Error 521: What Causes It and How to Fix It

Introduction

Error 521 is an HTTP status code that indicates a connection issue between a web server and a client. It is usually caused by a server-side issue, such as a misconfigured firewall or a server that is down. It can also be caused by a client-side issue, such as a slow internet connection or a browser that is not compatible with the website. Fortunately, there are a few steps you can take to fix this error. In this article, we will discuss what causes Error 521 and how to fix it.

Error 521: What Causes It and How to Fix It

Error 521 is an HTTP status code that indicates a web server is refusing to respond to a request from a client. This error is usually caused by a server-side issue, such as a misconfigured firewall or a server that is overloaded with requests.

To fix this error, you should first check the server logs to identify the source of the problem. If the issue is related to a misconfigured firewall, you should adjust the firewall settings to allow the request to pass through. If the server is overloaded, you should consider scaling up the server resources or adding additional servers to handle the load. Additionally, you should check for any software or hardware issues that may be causing the server to become unresponsive.

Introduction

The error message “Error 521: Web server is down” indicates an issue with the server. That is Cloudflare’s error message when the origin server does not respond to Cloudflare’s request.

This guide explains common causes and provides methods to troubleshoot and resolve error 521.

how to fix cloudflare error 521: web server is down

Prerequisites:

  • Access to the Cloudflare account associated with the domain affected by the error.
  • Origin web server access.

What Is Error 521?

When a user wants to visit a website that uses Cloudflare’s content delivery network (CDN), the following happens:

  1. The web browser attempts to connect to Cloudflare, and
  2. Cloudflare tries to connect to the origin web server to display the content.

Error 521 occurs when Cloudflare is unable to connect to the website’s origin server.

Cloudflare Error 521 Web server is down

What Causes Error 521?

The following issues cause Error 521: Web server is down:

  • Origin web server is offline. The server is either offline or there is an issue with Apache or Nginx.
  • Blocked/blacklisted Cloudflare IP addresses. All connection requests come via Cloudflare’s IPs. The origin server might have a server-side security configuration that blocks an IP address if it sends too many requests.
  • Configuration issues with the origin web server. Servers must be specifically configured to work with a CDN. Error 521 might be due to a misconfigured server.
  • Dropped packets due to Apache modules for Slowloris Denial of Service prevention. Security modules for Apache may block requests coming from Cloudflare if not configured properly.

How to Troubleshoot and Fix Error 521

Follow the steps below to troubleshoot and resolve error 521.

1. Check the Origin Server

To troubleshoot Cloudflare’s error 521, first check whether the origin server is online. This can be done by checking the server’s HTTP status code. 

There are several ways to check the HTTP status of a website, outlined below. 

Check HTTP Status Using cURL

Open the command prompt as an administrator (or terminal if you are using Mac or Linux), and run the curl command: 

curl --silent --output /dev/null --write-out "%{http_code}" https://example.site 

The additional curl command options do the following:

  • --silent – Hides the progress bar (does not print the process of fetching the information).
  • --output – Prints an output.
  • /dev/null – Suppress printing the entire HTML body.
  • --write-out “%{http_code}” – Specifies the requested data/header to print the HTTP status code.

The output returns HTTP status code 200 if the server is up and running. A 5xx HTTP status code (for example, 500 – internal server error) indicates an issue with the origin server. 

how to use the curl command to check a server's http status

Check HTTP Status via Online HTTP Header Checker 

Open any online HTTP header checker and paste the website’s URL or IP address into the designated field. 

The result will be similar to the following image. The HTTP 200 status code indicates the server is up and running.

how to check http status code using aonline http header checker

Review Origin Server Error Logs 

If the output returns an 5xx HTTP status code (server-side errors), review the server’s error log to try and identify the root cause of the issue.

Server error logs can be accessed:

  • Using a graphical user interface (for servers managed with a server management application)
  • Via the terminal.

If you are using the terminal to access Apache server error logs, the following are the default locations for different Linux distributions:

  • FreeBSD – /var/log/httpd-error.log
  • Debian and Ubuntu – /var/log/apache2/error.log
  • RHEL, Red Hat, CentOS, and Fedora – /var/log/httpd/error_log

Nginx error logs on the most popular Linux distributions, such as Ubuntu, Debian and CentOS, are located in /var/log/nginx.

Note: The user accessing the log must have write access to the error log directory.

If web server error logs are inaccessible to you, contact your hosting provider. 

2. Whitelist Cloudflare IP Addresses and Ports

Cloudflare is the mediator between a private firewall and origin server. Every connection attempt made to a web page is processed by Cloudflare and directed to the origin server via a set of IP addresses and through specific network ports

For Cloudflare to work properly, it must be able to communicate with the origin server without any interference. Error 521 will occur if the connection between Cloudflare and the origin server is interfered by the following:

  • IP deny rules specified in .htaccess.
  • Firewall rules that restrict communication with Cloudflare.
  • Disabled ports through which Cloudflare communicates with the origin server.
  • Rate limiting and other types of of server-side restrictions.

These issues can be resolved by:

  • Checking .htaccess and firewall rules.
  • Whitelisting Cloudflare IPs.
  • Enabling the right ports.

Important: Some hosting providers whitelist Cloudflare IPs by default. Consult your hosting provider before troubleshooting.

Whitelist IP Addresses via .htaccess

To whitelist Cloudflare’s IP addresses in the .htaccess file, add all the addresses in the line starting with allow from all and separate individual IP addresses with spaces. 

how to whitelist ip addresses via .htaccess

Whitelist IP Addresses via Firewall

The process of whitelisting IP addresses will vary from one firewall to another. As an example, this guide focuses on updating iptables rules. For other popular firewalls, refer to our articles on How to Use firewalld on CentOS 7 and How to Set Up UFW on Ubuntu.

To allow incoming connections from Cloudflare’s IP addresses in iptables: 

  1. Open the Linux terminal.
  2. Connect to the server via SSH.
  3. Run the following command for every Cloudflare IP address (replace the example IP address with Cloudflare’s): 
sudo iptables -A INPUT -s 192.168.0.1 --dport 443 -j ACCEPT 

Note: You can pass multiple IP address after the -s option. Just make sure to use commas between each individual IP address.

This will add a new rule to the iptables rule chain that allows incoming connections to the specified IP address. The parameters used in the syntax are: 

  • -A – Adds rule to the rule chain.
  • INPUT – Specifies that the rule refers to all incoming connections.
  • -s – Specifies the source of traffic.
  • -j ACCEPT – Specifies what action should be taken with the data packets (accept).
  • --dport 443 – Specifies the destination port number of a protocol – where to direct the packets. Open port 443 for connections on encrypted networks.

Note: When Full (Strict) protection (SSL/TLS mode) is active, Cloudflare proxies all traffic to port 443 – the port used for secure connections over encrypted networks.

Optional parameters include:

  • -I – Specifies the network interface whose traffic the filter applies to.
  • -p – Specifies the network protocol filtering incoming traffic (TCP, UDP, SCTP, UDP-lite, ICMPv6, etc.) 

Note: The parameters must always be written in the following order: -A, -i, -p, -s, --dport, -j.

If whitelisting Cloudflare’s IP addresses does not fix error 521, contact your hosting provider to check whether the issue is on their side. 

3. Confirm That an SSL Certificate Is Installed

If Cloudflare IPs are whitelisted and access to port 443 is enabled, but error 521 persists, the issue may lie in your website’s security certificate. 

Cloudflare requires a valid security certificate – the Cloudflare Origin Certificate or a certificate from any publicly trusted authority. A missing (or expired) SSL certificate will cause error 521 or 526 to appear. 

Whether you have an SSL certificate or want to create one using Cloudflare, you will have to go through the process of creating an Origin CA security certificate:

  1. Log in to Cloudflare.
  2. Choose the domain you want to install the certificate on.
  3. Navigate to SSL/TLS > Origin Server.
  4. Click Create Certificate.
  5. Choose whether you want to:
    1. Generate a Cloudflare certificate (Generate private key and CSR with Cloudflare)
    2. Use an existing third-party certificate (Use my private key and CSR)
  6. Specify the hostnames the certificate should apply to (root zone and first-level wildcard hostname are included by default)
  7. Specify the expiration date of the certificate
  8. Click Next
  9. Choose the key format:
    1. PEM, DER – for servers using OpenSSL (Apache and NGINX)
    2. PKCS#7 (.p7b) – for servers using Windows and Apache Tomcat
  10. Save the origin certificate and private key into separate files 
  11. Click OK

You now have an Origin CA security certificate that must be added to the origin server. To do this:

  1. Upload the certificate to your origin web server
  2. Update your web server configuration
  3. Enable SSL and port 443

Some origin web servers will also require a Cloudflare Origin CA root certificate to be uploaded. The RSA and EEC version of the certificate can be found in Cloudflare’s documentation.

Note: According to Cloudflare, the EEC version should not be used with Apache cPanel.

4. Check mod_security

If the mod_security Apache module acts as the origin server’s firewall, its core rules could be blocking Cloudflare requests, causing error 521 to appear. 

If you are using mod_security, ensure that the latest version is being used and that none of the rules are blocking Cloudflare’s IP addresses. 

5. Disable mod_antiloris and mod_reqtimeout

mod_antiloris and mod_reqtimeout are Apache HTTP server modules designed to prevent Slowloris Denial-of-Service (DoS) attacks by limiting the number of connections from unique IP addresses within a specified time frame. 

Cloudflare is a reverse proxy, meaning it processes requests and directs them to the origin server. This is completed over a limited range of IP addresses. With mod_antiloris and mod_reqtimeout set up, once a Cloudflare IP address exceeds the connection limit, every following connection attempt from that address results in dropped packets. 

To resolve the issue, disable and unload the modules so Cloudflare can work uninterrupted. 

6. Check Railgun Configuration

Railgun is a WAN optimization protocol developed by Cloudflare to increase connection speed.  

Improper Railgun configuration causes the error 521 to appear, accompanied by the “railgun.wan_error connection failed” error message. 

To resolve the issue, disable Railgun so the website can be accessed and review the configuration. If you require assistance, reach out to Cloudflare Support. 

7. Contact Cloudflare Support 

If the troubleshooting methods did not help to locate the issue, contact Cloudflare Support. A representative will guide you through gathering the required information and further troubleshooting. 

Conclusion

You now know what causes the “Error 521: Web server is down” error message and how to troubleshoot and fix it.

Use the information provided in this guide to fix error 521 and prevent it from happening in the future.

Error 521 is only one of numerous error messages that can appear when visiting a website that uses Cloudflare’s CDN. Another common error code is 520: Web Server is Returning an Unknown Error. Check out our guide that explains what error 520 means and how to fix it.

Error 521: What Causes It and How to Fix It

Error 521 is an HTTP status code that indicates a connection problem between the web server and the origin server. It is usually caused by a server-side issue, such as a misconfigured firewall or a server that is down. In some cases, it can also be caused by a client-side issue, such as a slow internet connection or a browser that is not compatible with the website.

What Causes Error 521?

Error 521 is typically caused by a server-side issue. This could be due to a misconfigured firewall, a server that is down, or a problem with the origin server. It can also be caused by a client-side issue, such as a slow internet connection or a browser that is not compatible with the website.

How to Fix Error 521

If you are experiencing Error 521, the first step is to check the server-side issue. Make sure that the firewall is properly configured and that the server is up and running. If the issue is on the client-side, try using a different browser or a faster internet connection.

If the issue persists, contact your web hosting provider for assistance. They should be able to help you troubleshoot the issue and get your website back up and running.

Jaspreet Singh Ghuman

Jaspreet Singh Ghuman

Jassweb.com/

Passionate Professional Blogger, Freelancer, WordPress Enthusiast, Digital Marketer, Web Developer, Server Operator, Networking Expert. Empowering online presence with diverse skills.

jassweb logo

Jassweb always keeps its services up-to-date with the latest trends in the market, providing its customers all over the world with high-end and easily extensible internet, intranet, and extranet products.

Contact
San Vito Al Tagliamento 33078
Pordenone Italy
Item added to cart.
0 items - 0.00
Open chat
Scan the code
Hello 👋
Can we help you?