refused Cloudflare’s proxy request.

Banner in tip catalog

Quick Fix Ideas

  1. Check your origin web server. The origin web server might not be running; in that case you should: a) Ensure your web server is running normally and b) Review the server’s error logs to see what is causing the error. If you’re unable to perform these tasks, contact your hosting provider.

  2. If you have just moved to Cloudflare and you are seeing a 521 over HTTPS, it is possible that your origin server has not been configured to allow port 443 be accessed by Cloudflare IPs. In this case you should configure your server/firewall to being listening on port 443 and allow us to be able to conect. If this is not possible, you can move to using ‘Flexible’ SSL under the SSL/TLS app on the dashboard.

  3. Make sure that you’re not blocking Cloudflare IPs in .htaccess, iptables , or your firewall.

  4. Make sure your hosting provider isn’t rate limiting or blocking IP requests from the Cloudflare IPs and ask them to whitelist the IP addresses IP Ranges.

  5. Make sure that you’re operating off of the most recent versions of Bad Behavior or mod_security. mod_security’s core rules aren’t blocking Cloudflare requests.

  6. If you are running custom Apache modules, such as mod_antiloris and mod_reqtimeout, disable and unload the modules. These modules will block any time an IP that connects more than 22 times. Since all connections are now coming from a Cloudflare IP, you will definitely hit the limit causing the error page. As soon as you unload the module, the issue will disappear.

  7. If your firewall is configured to DROP packets rather than refuse connections, it will cause a 521; meaning an incorrectly configured firewall can actually masquerade as a connection timeout 522 error.

  8. If you’re 521 errors when using Workers to load Javascript on a site, note that Workers subrequest can override the DNS origin address by making subrequest to external site. Check the script to confirm you’re testing the correct origin server.

  9. If you see the error railgun.wan_error connection failed it indicates you have a faulty Railgun configuration, disable Railgun and visit your site.

Lite Reading

Background Resources
Help Center

Research The Issue

If You Need More Help
This community of other Cloudflare users may be able to assist you, login to Cloudflare and post your question to the Community. When you post on the Community make sure to include as much of this information as possible: the specific error message you are seeing, the URLs this is happening on, screen shot of the error, and the steps to reproduce the error. Please indicate what troubleshooting steps you’ve tried in order to help us help you.

This is a Cloudflare Community Tip, to review other tips click here.

Çevirmek…traduzir…翻译…traducir…Traduire…Übersetzen…:greyg: Translate this Tip

FXCTWS 101119