
Error 521 is a Cloudflare-specific error that means Cloudflare successfully reached your server at the network level, but your web server refused the connection.
Cloudflare's infrastructure is fine. Your domain's DNS is working. But the actual web server software on your machine — Nginx, Apache, or whatever you're running — isn't accepting the connection Cloudflare is trying to make.
The most common cause by far is that the web server isn't running: your Nginx or Apache process has stopped, whether from a crash, a failed restart, or a manual stop.
Check immediately:
sudo systemctl status nginx
sudo systemctl status apache2
If it's stopped or failed, start it:
sudo systemctl start nginx
sudo systemctl start apache2
Then check error logs to understand why it stopped:
sudo journalctl -u nginx --since "1 hour ago"
sudo tail -f /var/log/nginx/error.log
Cloudflare routes traffic through its own network before it reaches your server. Your server sees connections coming from Cloudflare's IP ranges, not from the original visitor's IP.
If your server firewall has rules that block unknown IPs or only allow specific IPs, it may be blocking Cloudflare entirely.
Fix: Allow all of Cloudflare's published IP ranges in your firewall. Both the IPv4 and IPv6 ranges need to be permitted on ports 80 and 443.
# Example with UFW — repeat for each Cloudflare IP range
sudo ufw allow from 103.21.244.0/22 to any port 80
sudo ufw allow from 103.21.244.0/22 to any port 443
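The UFW commands above cover a single range. As an added example (not from the original article), this POSIX shell function prints the allow rules for every range in a list, so the full set can be reviewed before it is applied. The function names and the sample list are assumptions; feed it the ranges from Cloudflare's published list.

```shell
#!/bin/sh
# Added example: print UFW rules that let only the listed CIDR ranges
# reach ports 80 and 443. Nothing is applied; the output is for review.

# Constructed sample input. 103.21.244.0/22 is the range shown in the article;
# 2001:db8::/32 is a documentation prefix standing in for an IPv6 range.
sample_ranges() {
    cat <<'EOF'
# one CIDR per line
103.21.244.0/22
2001:db8::/32
103.21.244.0/33   # malformed: prefix length out of range
EOF
}

# Shape check only (octet values are not range-checked): IPv4 or IPv6 CIDR.
is_cidr() {
    printf '%s\n' "$1" | grep -Eq \
        -e '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$' \
        -e '^[0-9A-Fa-f]*:[0-9A-Fa-f:]*/([0-9]|[1-9][0-9]|1[01][0-9]|12[0-8])$'
}

# Read CIDRs on stdin and print one "ufw allow" command per range and port.
# Returns 1 if any line was rejected, so a caller can refuse to apply the set.
gen_cf_ufw_rules() {
    gen_status=0
    while IFS= read -r gen_line || [ -n "$gen_line" ]; do
        # Drop comments and all whitespace, then skip empty lines.
        gen_range=$(printf '%s' "$gen_line" | sed 's/#.*//' | tr -d '[:space:]')
        [ -n "$gen_range" ] || continue
        if is_cidr "$gen_range"; then
            for gen_port in 80 443; do
                # proto tcp narrows the rule to TCP instead of TCP and UDP.
                printf 'ufw allow proto tcp from %s to any port %s\n' "$gen_range" "$gen_port"
            done
        else
            printf 'skipped malformed range: %s\n' "$gen_range" >&2
            gen_status=1
        fi
    done
    return "$gen_status"
}

# Demo on the constructed sample: four rules on stdout, one rejection on stderr.
sample_ranges | gen_cf_ufw_rules || echo 'fix the skipped lines before applying' >&2
```

Once the printed rules look right, run them with sudo; a non-zero exit status means at least one line in the list was rejected and no rule was generated for it.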
If your web server is configured to only accept connections on 127.0.0.1 (localhost) rather than on your public IP or 0.0.0.0, it won't accept connections from Cloudflare.
Check your server config:
# In Nginx — this only listens locally
listen 127.0.0.1:80;
# This listens on all interfaces
listen 80;
Change it to listen on all interfaces or on your public IP specifically.
If your Cloudflare SSL mode is set to Full or Full (Strict), Cloudflare connects to your origin on port 443. If your server isn't set up to accept HTTPS connections, the connection will be refused.
Check your Cloudflare SSL/TLS settings and make sure your origin server has SSL configured correctly. Our SSL certificate guide walks through how to set one up.
If your server is completely maxed out on resources, it may not be able to accept new TCP connections at all — effectively refusing them. This shows up as a 521 even though the server process is technically running.
Check CPU, memory, and open connections:
top
free -h
ss -s
Cloudflare has several similar error codes that are easy to confuse:
A 521 specifically means the connection was actively refused — your server sent back a TCP RST. It's not a timeout or an unreachable server; it's a refusal.
systemctl status nginx
systemctl restart nginx
journalctl -u nginx, /var/log/nginx/error.log
A 521 error means your site is completely down for all visitors. Having uptime monitoring in place is essential — you want to know about this within a minute, not after a customer reports it.
Domain Monitor checks your website from multiple locations and sends instant alerts via email, SMS, or Slack when your site goes down. You can also monitor your Nginx or Apache server to catch problems at the infrastructure level before they cause a full outage.