
Cloudflare Error 520: Web Server Returned an Unknown Error

Cloudflare got a response from your origin that it couldn't make sense of — empty, malformed, or oversized.

What you see

Error 520
Web server is returning an unknown error
What happened? The origin web server returned an empty, unknown, or unexpected response to Cloudflare.

What’s actually happening

These errors tend to flap: a URL works, then returns a 520, then works again, often with no clean pattern. 520 is Cloudflare's catch-all for 'the origin replied with something that isn't a valid HTTP response.' Because it's a grab bag, two 520s on the same site can have completely different root causes. The cf-ray header on the error page is your handle for correlating with origin logs.

Common causes

  • The origin process crashed or was killed mid-response (segfault, OOM killer, restart) and closed the connection before sending headers.
  • Response headers exceed Cloudflare's limit (total header size over 32 KB, or a single header too large) — usually runaway Set-Cookie headers.
  • The origin returned a reply with no HTTP status line or an empty body where one was expected.
  • A TCP connection reset (RST) from the origin or an in-path device before the response completed.
  • Incorrect HTTP/2-to-origin configuration, or Authenticated Origin Pulls enabled without the origin presenting the expected client cert.

How to fix it

  1. Pull the origin error log at the cf-ray timestamp. Copy the Ray ID off the 520 page, note the time, and grep your origin logs around it: nginx `error.log`, Apache `error_log`, and the app log (PHP-FPM, Rails, Node). A 520 nearly always leaves a fingerprint at the origin — a crash, a worker exit, an 'upstream prematurely closed connection'.
  2. Check for oversized response headers. Inspect headers from the origin directly: `curl -sI --connect-to example.com:443:ORIGIN_IP:443 https://example.com`. Look for a pile of Set-Cookie lines or a giant header. Trim cookies, drop debug headers, and make sure no header line blows past Cloudflare's size cap.
  3. Watch for OOM kills and crashes. Check `dmesg -T | grep -i oom` and your service manager (`journalctl -u nginx`, `journalctl -u php-fpm`). If the kernel is killing your app under load, fix the memory ceiling or worker count — the 520 is a symptom of the process dying.
  4. Test with HTTP/2 to Origin disabled. In Cloudflare's Speed → Optimization settings, turn off 'HTTP/2 to Origin' and retest. A misconfigured HTTP/2 stack at the origin can produce responses Cloudflare reads as malformed.
  5. Isolate by going DNS-only briefly. Grey-cloud the record (DNS-only) and hit the origin directly. If the bad response reproduces without Cloudflare in the path, it's 100% an origin bug. If it only happens proxied, gather a HAR with and without Cloudflare plus the cf-ray and open a support ticket.
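
An added example for step 2 (not part of the original page): a Python script that measures a response header block, such as saved `curl -sI` output, against the 32 KB total cited above and also flags a missing status line. The 16 KB per-header threshold and all function names are assumptions, and the sample input is constructed.

```python
import sys

TOTAL_LIMIT = 32 * 1024       # total header cap quoted on this page
PER_HEADER_LIMIT = 16 * 1024  # ASSUMPTION: the page only says "too large"


def audit_headers(raw, total_limit=TOTAL_LIMIT, per_header_limit=PER_HEADER_LIMIT):
    """Measure the first response header block in `raw` (bytes)."""
    # Normalise line endings, then drop anything after the blank line.
    head = raw.replace(b"\r\n", b"\n").split(b"\n\n", 1)[0]
    lines = [ln for ln in head.split(b"\n") if ln]
    has_status = bool(lines) and lines[0].startswith(b"HTTP/")
    fields = lines[1:] if has_status else lines
    # (lower-cased name, bytes on the wire including the CRLF)
    sizes = [(ln.split(b":", 1)[0].strip().lower().decode("latin-1"), len(ln) + 2)
             for ln in fields]
    total = sum(n for _, n in sizes)
    largest = max(sizes, key=lambda s: s[1], default=("", 0))
    cookies = [n for name, n in sizes if name == "set-cookie"]
    problems = []
    if not has_status:
        problems.append("no HTTP status line")
    if total > total_limit:
        problems.append(f"headers total {total} B, over {total_limit} B")
    if largest[1] > per_header_limit:
        problems.append(f"header {largest[0]!r} is {largest[1]} B")
    return {"total_bytes": total, "largest": largest,
            "set_cookie_count": len(cookies), "set_cookie_bytes": sum(cookies),
            "problems": problems}


def constructed_sample(n_cookies, value_len):
    """Constructed header block: a status line plus n Set-Cookie lines."""
    cookies = b"".join(b"Set-Cookie: c%d=%s\r\n" % (i, b"x" * value_len)
                       for i in range(n_cookies))
    return b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n" + cookies + b"\r\n"


if __name__ == "__main__":
    # With piped input, audit it; otherwise audit the constructed sample.
    data = constructed_sample(40, 1000) if sys.stdin.isatty() else sys.stdin.buffer.read()
    report = audit_headers(data)
    print(report)
    sys.exit(1 if report["problems"] else 0)
```

Pipe the curl command from step 2 into the script to audit a live origin; a non-zero exit status means a limit was exceeded or the status line is missing.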

Stop it recurring

Cap and audit your Set-Cookie output, set sane memory limits with restart-on-failure for app workers, and alert on origin 5xx so a crashing process is caught before it becomes a flapping 520.
