Cloudflare Error 521: What It Means and How to Fix It

Appears on: Sites using Cloudflare. Error 521 means Cloudflare's proxy successfully connected to your network but the origin web server actively refused the TCP connection — either the web server process is not running, or a firewall is blocking Cloudflare's IP ranges from reaching the origin.

What Cloudflare 521 actually means

When you visit a Cloudflare-proxied site, your browser connects to a Cloudflare edge node, which then opens a second connection to the origin server. 521 fires when that second connection gets a TCP RST (connection refused) — the origin's TCP stack rejected it. This is distinct from 522 (timeout, no response) and 523 (origin unreachable via DNS). The most common cause is the web server process not running; the second most common is a firewall blocking Cloudflare's IP ranges while allowing direct traffic.

Most likely causes (ranked)

  1. Web server process not running on the origin (Nginx/Apache crashed or stopped)
  2. Firewall blocking Cloudflare's IP ranges — only origin IP is allowed inbound
  3. Hosting panel firewall blocking port 80 or 443 on the origin
  4. Web server bound to localhost only (127.0.0.1) instead of all interfaces (0.0.0.0)
  5. SELinux or AppArmor policy preventing the web server from accepting connections

How to fix Cloudflare 521

Step 1: Verify the web server is running

SSH into your origin server and check the web server status:

systemctl status nginx
# or
systemctl status apache2

If stopped, start it: systemctl start nginx. Check /var/log/nginx/error.log for crash reasons.

Step 2: Whitelist Cloudflare IP ranges

Cloudflare publishes its current IP ranges at cloudflare.com/ips. Add all listed IPv4 and IPv6 ranges to your server firewall, allowing inbound TCP on ports 80 and 443. With UFW:

ufw allow from 103.21.244.0/22 to any port 80,443 proto tcp

Repeat for each Cloudflare CIDR block. UFW requires proto tcp (or udp) whenever more than one port is listed in a single rule; without it the command is rejected.
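Repeating the rule by hand for every published range is error-prone, so here is a small POSIX shell helper, added as an example and not part of the original guide, that turns a list of CIDR blocks into the UFW commands above. It assumes you supply the list yourself (in practice from https://www.cloudflare.com/ips-v4 and https://www.cloudflare.com/ips-v6); the IPv6 range in the demo is a sample value you should verify against Cloudflare's current list.

```shell
#!/bin/sh
# Added example: generate "ufw allow" rules for Cloudflare CIDR blocks.
# Not from the original page. Nothing here applies rules; it only prints them,
# so you can review the output before piping it into sh as root.

# Read CIDR blocks from stdin, one per line. Blank lines and '#' comments are
# skipped; lines that do not look like a CIDR (no '/') are reported on stderr
# and skipped, so a stray HTML error page cannot become a firewall rule.
# "proto tcp" is required by UFW when more than one port is given.
gen_ufw_rules() {
    while IFS= read -r cidr; do
        case "$cidr" in
            ''|'#'*) continue ;;
            */*) ;;
            *) printf 'skipping non-CIDR line: %s\n' "$cidr" >&2; continue ;;
        esac
        printf 'ufw allow from %s to any port 80,443 proto tcp comment "cloudflare"\n' "$cidr"
    done
}

# Count how many rules a list would produce; handy as a sanity check that the
# fetched list was complete (Cloudflare publishes a few dozen ranges in total).
count_rules() {
    gen_ufw_rules 2>/dev/null | wc -l | tr -d ' '
}

# Demo with constructed input: the IPv4 range from this guide, a comment, a
# blank line, a bogus line, and a sample IPv6 range (verify against cloudflare.com/ips).
demo_input() {
    printf '%s\n' '# cloudflare ranges (sample)' '103.21.244.0/22' '' \
        'not-a-range' '2400:cb00::/32'
}

if [ "${1:-}" = "--demo" ]; then
    demo_input | gen_ufw_rules
fi
# Real use, after reviewing the output:
#   curl -s https://www.cloudflare.com/ips-v4 https://www.cloudflare.com/ips-v6 \
#     | gen_ufw_rules | sudo sh
```

Pair this with `ufw default deny incoming` (keeping your SSH rule) so that ports 80 and 443 on the origin answer only to Cloudflare, which is both the fix for 521 and the configuration that stops visitors bypassing the proxy.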

Step 3: Check OS-level firewall rules

Run iptables -L INPUT -n --line-numbers or ufw status verbose. Ensure ports 80 and 443 have ACCEPT rules and that Cloudflare IPs are not being caught by a DROP or REJECT rule earlier in the chain (rules are evaluated top to bottom, so an early block wins over a later ACCEPT).

Step 4: Check hosting panel firewall

Many VPS hosts (DigitalOcean, Linode, Vultr) and shared hosts (cPanel, Plesk) have separate firewall controls in their dashboard. Verify ports 80 and 443 are open there in addition to the OS firewall.

Step 5: Test by pausing Cloudflare

In the Cloudflare dashboard → Overview → Pause Cloudflare on Site. Access the site via the origin IP. If it loads, the web server is functional and the issue is in the Cloudflare-to-origin path — confirm firewall rules allow Cloudflare IPs.

Frequently Asked Questions

What is the difference between 521 and 522?

521: the origin actively refused the connection — TCP RST received (web server down or firewall blocking). 522: the connection timed out — Cloudflare sent TCP SYN but the origin never responded (server unreachable or dropping packets silently). 521 is an explicit refusal; 522 is silence.

Can visitors fix Cloudflare 521?

No. 521 is entirely server-side — Cloudflare cannot reach the origin. Visitors can retry in case the error was brief, but the fix requires server-side action from the site operator.
