Introduction

The error message “Error 521: Web server is down” indicates an issue with the server. That is Cloudflare’s error message when the origin server does not respond to Cloudflare’s request.

This guide explains common causes and provides methods to troubleshoot and resolve error 521.

Prerequisites:

• Access to the Cloudflare account associated with the domain affected by the error.
• Origin web server access.

What Is Error 521?

When a user wants to visit a website that uses Cloudflare’s content delivery network (CDN), the following happens:

1. The web browser attempts to connect to Cloudflare, and
2. Cloudflare tries to connect to the origin web server to display the content.

Error 521 occurs when Cloudflare is unable to connect to the website’s origin server.

What Causes Error 521?

The following issues cause Error 521: Web server is down:

• Origin web server is offline. The server is either offline or there is an issue with Apache or Nginx.
• Blocked/blacklisted Cloudflare IP addresses. All connection requests come via Cloudflare’s IPs. The origin server might have a server-side security configuration that blocks an IP address if it sends too many requests.
• Configuration issues with the origin web server. Servers must be specifically configured to work with a CDN. Error 521 might be due to a misconfigured server.
• Dropped packets due to Apache modules for Slowloris Denial of Service prevention. Security modules for Apache may block requests coming from Cloudflare if not configured properly.

How to Troubleshoot and Fix Error 521

Follow the steps below to troubleshoot and resolve error 521.

1. Check the Origin Server

To troubleshoot Cloudflare’s error 521, first check whether the origin server is online. This can be done by checking the server’s HTTP status code. 

There are several ways to check the HTTP status of a website, outlined below. 

Check HTTP Status Using cURL

Open the command prompt as an administrator (or terminal if you are using Mac or Linux), and run the curl command: 

curl --silent --output /dev/null --write-out "%{http_code}" https://example.site 

The additional curl command options do the following:

• --silent – Hides the progress bar (does not print the process of fetching the information).
• --output – Prints an output.
• /dev/null – Suppress printing the entire HTML body.
• --write-out “%{http_code}” – Specifies the requested data/header to print the HTTP status code.

The output returns HTTP status code 200 if the server is up and running. A 5xx HTTP status code (for example, 500 – internal server error) indicates an issue with the origin server. 

Check HTTP Status via Online HTTP Header Checker 

Open any online HTTP header checker and paste the website’s URL or IP address into the designated field. 

The result will be similar to the following image. The HTTP 200 status code indicates the server is up and running.

Review Origin Server Error Logs 

If the output returns an 5xx HTTP status code (server-side errors), review the server’s error log to try and identify the root cause of the issue.

Server error logs can be accessed:

• Using a graphical user interface (for servers managed with a server management application)
• Via the terminal.

If you are using the terminal to access Apache server error logs, the following are the default locations for different Linux distributions:

• FreeBSD – /var/log/httpd-error.log
• Debian and Ubuntu – /var/log/apache2/error.log
• RHEL, Red Hat, CentOS, and Fedora – /var/log/httpd/error_log

Nginx error logs on the most popular Linux distributions, such as Ubuntu, Debian and CentOS, are located in /var/log/nginx.

If web server error logs are inaccessible to you, contact your hosting provider. 

2. Whitelist Cloudflare IP Addresses and Ports

Cloudflare is the mediator between a private firewall and origin server. Every connection attempt made to a web page is processed by Cloudflare and directed to the origin server via a set of IP addresses and through specific network ports. 

For Cloudflare to work properly, it must be able to communicate with the origin server without any interference. Error 521 will occur if the connection between Cloudflare and the origin server is interfered by the following:

• IP deny rules specified in .htaccess.
• Firewall rules that restrict communication with Cloudflare.
• Disabled ports through which Cloudflare communicates with the origin server.
• Rate limiting and other types of of server-side restrictions.

These issues can be resolved by:

• Checking .htaccess and firewall rules.
• Whitelisting Cloudflare IPs.
• Enabling the right ports.

Whitelist IP Addresses via .htaccess

To whitelist Cloudflare’s IP addresses in the .htaccess file, add all the addresses in the line starting with allow from all and separate individual IP addresses with spaces. 

Whitelist IP Addresses via Firewall

The process of whitelisting IP addresses will vary from one firewall to another. As an example, this guide focuses on updating iptables rules. For other popular firewalls, refer to our articles on How to Use firewalld on CentOS 7 and How to Set Up UFW on Ubuntu.

To allow incoming connections from Cloudflare’s IP addresses in iptables: 

1. Open the Linux terminal.
2. Connect to the server via SSH.
3. Run the following command for every Cloudflare IP address (replace the example IP address with Cloudflare’s): 

sudo iptables -A INPUT -s 192.168.0.1 --dport 443 -j ACCEPT 

This will add a new rule to the iptables rule chain that allows incoming connections to the specified IP address. The parameters used in the syntax are: 

• -A – Adds rule to the rule chain.
• INPUT – Specifies that the rule refers to all incoming connections.
• -s – Specifies the source of traffic.
• -j ACCEPT – Specifies what action should be taken with the data packets (accept).
• --dport 443 – Specifies the destination port number of a protocol – where to direct the packets. Open port 443 for connections on encrypted networks.

Optional parameters include:

• -I – Specifies the network interface whose traffic the filter applies to.
• -p – Specifies the network protocol filtering incoming traffic (TCP, UDP, SCTP, UDP-lite, ICMPv6, etc.) 

If whitelisting Cloudflare’s IP addresses does not fix error 521, contact your hosting provider to check whether the issue is on their side. 

3. Confirm That an SSL Certificate Is Installed

If Cloudflare IPs are whitelisted and access to port 443 is enabled, but error 521 persists, the issue may lie in your website’s security certificate. 

Cloudflare requires a valid security certificate – the Cloudflare Origin Certificate or a certificate from any publicly trusted authority. A missing (or expired) SSL certificate will cause error 521 or 526 to appear. 

Whether you have an SSL certificate or want to create one using Cloudflare, you will have to go through the process of creating an Origin CA security certificate:

1. Log in to Cloudflare.
2. Choose the domain you want to install the certificate on.
3. Navigate to SSL/TLS > Origin Server.
4. Click Create Certificate.
5. Choose whether you want to:
   1. Generate a Cloudflare certificate (Generate private key and CSR with Cloudflare)
   2. Use an existing third-party certificate (Use my private key and CSR)
6. Specify the hostnames the certificate should apply to (root zone and first-level wildcard hostname are included by default)
7. Specify the expiration date of the certificate
8. Click Next
9. Choose the key format:
   1. PEM, DER – for servers using OpenSSL (Apache and NGINX)
   2. PKCS#7 (.p7b) – for servers using Windows and Apache Tomcat
10. Save the origin certificate and private key into separate files 
11. Click OK

You now have an Origin CA security certificate that must be added to the origin server. To do this:

1. Upload the certificate to your origin web server
2. Update your web server configuration
3. Enable SSL and port 443

Some origin web servers will also require a Cloudflare Origin CA root certificate to be uploaded. The RSA and EEC version of the certificate can be found in Cloudflare’s documentation.

4. Check mod_security

If the mod_security Apache module acts as the origin server’s firewall, its core rules could be blocking Cloudflare requests, causing error 521 to appear. 

If you are using mod_security, ensure that the latest version is being used and that none of the rules are blocking Cloudflare’s IP addresses. 

5. Disable mod_antiloris and mod_reqtimeout

mod_antiloris and mod_reqtimeout are Apache HTTP server modules designed to prevent Slowloris Denial-of-Service (DoS) attacks by limiting the number of connections from unique IP addresses within a specified time frame. 

Cloudflare is a reverse proxy, meaning it processes requests and directs them to the origin server. This is completed over a limited range of IP addresses. With mod_antiloris and mod_reqtimeout set up, once a Cloudflare IP address exceeds the connection limit, every following connection attempt from that address results in dropped packets. 

To resolve the issue, disable and unload the modules so Cloudflare can work uninterrupted. 

6. Check Railgun Configuration

Railgun is a WAN optimization protocol developed by Cloudflare to increase connection speed.  

Improper Railgun configuration causes the error 521 to appear, accompanied by the “railgun.wan_error connection failed” error message. 

To resolve the issue, disable Railgun so the website can be accessed and review the configuration. If you require assistance, reach out to Cloudflare Support. 

7. Contact Cloudflare Support 

If the troubleshooting methods did not help to locate the issue, contact Cloudflare Support. A representative will guide you through gathering the required information and further troubleshooting. 

Conclusion

You now know what causes the “Error 521: Web server is down” error message and how to troubleshoot and fix it.

Use the information provided in this guide to fix error 521 and prevent it from happening in the future.

Error 521 is only one of numerous error messages that can appear when visiting a website that uses Cloudflare’s CDN. Another common error code is 520: Web Server is Returning an Unknown Error. Check out our guide that explains what error 520 means and how to fix it.