
Cloudflare Error 521: Web Server Is Down

Cloudflare reached your origin IP but the TCP connection was refused, so every visitor gets a 521 instead of the site.

What you see

Error 521
Web server is down
The web server is not returning a connection. As a result, the web page is not displaying.

What’s actually happening

Every page on the domain returns the same Cloudflare-branded 521. The edge itself stays up, so the error page loads instantly, but nothing from your application gets through. Hit the origin IP directly, bypassing Cloudflare, and it usually fails to connect too. That confirms the break is at the server, not the proxy.

Common causes

  • The web server process (nginx, Apache, Caddy) crashed or was stopped, so nothing is listening on port 80/443.
  • A host firewall (ufw, firewalld, an AWS security group, raw iptables) is dropping or rejecting Cloudflare's IP ranges.
  • The origin binds only to 127.0.0.1 instead of the public interface, so outside connections get refused.
  • SSL mode mismatch: Cloudflare is set to Full or Full (strict) but the origin has no listener on 443.
  • The box ran out of memory or hit a process/connection ceiling and the OOM killer reaped the web server.

How to fix it

  1. Confirm the web server is actually running. SSH into the origin and run `systemctl status nginx` (or apache2/httpd). If it's dead, start it and read `journalctl -u nginx --since '10 min ago'` for the reason. Before any reload, run `nginx -t` to catch a config typo that's blocking startup.
  2. Check what's listening on the web ports. Run `ss -tlnp | grep -E ':80|:443'`. You want the server bound to 0.0.0.0 or the public IP, not just 127.0.0.1. If it's localhost-only, fix the `listen` directive and reload.
  3. Allow Cloudflare's IP ranges through the firewall. Pull the live list from cloudflare.com/ips and allow it. With ufw: `for ip in $(curl -s https://www.cloudflare.com/ips-v4); do ufw allow from $ip to any port 443 proto tcp; done`. Do the IPv6 list too. On AWS, edit the security group inbound rules.
  4. Match Cloudflare's SSL mode to the origin. In the dashboard under SSL/TLS: if the origin serves plain HTTP on port 80 only, use Flexible. For Full (strict), install a valid cert (a Cloudflare Origin CA cert is fine) and make sure something answers on 443.
  5. Test the origin directly, skipping the edge. From your laptop: `curl -v --resolve example.com:443:ORIGIN_IP https://example.com/`. Connection refused points at the server or firewall; a TLS handshake error points at the cert. One command separates origin from edge.
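The five steps above are one diagnostic procedure, and the parts that hinge on reading command output (step 2's listener check, step 3's firewall rules, step 5's origin test) can be scripted. The helper below is an added example, not Cloudflare's code or any project's: `classify_listeners`, `classify_curl` and `ufw_rules_for` are names chosen here, and every sample input in the block is constructed rather than captured from a real host. It assumes the column layout `ss -tlnp` prints on current Linux and the error wording curl uses.

```shell
#!/bin/sh
# Added example for the 521 checklist above (not Cloudflare's code).
# It classifies command output so the listener check, the firewall rule
# plan and the origin-vs-edge test can be scripted and repeated.
# All SAMPLE_* inputs below are constructed, not captured from a live host.

# classify_listeners: reads `ss -tlnp` output on stdin and prints one of
#   public    - port 80 or 443 is bound to 0.0.0.0, [::], * or a routable address
#   localhost - 80/443 are bound only to 127.0.0.1 / [::1]; outside connections are refused
#   none      - nothing listens on 80/443; the web server process is down
classify_listeners() {
  awk '
    $1 == "LISTEN" && match($4, /:[0-9]+$/) {
      port = substr($4, RSTART + 1)
      addr = substr($4, 1, RSTART - 1)
      if (port != "80" && port != "443") next
      if (addr == "127.0.0.1" || addr == "[::1]") loopback = 1
      else public = 1
    }
    END {
      if (public) print "public"
      else if (loopback) print "localhost"
      else print "none"
    }'
}

# classify_curl: takes the output of
#   curl -v --resolve example.com:443:ORIGIN_IP https://example.com/
# as its single argument and prints where the failure sits:
#   ok      - an HTTP status line came back, so the origin is reachable
#   refused - TCP refused: no listener on the port, or the firewall rejects the edge
#   timeout - packets dropped silently: almost always a firewall or security group
#   tls     - TCP worked but the handshake or certificate failed (SSL mode / cert)
classify_curl() {
  case "$1" in
    *"< HTTP/"*)             echo "ok" ;;
    *"Connection refused"*)  echo "refused" ;;
    *"timed out"*)           echo "timeout" ;;
    *"SSL"*|*"certificate"*) echo "tls" ;;
    *)                       echo "unknown" ;;
  esac
}

# ufw_rules_for: reads CIDR ranges, one per line (the format cloudflare.com/ips-v4
# serves), and prints the ufw commands for port 443 without running them, so the
# rule set can be reviewed before it is applied.
ufw_rules_for() {
  while IFS= read -r range; do
    [ -n "$range" ] || continue
    printf 'ufw allow from %s to any port 443 proto tcp\n' "$range"
  done
}

# Constructed `ss -tlnp` output: nginx bound to loopback only (step 2's failure case).
SAMPLE_SS_LOCALHOST='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      511    127.0.0.1:80      0.0.0.0:*     users:(("nginx",pid=1234,fd=6))
LISTEN 0      511    127.0.0.1:443     0.0.0.0:*     users:(("nginx",pid=1234,fd=7))
LISTEN 0      128    0.0.0.0:22        0.0.0.0:*     users:(("sshd",pid=800,fd=3))'

# Constructed: healthy origin, nginx on all interfaces (IPv4 on 80, IPv6 on 443).
SAMPLE_SS_PUBLIC='LISTEN 0 511 0.0.0.0:80 0.0.0.0:* users:(("nginx",pid=1234,fd=6))
LISTEN 0 511 [::]:443 [::]:* users:(("nginx",pid=1234,fd=7))'

# Constructed: the web server crashed and only sshd is left.
SAMPLE_SS_NONE='LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=800,fd=3))'

# Constructed curl -v transcripts for step 5 (203.0.113.10 is a documentation address).
SAMPLE_CURL_REFUSED='* Trying 203.0.113.10:443...
* connect to 203.0.113.10 port 443 failed: Connection refused
curl: (7) Failed to connect to example.com port 443: Connection refused'
SAMPLE_CURL_TLS='* Connected to example.com (203.0.113.10) port 443
curl: (60) SSL certificate problem: unable to get local issuer certificate'
SAMPLE_CURL_OK='* Connected to example.com (203.0.113.10) port 443
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
< HTTP/2 200'

# Stand-alone run: classify the live host when ss is available, then the samples.
if command -v ss >/dev/null 2>&1; then
  printf 'live listeners: %s\n' "$(ss -tlnp 2>/dev/null | classify_listeners)"
fi
printf 'sample (loopback only): %s\n' "$(printf '%s\n' "$SAMPLE_SS_LOCALHOST" | classify_listeners)"
printf 'sample (server down):   %s\n' "$(printf '%s\n' "$SAMPLE_SS_NONE" | classify_listeners)"
printf 'sample curl (refused):  %s\n' "$(classify_curl "$SAMPLE_CURL_REFUSED")"
printf 'sample curl (cert):     %s\n' "$(classify_curl "$SAMPLE_CURL_TLS")"
printf '%s\n' '203.0.113.0/24' '198.51.100.0/24' | ufw_rules_for
```

Run it on the origin to get a one-word verdict for the listener state; `localhost` means the `listen` directive is the problem, `none` means the process is gone, and a `refused` or `timeout` verdict from the curl transcript tells you whether the firewall is rejecting or silently dropping before you touch the SSL/TLS settings. Feed the real `curl -s https://www.cloudflare.com/ips-v4` output into `ufw_rules_for` to review the rule set before applying it.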

Stop it recurring

Point an uptime check at the origin IP directly, not through Cloudflare, so a dead listener pages you before the 521 does.
