Status Code
521 Web Server Is Down
Cloudflare-specific status code indicating the origin server refused the connection. Learn about this proxy error and how to troubleshoot it.
TL;DR: Cloudflare can’t connect to your origin server because it’s down or refusing connections. Check if your server is running and whitelist Cloudflare IPs.
What is 521 Web Server Is Down?
A 521 Web Server Is Down is a Cloudflare-specific status code that means the origin server refused the connection from Cloudflare. Think of it like a delivery service trying to drop off a package, but the business is closed and won’t open the door—the middleman (Cloudflare) can’t complete the delivery because the destination won’t accept it.
This is not a standard HTTP status code but rather a custom error code used by Cloudflare’s proxy service to indicate connectivity issues with the origin server.
When Does This Happen?
You’ll see a 521 Web Server Is Down response in these common situations:
1. Origin Server Offline
Web server stopped or crashed
Cloudflare → Origin server (not responding) → 5212. Firewall Blocking Cloudflare
Origin firewall blocking Cloudflare IPs
Cloudflare request → Firewall blocks → 5213. Origin Server Overloaded
Server rejecting new connections
Cloudflare → Origin (too many connections) → 5214. Network Issue at Origin
Network configuration problem
Cloudflare → Network error → 5215. Wrong Origin Configuration
Cloudflare pointing to wrong IP/port
Cloudflare → Non-existent server → 521Example Responses
Basic 521 Error:
HTTP/1.1 521 Web Server Is Down
Server: cloudflare
CF-RAY: 8b2e5f3a1c9d4e7f-LAX
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html>
<html>
<head><title>521: Web server is down</title></head>
<body>
<h1>Web server is down</h1>
<p>The web server is not returning a connection. As a result, the web page is not displaying.</p>
<ul>
<li>If you are a visitor of this website: Please try again in a few minutes.</li>
<li>If you are the owner of this website: Contact your hosting provider to check your origin web server.</li>
</ul>
<p>Cloudflare Ray ID: 8b2e5f3a1c9d4e7f</p>
<p>Your IP: 203.0.113.42</p>
</body>
</html>
```text
**With Troubleshooting Info:**
```http
HTTP/1.1 521 Web Server Is Down
Server: cloudflare
CF-RAY: 8b2e5f3a1c9d4e7f-LAX
Content-Type: application/json
{
"error": "Web Server Is Down",
"code": 521,
"message": "The origin web server is not responding to requests from Cloudflare",
"details": {
"origin_ip": "192.0.2.1",
"connection_refused": true,
"cloudflare_datacenter": "LAX",
"ray_id": "8b2e5f3a1c9d4e7f",
"timestamp": "2026-01-18T14:30:00Z"
},
"troubleshooting": {
"for_visitors": [
"Wait a few minutes and try again",
"Check if other pages on this site work",
"Clear your browser cache",
"Try a different network"
],
"for_site_owners": [
"Check if origin server is running",
"Verify firewall allows Cloudflare IPs",
"Check server error logs",
"Verify DNS settings in Cloudflare dashboard",
"Contact hosting provider"
]
},
"resources": {
"support": "https://support.cloudflare.com/hc/articles/115003011431",
"status": "https://www.cloudflarestatus.com",
"community": "https://community.cloudflare.com"
}
}HTML Error Page:
HTTP/1.1 521 Web Server Is Down
Server: cloudflare
CF-RAY: 8b2e5f3a1c9d4e7f-LAX
Content-Type: text/html
<!DOCTYPE html>
<html>
<head>
<title>521: Web Server Is Down</title>
<style>
body { font-family: Arial, sans-serif; max-width: 800px; margin: 50px auto; padding: 20px; }
h1 { color: #f48024; }
.error-code { font-size: 72px; font-weight: bold; color: #ccc; }
.info-box { background: #f5f5f5; padding: 15px; border-radius: 5px; margin: 20px 0; }
</style>
</head>
<body>
<div class="error-code">521</div>
<h1>Web Server Is Down</h1>
<p>The origin server refused connection from Cloudflare.</p>
<div class="info-box">
<h2>What happened?</h2>
<p>Cloudflare could not reach your origin server. This could be because:</p>
<ul>
<li>The origin server is offline or crashed</li>
<li>A firewall is blocking Cloudflare's requests</li>
<li>The server is overloaded and refusing connections</li>
<li>Network issues between Cloudflare and the origin</li>
</ul>
</div>
<div class="info-box">
<h2>What can I do?</h2>
<h3>If you're a visitor:</h3>
<p>This is a temporary issue. Please try again in a few minutes.</p>
<h3>If you're the site owner:</h3>
<ol>
<li>Check if your origin server is running</li>
<li>Verify your firewall allows Cloudflare IPs</li>
<li>Check your server's error logs</li>
<li>Review your DNS settings in Cloudflare</li>
<li>Contact your hosting provider</li>
</ol>
</div>
<p style="color: #999; font-size: 12px;">
Cloudflare Ray ID: 8b2e5f3a1c9d4e7f<br>
Your IP: 203.0.113.42<br>
Timestamp: 2026-01-18 14:30:00 UTC
</p>
</body>
</html>
```text
## Real-World Example
Imagine a website using Cloudflare as a CDN/proxy, but the origin server goes offline:
**User Request (Through Cloudflare):**
```http
GET /products/laptop HTTP/1.1
Host: shop.example.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)
Accept: text/html,application/xhtml+xml,application/xmlCloudflare Tries to Connect to Origin:
Cloudflare Edge Server (LAX) attempts connection to:
Origin Server: 192.0.2.1:443
Connection: REFUSED (server not accepting connections)521 Error Response to User:
HTTP/1.1 521 Web Server Is Down
Date: Sat, 18 Jan 2026 14:30:00 GMT
Content-Type: text/html; charset=UTF-8
Server: cloudflare
CF-RAY: 8b2e5f3a1c9d4e7f-LAX
CF-Cache-Status: DYNAMIC
<!DOCTYPE html>
<html>
<head><title>Web Server Is Down</title></head>
<body>
<h1>Error 521: Web server is down</h1>
<p>The web server at shop.example.com is not responding to connections from Cloudflare.</p>
<h2>What's happening?</h2>
<p>Cloudflare successfully connected to the internet and your domain, but the origin web server refused the connection. This typically indicates:</p>
<ul>
<li><strong>Server Offline:</strong> The web server software has stopped or crashed</li>
<li><strong>Network Issue:</strong> The origin server cannot be reached due to network problems</li>
<li><strong>Firewall Block:</strong> A firewall is blocking Cloudflare's requests</li>
<li><strong>Overloaded Server:</strong> The server is rejecting new connections</li>
</ul>
<h2>Resolution</h2>
<p><strong>Site visitors:</strong> Please wait a few minutes and try again.</p>
<p><strong>Site owner:</strong> Contact your hosting provider to check your origin web server's status and logs.</p>
<hr>
<p style="color: #666; font-size: 12px;">
Error reference: Cloudflare Ray ID: 8b2e5f3a1c9d4e7f<br>
Performance & security by Cloudflare
</p>
</body>
</html>
```text
## 521 vs Other Cloudflare Error Codes
| Code | Meaning | Origin Status | Connection |
| ------- | -------------------- | ------------------- | ------------------ |
| **521** | Web server is down | Refusing connection | Connection refused |
| **522** | Connection timed out | Not responding | Timeout |
| **523** | Origin unreachable | Not reachable | Cannot route |
| **524** | Timeout occurred | Slow response | Partial response |
| **520** | Unknown error | Various | Unknown issue |
## Important Characteristics
**Cloudflare-Specific:**
```text
- Not a standard HTTP status code
- Only appears when using Cloudflare
- Indicates proxy-to-origin connection issue
- Different from origin server's actual error
```text
**Connection Refused vs Timeout:**
```text
521 (Connection Refused):
- Server actively rejects connection
- Usually means server is down or firewall blocking
- Immediate response
522 (Connection Timeout):
- Server doesn't respond at all
- Could be network issue or extremely slow
- Takes time to timeout
```http
**Debugging Information:**
```http
CF-RAY: 8b2e5f3a1c9d4e7f-LAX ← Unique request ID
Server: cloudflare ← Served by Cloudflare
CF-Cache-Status: DYNAMIC ← Not cachedCommon Causes and Solutions
1. Origin Server Offline
# Check if web server is running
sudo systemctl status nginx
sudo systemctl status apache2
# Start web server if stopped
sudo systemctl start nginx
# Check if server is listening on correct port
sudo netstat -tlnp | grep :80
sudo netstat -tlnp | grep :443
```text
**2. Firewall Blocking Cloudflare**
```bash
# Allow Cloudflare IP ranges (example for iptables)
# Get latest IPs from: https://www.cloudflare.com/ips/
# IPv4
iptables -I INPUT -p tcp -m multiport --dports 80,443 -s 173.245.48.0/20 -j ACCEPT
iptables -I INPUT -p tcp -m multiport --dports 80,443 -s 103.21.244.0/22 -j ACCEPT
# ... (add all Cloudflare ranges)
# UFW example
ufw allow from 173.245.48.0/20 to any port 80
ufw allow from 173.245.48.0/20 to any port 4433. Wrong Origin Configuration
Check Cloudflare Dashboard:
1. DNS Settings → Verify A/AAAA records point to correct IP
2. SSL/TLS → Ensure SSL mode is compatible
3. Origin Server → Verify port and protocol4. Server Overloaded
# Check server load
uptime
top
# Check connection limits
cat /proc/sys/net/ipv4/tcp_max_syn_backlog
cat /proc/sys/net/core/somaxconn
# Increase if needed (Nginx example)
# In nginx.conf:
worker_connections 4096;
```text
**5. SSL/TLS Mismatch**
```text
Cloudflare SSL Modes:
- Off: No encryption (not recommended)
- Flexible: Cloudflare to user encrypted, Cloudflare to origin not encrypted
- Full: Encrypted end-to-end (self-signed OK)
- Full (Strict): Encrypted end-to-end (valid certificate required)
Common 521 cause: Mode set to Full but origin has no SSL
```javascript
## Best Practices for Site Owners
**Monitor Origin Server:**
```javascript
// Node.js monitoring script
const http = require('http')
function checkOriginServer() {
const options = {
hostname: 'your-origin-server.com',
port: 80,
path: '/health',
method: 'GET',
timeout: 5000
}
const req = http.request(options, (res) => {
if (res.statusCode === 200) {
console.log('Origin server is UP')
} else {
console.error(`Origin server returned ${res.statusCode}`)
// Alert admin
}
})
req.on('error', (error) => {
console.error('Origin server connection failed:', error.message)
// Send alert - potential 521 error for users
})
req.on('timeout', () => {
req.destroy()
console.error('Origin server timeout')
})
req.end()
}
// Check every 60 seconds
setInterval(checkOriginServer, 60000)Configure Cloudflare Properly:
1. Whitelist Cloudflare IPs in firewall
2. Set correct SSL/TLS mode
3. Configure appropriate timeouts
4. Set up health checks
5. Enable Always Online (serves cached version during outages)Implement Health Checks:
// Express.js health check endpoint
app.get('/health', (req, res) => {
// Check database connection
db.ping()
.then(() => {
res.status(200).json({
status: 'healthy',
timestamp: new Date().toISOString(),
uptime: process.uptime()
})
})
.catch(() => {
res.status(503).json({
status: 'unhealthy',
error: 'Database connection failed'
})
})
})
```text
**Enable Cloudflare's Always Online:**
```text
Dashboard → Caching → Configuration
- Enable "Always Online"
- Serves cached version when origin is down
- Reduces 521 errors for cached content
```text
## Troubleshooting Steps
**For Site Visitors:**
```text
1. Wait 5-10 minutes and try again
2. Try accessing different pages on the site
3. Clear browser cache and cookies
4. Try a different browser or device
5. Check if the site is down for everyone: downforeveryoneorjustme.com
6. Contact site owner if problem persists
```text
**For Site Owners:**
```text
1. Check if origin server is running:
- SSH into server
- Check web server status (nginx, apache, etc.)
- Review server resource usage (CPU, RAM, disk)
2. Check server logs:
- Web server error logs
- System logs
- Application logs
3. Verify Cloudflare settings:
- DNS records point to correct IP
- SSL/TLS mode matches origin configuration
- No IP blocking rules affecting Cloudflare
4. Check firewall:
- Ensure Cloudflare IPs are whitelisted
- Review recent firewall rule changes
- Check DDoS protection settings
5. Test direct connection:
- Try accessing origin server directly (bypass Cloudflare)
- Use curl or telnet to test connectivity
- Check if specific ports are blocked
6. Review recent changes:
- Recent deployments
- Configuration changes
- Server updates
```text
## Implementation Examples
**Custom 521 Error Page:**
```html
<!-- Create custom error page in Cloudflare -->
<!DOCTYPE html>
<html>
<head>
<title>Service Temporarily Unavailable</title>
<style>
body {
font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', sans-serif;
display: flex;
justify-content: center;
align-items: center;
min-height: 100vh;
margin: 0;
background: linear-gradient(135deg, #667eea 0%, #764ba2 100%);
color: white;
}
.container {
text-align: center;
padding: 40px;
background: rgba(255, 255, 255, 0.1);
border-radius: 20px;
backdrop-filter: blur(10px);
}
h1 {
font-size: 3em;
margin: 0;
}
p {
font-size: 1.2em;
}
</style>
</head>
<body>
<div class="container">
<h1>⚠️ We'll Be Right Back</h1>
<p>Our servers are temporarily unavailable.</p>
<p>We're working to restore service as quickly as possible.</p>
<p>Please try again in a few minutes.</p>
</div>
</body>
</html>Origin Server Monitoring:
import requests
import time
from datetime import datetime
def check_origin_health():
origin_url = "https://your-origin-server.com/health"
try:
response = requests.get(origin_url, timeout=5)
if response.status_code == 200:
print(f"[{datetime.now()}] Origin server is healthy")
return True
else:
print(f"[{datetime.now()}] Origin returned {response.status_code}")
send_alert("Origin server unhealthy")
return False
except requests.exceptions.ConnectionError:
print(f"[{datetime.now()}] CONNECTION REFUSED - 521 likely occurring!")
send_alert("CRITICAL: Origin server refusing connections")
return False
except requests.exceptions.Timeout:
print(f"[{datetime.now()}] Origin server timeout - 522 likely occurring!")
send_alert("WARNING: Origin server timeout")
return False
def send_alert(message):
# Send email, Slack notification, PagerDuty, etc.
pass
# Monitor every 30 seconds
while True:
check_origin_health()
time.sleep(30)Try It Yourself
To simulate a 521 error for testing:
-
Temporarily stop your origin server:
sudo systemctl stop nginx -
Try accessing your site through Cloudflare
-
Observe the 521 error
-
Restart your server:
sudo systemctl start nginx
Related Status Codes
- 522 Connection Timed Out - Cloudflare timeout waiting for origin
- 523 Origin Is Unreachable - Cannot route to origin
- 524 A Timeout Occurred - Origin didn’t respond in time
- 520 Web Server Returned an Unknown Error - Generic Cloudflare error
- 503 Service Unavailable - Standard HTTP server unavailable
Frequently Asked Questions
What does Cloudflare error 521 mean?
A 521 error means Cloudflare cannot connect to your origin server because it is down or refusing connections. The server is unreachable from Cloudflare.
How do I fix a 521 error?
Verify your origin server is running, check that your web server (nginx, Apache) is started, ensure firewall allows Cloudflare IPs, and verify the correct ports are open.
What causes 521 errors?
Common causes include origin server crashed or stopped, firewall blocking Cloudflare IPs, web server not listening on expected ports, or server overloaded and refusing connections.
How do I whitelist Cloudflare IPs?
Add Cloudflare IP ranges to your firewall allowlist. Cloudflare publishes their IP ranges at cloudflare.com/ips. Update your firewall rules to allow these IPs on ports 80 and 443.