Web Server Is Down Error Code 521 Cloudflare — 10 Proven Fixes
Your website is live. Your Cloudflare dashboard shows everything green. And then your inbox fills up with messages: “Your site is down.”
You visit it yourself and see the dreaded screen:
“Error 521 — Web Server Is Down”
It’s one of the most stressful error messages a website owner can encounter — and one of the most misunderstood. Because here’s the thing: Cloudflare itself is working perfectly. Your domain is resolving. The CDN is responding. But your actual website is completely unreachable.
If you’re facing the web server is down error code 521 Cloudflare message, you’re dealing with a communication breakdown between Cloudflare’s network and your origin server. The good news? This error is almost always fixable — and most causes come down to just a handful of well-documented issues. If you’re setting up or managing a site, it’s important to understand how to deploy a website for free before troubleshooting server-side errors like this.
In this complete guide, you’ll learn exactly what Cloudflare error 521 means, every documented cause behind it, and 10 proven fixes that resolve it — whether you’re running Apache, Nginx, WordPress, or a custom application stack.
No guesswork. No generic advice. Real, actionable solutions for website owners and developers.
Let’s get your site back online.
What Is Cloudflare Error Code 521?
Cloudflare error code 521 is a connection refused error at the origin server level. It means Cloudflare successfully received a visitor’s request, attempted to forward it to your web server, and your server actively refused the connection or failed to respond.
The official Cloudflare description is:
“Error 521: Web Server Is Down — The origin web server refused connections from Cloudflare.”
This is a critical distinction from other errors. Error 521 is not:
- A DNS failure
- A Cloudflare infrastructure problem
- A visitor’s browser issue
- A network routing problem between the visitor and Cloudflare
Error 521 specifically means the problem exists between Cloudflare’s edge network and your origin server. Cloudflare reached your server’s IP address, but your server refused or dropped the connection before any HTTP response could be sent.
From an HTTP protocol perspective, this is a TCP connection refusal — meaning your server’s operating system or firewall sent a RST (reset) packet back to Cloudflare, actively rejecting the connection attempt rather than simply not responding (which would produce a 522 timeout error instead).
How Cloudflare’s Proxy Architecture Works

To understand error 521 properly, you need a clear picture of how Cloudflare operates in the connection chain.
When a visitor navigates to your website through Cloudflare’s proxy:
1. The visitor’s browser sends a DNS request, which resolves to Cloudflare’s edge IP, not your server’s IP
2. Cloudflare’s edge server receives the HTTP/HTTPS request
3. Cloudflare forwards the request to your origin server using your server’s actual IP address
4. Your origin server processes the request and sends a response back to Cloudflare
5. Cloudflare delivers the response to the visitor
Error 521 occurs at step 3. Cloudflare attempts to open a TCP connection to your origin server on port 80 (HTTP) or port 443 (HTTPS), and your server refuses or drops it.
This architecture is important because it means your server never sees the visitor’s real IP — it sees Cloudflare’s IP addresses. If your server’s firewall doesn’t recognize Cloudflare’s IPs as legitimate, it blocks them — producing exactly the connection refused behavior that generates error 521.
This is why whitelisting Cloudflare’s IP ranges (Fix 2) is one of the most common and effective solutions.
What Causes the “Web Server Is Down” Error Code 521?
Let’s be specific. Here are all the documented root causes of Cloudflare error 521:
Origin Server Causes:
- Web server software (Apache, Nginx, LiteSpeed) has crashed or stopped running
- The web server process ran out of memory and was killed by the OS
- The server ran out of disk space, causing the web server process to fail
- The server is under resource overload and can no longer accept new connections
- Web server is bound to localhost (127.0.0.1) only, not the public IP
Firewall and Security Causes:
- Server firewall (iptables, UFW, CSF, Fail2Ban) blocking Cloudflare’s IP addresses
- Hosting provider’s edge firewall is blocking traffic from Cloudflare’s IP ranges
- Cloudflare IPs are being blacklisted by automated security rules
- DDoS protection tools are blocking Cloudflare connection patterns
Configuration Causes:
- Web server not listening on the correct port (80 or 443)
- SSL/TLS certificate mismatch causing HTTPS connection refusal
- Web server misconfiguration after a recent update or change
- .htaccess rules or server-level blocks refusing Cloudflare IPs
- Virtual host configuration errors are preventing the server from responding
Resource and Infrastructure Causes:
- The shared hosting server is being overloaded by other users
- VPS running out of allocated memory or CPU
- Disk quota exceeded, causing server processes to terminate
- Server under an active DDoS attack, consuming all available connections
Now let’s fix each one.
Who Sees Error 521 — Visitors or Website Owners?
Both — but differently.
Visitors see the full Cloudflare 521 error page, which is served directly by Cloudflare since your origin server isn’t responding. The page shows the Cloudflare branding and the “Web Server Is Down” message. Visitors have no fix available to them — this is entirely a server-side issue.
Website owners and developers see the error when visiting their own site, plus they should be monitoring for it through Cloudflare’s analytics dashboard, uptime monitoring tools, and server logs.
Important for website owners: Error 521 will show even if your server is online but only blocking Cloudflare specifically. This means your website might appear to work if you access it directly via the IP address (bypassing Cloudflare) while still showing error 521 to all visitors going through the Cloudflare proxy. This is a key diagnostic insight we’ll use in Fix 7.
Fix 1: Check If Your Origin Web Server Is Running
The most obvious cause — and the first thing to check — is whether your web server software is actually running.
Apache, Nginx, LiteSpeed, or whatever web server you’re using can crash, be stopped by an automated process, run out of resources, or be killed by the server’s out-of-memory (OOM) manager. When the server process stops, all incoming connections are refused, producing error 521 immediately.
Check web server status via SSH:
For Apache:
sudo systemctl status apache2
or
sudo service apache2 status
For Nginx:
sudo systemctl status nginx
For LiteSpeed:
sudo systemctl status lsws
If the service shows “inactive” or “failed”:
Restart it:
sudo systemctl restart apache2
sudo systemctl restart nginx
Check why it crashed:
sudo journalctl -xe --unit=apache2
sudo journalctl -xe --unit=nginx
Review the last 50 lines of your web server error log:
For Apache: /var/log/apache2/error.log
For Nginx: /var/log/nginx/error.log
Common reasons a web server stops:
- Out of memory — server killed the process to free resources
- Disk space full — check with df -h
- Configuration error after a recent change — check with apache2 -t or nginx -t
- The runaway PHP process is consuming all server resources
If your web server was simply stopped or crashed, restarting it immediately resolves error 521. But investigate why it crashed to prevent recurrence.
Fix 2: Whitelist Cloudflare IP Ranges on Your Server Firewall
This is the most common cause of Cloudflare error 521 that isn’t immediately obvious — and it’s the fix that resolves a huge proportion of cases where the web server is actually running fine.
When Cloudflare connects to your origin server, it does so from Cloudflare’s own IP addresses — not from the visitor’s IP. If your server’s firewall has rules that block unknown or unrecognized IPs, or if Fail2Ban has automatically blocked Cloudflare IPs due to high request volume, those connections are refused, and error 521 appears for every visitor. Many website owners also compare platforms when handling server-side issues—see our Wix vs Squarespace vs WordPress comparison to understand how different systems manage hosting and security.
Cloudflare’s current IPv4 ranges (as of 2024):
103.21.244.0/22
103.22.200.0/22
103.31.4.0/22
104.16.0.0/13
104.24.0.0/14
108.162.192.0/18
131.0.72.0/22
141.101.64.0/18
162.158.0.0/15
172.64.0.0/13
173.245.48.0/20
188.114.96.0/20
190.93.240.0/20
197.234.240.0/22
198.41.128.0/17
Cloudflare’s current IPv6 ranges:
2400:cb00::/32
2606:4700::/32
2803:f800::/32
2405:b500::/32
2405:8100::/32
2a06:98c0::/29
2c0f:f248::/32
Always get the most current list from Cloudflare’s official IP ranges page at cloudflare.com/ips — these ranges are updated periodically.
Whitelist Cloudflare IPs using UFW (Ubuntu/Debian):
# proto tcp is required by UFW whenever more than one port is listed
for ip in $(curl -s https://www.cloudflare.com/ips-v4); do
  sudo ufw allow proto tcp from "$ip" to any port 80,443
done
for ip in $(curl -s https://www.cloudflare.com/ips-v6); do
  sudo ufw allow proto tcp from "$ip" to any port 80,443
done
sudo ufw reload
Whitelist using iptables:
for ip in $(curl -s https://www.cloudflare.com/ips-v4); do
  sudo iptables -I INPUT -p tcp -s "$ip" --dport 80 -j ACCEPT
  sudo iptables -I INPUT -p tcp -s "$ip" --dport 443 -j ACCEPT
done
Check Fail2Ban jails for Cloudflare IPs:
sudo fail2ban-client status
sudo fail2ban-client set <jailname> unbanip <cloudflare-ip>
To prevent Fail2Ban from banning Cloudflare IPs in the future, add Cloudflare’s ranges to your /etc/fail2ban/jail.local under ignoreip.
For cPanel/WHM servers: Log into WHM > ConfigServer Security & Firewall (CSF) > add Cloudflare IP ranges to the whitelist file at /etc/csf/csf.allow.
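The script below is an added example and not part of this article. It works from a constructed subset of the Cloudflare IPv4 ranges listed above (on a real server you would substitute the full list from cloudflare.com/ips-v4), tests whether an address that Fail2Ban reports as banned falls inside those ranges, and prints the UFW allow commands with the proto tcp qualifier that a comma-separated port list requires. The variable and function names (CF_IPV4, cidr_contains, banned_cloudflare_ips, ufw_whitelist_rules) and the sample fail2ban-client status line are invented for the example.

```shell
#!/usr/bin/env bash
# Added example (not from the article): is a banned IP one of Cloudflare's,
# and which UFW rules whitelist Cloudflare's ranges for ports 80 and 443?
# CF_IPV4 is a constructed SUBSET of the Fix 2 list; on a real server use
#   curl -s https://www.cloudflare.com/ips-v4
CF_IPV4="103.21.244.0/22 104.16.0.0/13 104.24.0.0/14 172.64.0.0/13 198.41.128.0/17"

# Dotted quad -> 32-bit integer (shell arithmetic is at least 32 bits wide).
ip2int() {
  local IFS=.
  set -- $1
  echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

# cidr_contains CIDR IP -> exit 0 if IP lies inside CIDR.
cidr_contains() {
  local net="${1%/*}" bits="${1#*/}" mask
  mask=$(( bits == 0 ? 0 : (4294967295 << (32 - bits)) & 4294967295 ))
  [ $(( $(ip2int "$net") & mask )) -eq $(( $(ip2int "$2") & mask )) ]
}

# is_cloudflare_ip IP -> exit 0 if IP is in any range listed in CF_IPV4.
is_cloudflare_ip() {
  local cidr
  for cidr in $CF_IPV4; do
    cidr_contains "$cidr" "$1" && return 0
  done
  return 1
}

# banned_cloudflare_ips "STATUS_TEXT" -> prints the banned IPs that belong
# to Cloudflare. STATUS_TEXT is the "Banned IP list:" line that
# `fail2ban-client status <jail>` prints; those are the ones to unban.
banned_cloudflare_ips() {
  local ip
  for ip in $(printf '%s\n' "$1" | sed -n 's/.*Banned IP list:[[:space:]]*//p'); do
    is_cloudflare_ip "$ip" && echo "$ip"
  done
}

# ufw_whitelist_rules -> one `ufw allow` command per range. UFW rejects a
# comma-separated port list unless the protocol is given, hence proto tcp.
ufw_whitelist_rules() {
  local cidr
  for cidr in $CF_IPV4; do
    echo "ufw allow proto tcp from $cidr to any port 80,443"
  done
}

# Constructed sample of a fail2ban-client status line: one Cloudflare edge
# address and one unrelated address (203.0.113.0/24 is documentation space).
SAMPLE_STATUS='   `- Banned IP list:	104.20.1.1 203.0.113.9'

if [ "${1:-}" = "demo" ]; then
  echo "Cloudflare addresses currently banned:"
  banned_cloudflare_ips "$SAMPLE_STATUS"
  echo "Rules to apply:"
  ufw_whitelist_rules
fi
```

Run it as "bash script.sh demo" to see the banned Cloudflare address (104.20.1.1) and the generated rules; on a live server feed it the real output of sudo fail2ban-client status <jail> instead of SAMPLE_STATUS.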

Fix 3: Check Your Web Server Configuration
Even when your web server is running, a misconfiguration can cause it to refuse connections from Cloudflare. This is particularly common after server updates, control panel changes, or manual configuration edits.
Common Apache misconfiguration causes:
Server bound to wrong IP: Check your Apache configuration for binding settings:
grep -r "Listen" /etc/apache2/
If you see Listen 127.0.0.1:80 — Apache is only listening on localhost and refusing external connections. Change it to:
Listen 80
Listen 443
Virtual host not configured for your domain:
apache2ctl -S
This shows all configured virtual hosts. If your domain isn’t listed, the server doesn’t know how to handle requests for it and may refuse them.
Common Nginx misconfiguration causes:
Server block binding issue: Check your server block for:
server {
    listen 127.0.0.1:80;   # Wrong — change to:
    listen 80;             # Correct
}
Test your configuration for syntax errors:
# Apache
apache2ctl configtest
# or
apachectl -t
# Nginx
nginx -t
Fix any reported errors, then reload the service:
sudo systemctl reload apache2
sudo systemctl reload nginx
Configuration errors that prevent proper startup are a common post-update cause of error 521 that server logs reveal clearly.
Fix 4: Verify the Correct Port Is Open and Listening
Cloudflare connects to your origin server on port 80 for HTTP and port 443 for HTTPS. If your server isn’t actively listening on these ports — or if those ports are blocked — every Cloudflare connection is refused.
Check which ports your server is listening on:
sudo netstat -tlnp
# or on newer systems:
sudo ss -tlnp
Look for entries showing your web server process (apache2, nginx, httpd) listening on ports 80 and 443. If they’re missing, your web server isn’t bound to those ports correctly.
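As an added example that is not part of the article, the functions below parse ss -tlnp output and report, per port, whether it is bound on a reachable address, only on loopback (the Listen 127.0.0.1:80 case from Fix 3, which looks "listening" in ss but refuses Cloudflare), or not at all. The sample ss output and the function names (listen_addrs_for_port, diagnose_port) are constructed for this example.

```shell
#!/usr/bin/env bash
# Added example (not from the article): classify how a port is bound from
# `ss -tlnp` output so a loopback-only bind is caught as well as a port
# that nothing listens on.

# listen_addrs_for_port PORT "SS_OUTPUT": prints each local address bound to
# PORT in LISTEN state, one per line.
listen_addrs_for_port() {
  printf '%s\n' "$2" | awk -v port="$1" '
    $1 == "LISTEN" {
      n = split($4, parts, ":")     # "[::]:443" -> last field is the port
      p = parts[n]
      addr = substr($4, 1, length($4) - length(p) - 1)
      if (p == port) print addr
    }'
}

# diagnose_port PORT "SS_OUTPUT": prints one of
#   ok             bound on a wildcard or non-loopback address
#   loopback-only  bound only on 127.x / [::1]; Cloudflare cannot reach it
#   not-listening  no process listens on PORT
diagnose_port() {
  local addrs
  addrs=$(listen_addrs_for_port "$1" "$2")
  if [ -z "$addrs" ]; then
    echo not-listening
  elif printf '%s\n' "$addrs" | grep -Evq '^(127\.|\[::1\]$)'; then
    echo ok
  else
    echo loopback-only
  fi
}

# Constructed sample `ss -tlnp` output: nginx serves port 80 on all
# addresses but binds 443 on loopback only; sshd is unrelated noise.
SAMPLE_SS='State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       511     0.0.0.0:80           0.0.0.0:*          users:(("nginx",pid=1234,fd=6))
LISTEN  0       511     [::]:80              [::]:*             users:(("nginx",pid=1234,fd=7))
LISTEN  0       511     127.0.0.1:443        0.0.0.0:*          users:(("nginx",pid=1234,fd=8))
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=900,fd=3))'

# On a live server: diagnose_port 443 "$(sudo ss -tlnp)"
for port in 80 443; do
  echo "port $port: $(diagnose_port "$port" "$SAMPLE_SS")"
done
```

With the sample input the script reports port 80 as ok and port 443 as loopback-only, which is exactly the state that produces error 521 for HTTPS visitors while the service status shows active.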
Check if ports 80 and 443 are open in your firewall:
Using UFW:
sudo ufw status
Look for rules allowing port 80 and 443. If absent:
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
sudo ufw reload
Using iptables:
sudo iptables -L INPUT -n | grep -E "dpt:(80|443)\b"
Test port connectivity from outside your server: Use an online port checker tool (search “open port checker”) and enter your server’s IP with ports 80 and 443. If either shows as closed, you’ve found your error 521 cause.
Note on Cloudflare’s supported ports: Cloudflare’s reverse proxy supports specific HTTP and HTTPS ports. If your origin runs on a non-standard port, Cloudflare won’t connect to it by default unless you configure Cloudflare to use that port, which requires a Cloudflare Enterprise plan for arbitrary ports. Standard Cloudflare plans proxy HTTP ports 80, 8080, 8880, 2052, 2082, 2086, 2095, and HTTPS ports 443, 2053, 2083, 2087, 2096, 8443.
Fix 5: Review Your Hosting Provider’s Firewall and Security Rules
Beyond your server’s local firewall, your hosting provider may operate its own network-level firewall, DDoS protection system, or IP reputation filter that blocks Cloudflare’s connection attempts before they even reach your server.
This is especially common with:
- Shared hosting providers that implement aggressive server-wide firewall rules
- Cloud hosting platforms (AWS, GCP, Azure, DigitalOcean, Linode) with security group configurations
- VPS providers that enable default firewall rules during provisioning
- Managed WordPress hosts with their own WAF and IP filtering
Cloud platform security groups:
For AWS EC2, check your Security Group inbound rules:
- Open the AWS console > EC2 > Security Groups
- Select your instance’s security group
- Check inbound rules for ports 80 and 443
- Ensure the source is set to 0.0.0.0/0 (all traffic) or specifically to Cloudflare’s IP ranges
- Add rules if missing
For DigitalOcean, check Firewall settings:
- Networking > Firewalls
- Verify inbound rules allow TCP on ports 80 and 443 from all sources
For Google Cloud Platform:
- VPC Network > Firewall
- Verify rules allow ingress on ports 80 and 443
Contact your hosting provider: If you’re on shared or managed hosting and can’t access firewall settings directly, contact your host’s support team. Explain that Cloudflare’s proxy IPs are being blocked and provide Cloudflare’s IP ranges. Many managed hosts have a process for whitelisting CDN providers.
Fix 6: Check SSL/TLS Certificate Configuration
SSL/TLS misconfigurations are a significant and often overlooked cause of Cloudflare error 521 — particularly when your Cloudflare SSL/TLS mode is set to Full or Full (Strict), but your origin server’s SSL certificate is expired, missing, self-signed incorrectly, or not installed at all.
When Cloudflare attempts to connect to your origin on port 443 with HTTPS and the SSL handshake fails, the connection is dropped — producing error 521.
Check your Cloudflare SSL/TLS settings:
- Log in to the Cloudflare dashboard
- Select your domain
- Go to SSL/TLS > Overview
- Note your current encryption mode
SSL/TLS mode guide:
- Off — Cloudflare connects to your origin via HTTP on port 80 only. No SSL needed on origin.
- Flexible — Cloudflare connects to the origin via HTTP. Your origin doesn’t need SSL. (Not recommended for production)
- Full — Cloudflare connects via HTTPS but doesn’t validate your certificate. Self-signed certs work.
- Full (Strict) — Cloudflare connects via HTTPS and validates the certificate. Requires a valid, trusted, non-expired certificate.
Quick diagnostic fix: Temporarily switch your SSL/TLS mode to Flexible in the Cloudflare dashboard. If error 521 disappears, your origin SSL configuration is the problem.
Permanent SSL fixes:
If you need Full or Full (Strict) mode:
- Install a valid SSL certificate on your origin server
- Use Cloudflare Origin Certificate — a free certificate issued by Cloudflare specifically for origin servers, available in your Cloudflare dashboard under SSL/TLS > Origin Server
- Ensure the certificate covers your domain correctly
- Verify certificate expiry — an expired cert causes connection refusal
Check certificate installation:
openssl s_client -connect YOUR-SERVER-IP:443 -servername yourdomain.com
Connect to the origin IP rather than the domain name: while the record is proxied, yourdomain.com resolves to Cloudflare’s edge and you would be inspecting Cloudflare’s certificate instead of your own. Review the output for certificate validity, expiry, and chain completeness.
Fix 7: Temporarily Bypass Cloudflare to Diagnose the Origin
This fix is actually a diagnostic technique that definitively tells you whether your origin server is the problem or whether Cloudflare’s routing is involved.
By bypassing Cloudflare’s proxy and connecting directly to your origin server, you can determine:
- Whether your server responds correctly when accessed directly
- Whether the issue is specific to Cloudflare’s connection to your server
- Whether your server is actually online despite showing error 521
Method 1 — Use your server’s direct IP:
- Find your origin server’s IP address (in your hosting control panel or DNS settings)
- Open a browser or use curl:
curl -I http://YOUR-SERVER-IP
curl -I https://YOUR-SERVER-IP --insecure
- If you get a response (any HTTP status code), your server is running
- If the connection is refused, your server or local firewall is the problem
Method 2 — Pause Cloudflare proxy (DNS-only mode):
- Log in to the Cloudflare dashboard
- Go to DNS > Records
- Find your A record and click the orange cloud icon to turn it gray (DNS-only mode)
- Wait 2–5 minutes for DNS propagation
- Visit your website — it now connects directly to your origin
- If the site loads, Cloudflare’s connection to your origin is being blocked (fix: whitelist Cloudflare IPs)
- If the site still shows an error, your origin server is genuinely down
- Remember to re-enable the orange cloud proxy after testing
This bypass technique is the fastest way to separate Cloudflare-specific blocking from genuine server downtime — two scenarios that look identical to visitors but require completely different fixes.
Fix 8: Review Cloudflare Firewall Rules and IP Access Rules
This fix addresses a less common but very real scenario: your own Cloudflare configuration blocking the connection.
Cloudflare allows you to create firewall rules, IP access rules, and WAF policies. In rare cases — particularly after copying rules from another domain or implementing aggressive security policies — these rules can interfere with how Cloudflare communicates with your origin or how it routes traffic, contributing to error 521 conditions.
Review Cloudflare Firewall Rules:
- Log in to the Cloudflare dashboard
- Go to Security > WAF > Firewall Rules (or Custom Rules in newer interface)
- Look for rules that might be blocking all traffic, specific geographic regions, or large IP ranges
- Temporarily disable rules one at a time to test
- Also, check Security > WAF > Tools > IP Access Rules for any blocking rules
Check Cloudflare Page Rules:
- Go to Rules > Page Rules
- Look for any rules affecting your domain root or primary pages
- Disable temporarily to test if they contribute to the issue
Review Cloudflare’s Health Checks (Enterprise): If you’re on an Enterprise plan, check Load Balancer health check configurations — misconfigured health checks can cause Cloudflare to mark your origin as unhealthy and stop routing traffic to it.
Rate Limiting Rules: If you have very aggressive rate-limiting rules configured in Cloudflare, they can sometimes interfere with connection establishment. Review under Security > WAF > Rate Limiting Rules.
Fix 9: Check Server Resource Limits and Overload
Your web server might be running, but completely overwhelmed. When server resources are maxed out, the web server can no longer accept new connections, causing them to be refused. This produces error 521 even though the server process is technically active.
Diagnose server resource usage via SSH:
CPU usage:
top
# or more readable:
htop
Look for CPU usage consistently at 100% — a sign of a runaway process consuming all available CPU.
Memory usage:
free -h
If available memory shows near zero, the system may be OOM-killing processes, including your web server.
Disk space:
df -h
A full disk (100% usage) on your root or web directory partition will cause web server failures. Clear logs, temporary files, or expand disk space. To monitor and manage server performance more efficiently, developers often use the best automation tools for developers.
Active connections:
# Apache
apache2ctl fullstatus | grep "Total accesses"
# or check the MaxRequestWorkers limit:
grep -i maxrequestworkers /etc/apache2/mods-enabled/mpm_prefork.conf
# Nginx (worker_processes × worker_connections is the connection ceiling)
grep -E "worker_(processes|connections)" /etc/nginx/nginx.conf
If your server is at its connection limit, consider:
- Increasing MaxRequestWorkers (Apache) or worker_connections (Nginx)
- Upgrading your hosting plan for more resources
- Implementing Cloudflare’s caching more aggressively to reduce origin server load
- Optimizing your application to reduce server resource consumption
Check for processes consuming excessive resources:
ps aux --sort=-%cpu | head -20
ps aux --sort=-%mem | head -20
Kill any runaway processes and investigate their root cause to prevent recurrence.
Fix 10: Use Cloudflare Tunnel as a Permanent Solution
If you’re dealing with persistent error 521 issues — particularly due to firewall complexity, NAT configurations, or hosting environments where opening ports is difficult — Cloudflare Tunnel (formerly Argo Tunnel) provides a permanent architectural solution.
Instead of Cloudflare connecting inbound to your server (which can be blocked by firewalls), Cloudflare Tunnel creates an outbound encrypted connection from your server to Cloudflare’s network. Your server reaches out to Cloudflare — not the other way around — eliminating the entire category of firewall-blocking issues that cause error 521.
How Cloudflare Tunnel eliminates error 521:
- Your server establishes the connection to Cloudflare, not the reverse
- No inbound ports need to be open on your server
- Cloudflare IPs don’t need to be whitelisted — the connection originates from your server
- Works even in highly restricted network environments
Setting up Cloudflare Tunnel:
- Install cloudflared on your server:
# For Ubuntu/Debian:
wget https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-amd64.deb
sudo dpkg -i cloudflared-linux-amd64.deb
- Authenticate with your Cloudflare account:
cloudflared tunnel login
- Create a tunnel:
cloudflared tunnel create my-website-tunnel
- Configure the tunnel to point to your local web server:
# Create config file at ~/.cloudflared/config.yml:
tunnel: <your-tunnel-id>
credentials-file: /root/.cloudflared/<tunnel-id>.json
ingress:
  - hostname: yourdomain.com
    service: http://localhost:80
  - service: http_status:404
- Run the tunnel as a system service:
sudo cloudflared service install
sudo systemctl start cloudflared
- Route your Cloudflare DNS to the tunnel via the dashboard
Cloudflare Tunnel is available on the free Cloudflare plan and is particularly valuable for home servers, self-hosted applications, and environments where traditional port forwarding or firewall management is impractical.
How to Diagnose Error 521 With Logs and Tools
Beyond the fixes above, these diagnostic tools help you identify error 521 causes precisely:
Reading Your Web Server Error Logs
Apache error log:
sudo tail -100 /var/log/apache2/error.log
Nginx error log:
sudo tail -100 /var/log/nginx/error.log
Look for entries timestamped around when error 521 occurred. Common patterns:
- [error] accept4() failed — server exhausted connections
- [crit] (28)No space left on device — disk full
- AH00053: child process just exited — process crashes
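As an added example that is not part of the article, the script below runs the three log patterns just listed over constructed sample error-log lines and tallies which cause each one points to, so a long log can be summarised in one command. classify_log_line, summarize_error_log, top_cause and the sample lines are invented for this example.

```shell
#!/usr/bin/env bash
# Added example (not from the article): map web server error-log lines to
# the failure causes documented above and count them.

# classify_log_line "LINE": prints the suspected cause, or nothing when the
# line matches none of the known patterns.
classify_log_line() {
  case "$1" in
    *"accept4() failed"*)          echo connections-exhausted ;;
    *"No space left on device"*)   echo disk-full ;;
    *"child process"*"exited"*)    echo child-crash ;;     # Apache AH00053
  esac
}

# summarize_error_log "LOG_TEXT": prints "cause count" lines, most
# frequent first; lines that match nothing are ignored.
summarize_error_log() {
  printf '%s\n' "$1" | while IFS= read -r line; do
    classify_log_line "$line"
  done | sort | uniq -c | sort -rn | awk '{print $2, $1}'
}

# top_cause "LOG_TEXT": the single most frequent cause, or "unknown".
top_cause() {
  local first
  first=$(summarize_error_log "$1" | head -n 1 | cut -d' ' -f1)
  echo "${first:-unknown}"
}

# Constructed sample: nginx-style and Apache-style lines mixed, as they
# would be when tailing both logs; the last line is benign.
SAMPLE_LOG='2024/05/01 10:02:11 [error] 1234#1234: accept4() failed (24: Too many open files)
2024/05/01 10:02:12 [error] 1234#1234: accept4() failed (24: Too many open files)
2024/05/01 10:02:15 [crit] 1234#1234: open() "/var/log/nginx/access.log" failed (28: No space left on device)
[Wed May 01 10:03:02.456 2024] [mpm_prefork:error] [pid 2000] AH00053: child process 2011 just exited
2024/05/01 10:03:05 [notice] 1234#1234: signal process started'

# On a live server: summarize_error_log "$(sudo tail -100 /var/log/nginx/error.log)"
summarize_error_log "$SAMPLE_LOG"
echo "most likely cause: $(top_cause "$SAMPLE_LOG")"
```

For the sample, the summary lists connections-exhausted 2, disk-full 1 and child-crash 1, so the most likely cause is connection exhaustion (Fix 9) rather than a crash; the benign notice line is not counted.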
Cloudflare Analytics
In your Cloudflare dashboard:
- Go to Analytics & Logs > Traffic
- Look for spikes in 521 error responses
- Check timing — did errors start after a specific event?
- Review which URLs trigger 521 most frequently
Using curl for Connection Testing
# Test HTTP connection to your origin IP:
curl -v -H “Host: yourdomain.com” http://YOUR-SERVER-IP/
# Test HTTPS:
curl -v -H “Host: yourdomain.com” https://YOUR-SERVER-IP/ –insecure
# Test with Cloudflare-like headers:
curl -v -H “Host: yourdomain.com” -H “CF-Connecting-IP: 1.2.3.4” http://YOUR-SERVER-IP/
A curl: (7) Failed to connect to host port 80: Connection refused response confirms the connection refusal that causes error 521.
Error 521 vs Other Cloudflare 5xx Errors — Key Differences
Understanding how error 521 differs from similar Cloudflare errors helps you diagnose faster:
| Error Code | Meaning | Key Difference |
|---|---|---|
| 521 | Web Server Is Down | Server actively refuses connection (TCP RST) |
| 522 | Connection Timed Out | Server doesn’t respond within timeout (no RST) |
| 523 | Origin Is Unreachable | Cloudflare can’t reach the server’s IP at all |
| 524 | A timeout occurred | Server connected, but didn’t respond in time |
| 525 | SSL Handshake Failed | Server responded, but SSL negotiation failed |
| 526 | Invalid SSL Certificate | The SSL certificate is invalid or untrusted |
| 530 | 1XXX Internal Error | Cloudflare-side configuration problem |
Error 521 specifically means active refusal — the server’s TCP stack responded with a connection reset. This is distinct from being unreachable (523) or slow (522, 524), which points directly to firewall blocking or web server process failure as the cause.
Quick Reference Fix Table
| Fix | Primary Cause | Server Type | Time Needed |
|---|---|---|---|
| Check that the web server is running | Crashed server process | All | 5 minutes |
| Whitelist Cloudflare IPs | Firewall blocking | All | 10–20 minutes |
| Fix web server config | Misconfiguration | Apache/Nginx | 15 minutes |
| Verify ports open and are listening | Port not open | All | 10 minutes |
| Review the hosting firewall | Cloud/hosting rules | VPS/Cloud | 15 minutes |
| Fix SSL/TLS config | Certificate issues | All | 15–30 minutes |
| Bypass Cloudflare to diagnose | Diagnostic technique | All | 5 minutes |
| Review Cloudflare rules | Self-imposed blocks | All | 10 minutes |
| Check server resources | Overload/OOM | All | 10 minutes |
| Implement Cloudflare Tunnel | Persistent fix | All | 30–60 minutes |
Final Thoughts
The “Web Server Is Down” error code 521 from Cloudflare is one of the most immediately impactful errors a website owner can face — but it’s almost always solvable with systematic troubleshooting.
The diagnostic path is clear: check if your server is running, confirm Cloudflare’s IPs aren’t being blocked, verify your SSL configuration matches your Cloudflare SSL mode, and use the bypass technique to definitively identify whether the problem is local to your server or specific to Cloudflare’s connection.
For most website owners, fixing error 521 comes down to two things: restarting a crashed web server or whitelisting Cloudflare’s IP ranges. For complex environments — cloud platforms, managed hosting, or high-security server configurations — the port verification, SSL review, and resource monitoring steps complete the picture.
And for those who want a permanent, architecture-level solution that makes error 521 structurally impossible, Cloudflare Tunnel is the answer.
Your website belongs online. Let’s keep it there.