521 Web Server Is Down

The HTTP 521 Web Server Is Down status code is an unofficial server error specific to Cloudflare. This error occurs when Cloudflare is unable to establish a TCP connection to the origin server.

Usage

Cloudflare is a content delivery network acting as a reverse proxy between clients and origin servers. The 521 error means the origin server actively refused the connection on port 80 (HTTP) or port 443 (HTTPS).

Common causes include:

  • The origin web server process has crashed or is not running.
  • A firewall on the origin server is blocking Cloudflare IP addresses.
  • The origin server's hosting provider is experiencing an outage.
  • The origin is configured to listen on a different port than expected.

Note

Allowlisting Cloudflare's published IP ranges on the origin firewall is a standard fix for this error.

SEO impact

Search engines treat Cloudflare 521 responses as server errors. Persistent 521 responses reduce crawl rate and prevent indexing of affected URLs. Restoring the origin server connection resolves crawling disruptions.

Unlike 522 Connection Timed Out, where the connection attempt hangs, a 521 indicates an immediate rejection (TCP RST or connection refused).

Example

A client requests a page through Cloudflare. The origin server refuses the connection, so Cloudflare returns a 521 error page.

Request

GET / HTTP/1.1
Host: www.example.re
Accept: text/html

Response

HTTP/1.1 521 Web Server Is Down
Date: Sun, 02 Mar 2026 10:20:00 GMT
Content-Type: text/html
Server: cloudflare
CF-RAY: 8a1b2c3d4e5f6-LAX

<html>
<head><title>521 Origin Down</title></head>
<body>
<h1>Error 521</h1>
<p>Web server is down</p>
</body>
</html>

How to fix

Confirm the origin web server process (Apache, Nginx, LiteSpeed) is running and accepting connections. Check with systemctl status nginx or the equivalent for the server in use. If the process crashed, review error logs for the root cause before restarting.

Allowlist all Cloudflare IP ranges in the origin firewall. Add every address from cloudflare.com/ips to iptables, security groups, or the hosting provider's firewall panel. Blocking Cloudflare IPs is the most common cause of 521 errors.

The required listening port depends on the Cloudflare SSL/TLS mode:

  • Flexible: port 80
  • Full or Full (Strict): port 443

Verify the origin web server binds to the correct port for the active SSL/TLS mode. Running ss -tlnp or netstat -tlnp on the origin shows active listeners.
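The port check above as a script, added here as an example and not taken from the original page. It reads `ss -tlnH` output and reports whether the port required by the SSL/TLS mode has a listener, going one step further than the text by flagging a listener bound only to loopback, which still refuses connections arriving from outside. The function name `check_origin_listener`, its result words, and the sample `ss` output are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original page). Reads `ss -tlnH` output on stdin
# and prints one of: ok | loopback-only | missing | unknown-mode.
# Function name and result words are assumptions of this example.

check_origin_listener() {
    # Map the Cloudflare SSL/TLS mode to the port the origin must listen on.
    case "$1" in
        flexible)    port=80 ;;
        full|strict) port=443 ;;
        *) echo "unknown-mode"; return 2 ;;
    esac
    awk -v want="$port" '
        $1 == "LISTEN" {
            # Field 4 is local address:port; IPv6 addresses contain extra
            # colons, so the port is whatever follows the last one.
            n = split($4, parts, ":")
            if (parts[n] != want) next
            addr = substr($4, 1, length($4) - length(parts[n]) - 1)
            if (addr ~ /^127\./ || addr == "[::1]") loopback = 1
            else external = 1      # bound to a non-loopback address
        }
        END {
            if (external)      print "ok"
            else if (loopback) print "loopback-only"
            else               print "missing"
        }'
}

# Constructed sample of `ss -tlnH` output: HTTP on all interfaces,
# TLS bound to loopback only, SSH on IPv6 wildcard.
SAMPLE_SS='LISTEN 0      511          0.0.0.0:80        0.0.0.0:*
LISTEN 0      511        127.0.0.1:443       0.0.0.0:*
LISTEN 0      128             [::]:22           [::]:*'

# On a live origin: ss -tlnH | check_origin_listener full
printf '%s\n' "$SAMPLE_SS" | check_origin_listener flexible   # -> ok
printf '%s\n' "$SAMPLE_SS" | check_origin_listener full       # -> loopback-only
```

A result of `ok` only confirms a non-loopback bind on the right port; the firewall allowlist is a separate check.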

If the SSL/TLS mode is Full or Full (Strict), the origin needs a valid SSL certificate. Install a free Cloudflare Origin CA certificate or a certificate from a public certificate authority. A missing or expired certificate on port 443 causes the connection to be refused.

Check whether the hosting provider rate-limits inbound connections. Some shared hosts throttle traffic from proxy networks. Request an exception for Cloudflare IP ranges if rate limiting is active.

Takeaway

The 521 Web Server Is Down status code is a Cloudflare-specific error indicating the origin server refused the TCP connection on the expected port.

Last updated: March 11, 2026