
The Ultimate Guide to Fixing Cloudflare Error 521: Web Server Is Down


If you manage a website, seeing a “Web Server is Down” error is enough to make your heart skip a beat. Your site is returning a “521 Web Server Is Down” message to every visitor. Cloudflare connected to your server’s IP successfully, but nothing answered back on port 80 (HTTP) or 443 (HTTPS).

In short: The web server process isn’t running, or it’s actively refusing the connection. Unlike broader 5xx errors, Cloudflare error 521 is highly specific. The network path works, and the physical (or virtual) machine is reachable, but the web server software itself is the bottleneck.

Here is a comprehensive guide from Hollands Web on exactly what is happening under the hood and how you can fix it immediately.

What Is Cloudflare Error 521?

When you use Cloudflare, it acts as a reverse proxy. This means visitor traffic goes to Cloudflare’s global network first, and then Cloudflare forwards that traffic to your origin server.

Error 521 means Cloudflare reached your origin server’s IP address, but your web server software (like Apache, Nginx, or LiteSpeed) refused the connection. The problem is not Cloudflare’s infrastructure; the issue lies squarely at the application level on your origin server.

4 Primary Causes of Error 521

Almost every 521 case can be traced back to one of these four root causes:

  1. Origin Server Process is Offline: The most straightforward cause. Your server machine might be turned on, but the web server process (Apache/Nginx) has crashed, stopped, or is caught in a reboot loop.
  2. Firewall Blocking Cloudflare IPs: Cloudflare acts as a proxy, meaning all incoming traffic to your server comes from Cloudflare’s IP addresses. If your OS-level firewall (like UFW or iptables) or a security plugin restricts these IPs, the connection is instantly dropped.
  3. SSL/TLS Encryption Misconfiguration: A mismatch between the Cloudflare SSL/TLS encryption mode and what your origin server actually supports. This usually causes connection refusals right at the TLS handshake stage.
  4. Server Resource Overload (CPU/RAM): Under extreme load (due to traffic spikes, bad bots, or poorly optimized queries), the web server process may technically be running but lacks the resources to accept new connections. The OS’s Out-Of-Memory (OOM) killer might even be terminating child processes.

How to Fix Cloudflare Error 521 (Step-by-Step)

Follow these five steps in order. They are organized by how often they actually resolve the problem.

Step 1: Check If Your Web Server Process Is Running

First, SSH into your server and check the status of your web service.

For Nginx:

sudo systemctl status nginx

For Apache (Ubuntu/Debian):

sudo systemctl status apache2

If the status shows as inactive (dead) or failed, attempt to restart it (sudo systemctl restart nginx). If it fails to start, check your error logs to find out why:

  • Nginx: tail -f /var/log/nginx/error.log
  • Apache: tail -f /var/log/apache2/error.log

Step 2: Whitelist Cloudflare IP Ranges

If the service is running, your firewall is likely blocking Cloudflare. You need to explicitly allow Cloudflare’s IP ranges on ports 80 and 443.

Here is a quick bash loop you can use if you are running UFW (Uncomplicated Firewall):

# Fetch Cloudflare's published IPv4 ranges and allow each one on 80 and 443.
# (The IPv6 list is published separately at https://www.cloudflare.com/ips-v6.)
for ip in $(curl -s https://www.cloudflare.com/ips-v4); do
  sudo ufw allow from "$ip" to any port 443
  sudo ufw allow from "$ip" to any port 80
done
sudo ufw reload

Note: Always verify the official IP list directly at cloudflare.com/ips.

Step 3: Correct Your SSL/TLS Encryption Settings

Open your Cloudflare dashboard, navigate to SSL/TLS, and check your current mode. A mismatch here is a common cause of 521 errors, especially after an origin certificate expires.

Cloudflare SSL modes, what each one means, and when to use it:

  • Flexible: Traffic between Cloudflare and your server is unencrypted (HTTP). When to use it: avoid if possible; only use it if your origin cannot support SSL.
  • Full: Traffic is encrypted, but Cloudflare doesn’t validate the origin cert. When to use it: good if you are using a self-signed certificate on your server.
  • Full (Strict): Traffic is encrypted AND Cloudflare requires a valid, trusted certificate on the origin. When to use it: the best security; requires a Let’s Encrypt or Cloudflare Origin CA cert on your server.

If you are set to Full (Strict) but your origin certificate recently expired, drop the setting to Full temporarily to restore your site while you renew the certificate.

Step 4: Inspect Server Resource Usage

If connections are still refused, your server might be choking. Use terminal tools like top or htop to view real-time resource consumption. Look for processes eating up 100% of your CPU or exhausting your RAM. Restarting the bloated process (e.g., PHP-FPM or MySQL) can clear the bottleneck and restore web server connectivity.

Step 5: Disable Cloudflare Temporarily (Pause Cloudflare on Site)

If you are still stuck, use Cloudflare’s “Pause Cloudflare on Site” feature located in the Overview dashboard. This bypasses Cloudflare entirely and routes traffic directly to your origin server via DNS. While not a permanent fix, it removes the proxy layer, allowing you to troubleshoot the raw server response without caching interference.

How to Fix Error 521 on WordPress Sites

If you are running WordPress, a 521 error often stems from application-layer plugins rather than server-level issues.

  • Deactivate Conflicting Performance Plugins: Caching plugins (like WP Rocket or W3 Total Cache) can sometimes alter .htaccess or Nginx config files in ways that break proxy connections. Deactivate all plugins via FTP/SSH (rename the /wp-content/plugins/ folder) and see if the error clears.
  • Review Security Plugin Firewalls: Plugins like Wordfence or iThemes Security operate their own firewalls. If they detect unusual traffic patterns from Cloudflare IPs (which happens because all your traffic shares Cloudflare’s IPs), they might block them. Explicitly whitelist Cloudflare’s IP ranges inside your security plugin’s settings.

Preventing Error 521 from Recurring

Don’t wait for your users to report downtime. Proactive management is key:

  1. Set Up Deep Uptime Monitoring: Don’t just ping your server’s IP. Use tools like UptimeRobot to monitor HTTP status codes (looking for 200 OK) and set up a port-level TCP check on port 443.
  2. Automate IP Allowlist Updates: Cloudflare occasionally updates its IP ranges. Write a simple cron job script that fetches the latest IPs from Cloudflare and automatically updates your iptables or ufw rules weekly so you are never caught off guard.
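A cron-ready version of the Step 2 loop that also covers the weekly refresh in item 2, added here as an example and not part of the original article: it fetches both the IPv4 and IPv6 lists, discards any line that is not a CIDR, tags each rule with a comment so stale rules can be removed on the next run, and only touches ufw when invoked with --apply. The tag name, the --apply flag and the function names are this example's own choices.

```shell
#!/usr/bin/env bash
# Added example (not the article's script). Assumes ufw 0.35+ (rule comments)
# and curl. Schedule with cron, e.g. weekly: 0 3 * * 0 /usr/local/sbin/cf-allowlist.sh --apply
set -eu

CF_V4_URL="https://www.cloudflare.com/ips-v4"
CF_V6_URL="https://www.cloudflare.com/ips-v6"
TAG="cloudflare-origin"   # our own label; lets us find and delete stale rules later

# Keep only well-formed IPv4/IPv6 CIDRs so a garbled download never becomes a rule.
filter_cidrs() {
  grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}$|^[0-9a-fA-F:]+/[0-9]{1,3}$' || true
}

# Read CIDRs on stdin (one per line) and print the ufw command for each port.
build_rules() {
  filter_cidrs | while read -r cidr; do
    for port in 80 443; do
      printf 'ufw allow proto tcp from %s to any port %s comment %s\n' "$cidr" "$port" "$TAG"
    done
  done
}

# Delete every rule carrying our tag (highest number first so the numbering
# stays valid while deleting), then add the fresh set from stdin and reload.
apply_rules() {
  ufw status numbered | grep -F "# $TAG" | grep -oE '^\[ *[0-9]+\]' | tr -d '[] ' | sort -rn |
    while read -r n; do ufw --force delete "$n"; done
  build_rules | while read -r cmd; do $cmd; done
  ufw reload
}

if [ "${1:-}" = "--apply" ]; then
  { curl -fsS "$CF_V4_URL"; echo; curl -fsS "$CF_V6_URL"; echo; } | apply_rules
fi
```

Run it without --apply and pipe a list into build_rules to preview the rules it would create before letting cron touch the firewall.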

Cloudflare Error 521 vs. Other 5xx Errors

Understanding the difference between 500-level errors saves hours of debugging time:

Error code, meaning, and where the problem is:

  • Error 520: Web server returned an empty, unknown, or unexpected response. Where the problem is: the web server is running, but the application (e.g., PHP) crashed during the request.
  • Error 521: Web server actively refused the connection. Where the problem is: the web server process is completely down or a firewall is blocking the connection.
  • Error 522: Connection timed out. Where the problem is: the web server is completely unreachable, heavily overloaded, or network routing failed.
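To turn the table above and the port-level TCP check from the prevention list into something a monitor can run, here is an added example (not from the article) that connects to the origin the way Cloudflare does and labels each outcome with the 5xx pattern it corresponds to. ORIGIN_HOST and the function names are this example's own; it assumes bash with /dev/tcp support, GNU coreutils timeout and, for the HTTP layer, curl.

```shell
#!/usr/bin/env bash
# Added example, not from the article. Set ORIGIN_HOST to your origin IP or hostname.

# TCP-connect to host:port and print one word describing the outcome:
#   ok      - a listener answered (the web server process is up and reachable)
#   refused - connection actively refused: the 521 pattern (process down or firewall reject)
#   timeout - no answer within the wait: the 522 pattern (unreachable or overloaded)
probe_port() {
  host=$1; port=$2; wait=${3:-5}
  rc=0
  timeout "$wait" bash -c "exec 3<>/dev/tcp/$host/$port" 2>/dev/null || rc=$?
  case $rc in
    0)   echo ok ;;
    124) echo timeout ;;
    *)   echo refused ;;
  esac
}

# Once TCP is up, request a page over HTTPS and report the status code. A 5xx or
# an empty reply here, with TCP still fine, is what Cloudflare surfaces as a 520.
# -k is used because in "Full" mode the origin may carry a self-signed certificate.
http_status() {
  host=$1
  command -v curl >/dev/null || { echo "curl-missing"; return 0; }
  # curl prints 000 for http_code when no response was received
  curl -sS -k -o /dev/null -w '%{http_code}' --max-time 10 "https://$host/" 2>/dev/null || true
}

# Check both ports Cloudflare connects to, the way a port-level uptime check would.
check_origin() {
  host=$1
  for port in 80 443; do
    printf '%s:%s tcp=%s\n' "$host" "$port" "$(probe_port "$host" "$port")"
  done
  [ "$(probe_port "$host" 443)" = ok ] && printf '%s:443 http=%s\n' "$host" "$(http_status "$host")"
  return 0
}

if [ -n "${ORIGIN_HOST:-}" ]; then
  check_origin "$ORIGIN_HOST"
fi
```

Run it from a host outside your network so the result reflects what Cloudflare's edge sees; a "refused" on both ports with the process reported active points at the firewall rather than the web server.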

FAQs

  1. What does Cloudflare Error 521 mean? Cloudflare error 521 means your origin web server process is not accepting connections on port 80 or 443. Cloudflare successfully reached your server’s IP, but the server software actively refused the connection.
  2. Is Error 521 a Cloudflare or server issue? It is strictly a server-side issue. A 521 error confirms that Cloudflare’s edge network is working perfectly, but your origin server is blocking or rejecting the incoming requests.
  3. How do I fix error 521 fast? Start by verifying that your web server process (Apache/Nginx) is running. Then, whitelist Cloudflare’s IP ranges in your server’s firewall, and ensure your Cloudflare SSL/TLS mode matches your origin server’s certificate setup.
  4. Why does error 521 happen even if my server is online? Your server machine might be powered on, but the specific software handling web traffic (like Nginx or Apache) might have crashed, run out of memory, or a firewall might be blocking Cloudflare’s proxy IP addresses.
  5. What is the difference between Error 521 and Error 522? Error 521 occurs when your server actively refuses the connection from Cloudflare. Error 522 happens when the connection times out because the server is completely unreachable or not responding at all.
