
Cloudflare Error 521: Web Server Is Down

Error 521 is a Cloudflare-specific error that means Cloudflare successfully reached your server at the network level, but your web server refused the connection.

Cloudflare's infrastructure is fine. Your domain's DNS is working. But the actual web server software on your machine — Nginx, Apache, or whatever you're running — isn't accepting the connection Cloudflare is trying to make.

What Causes a 521 Error?

Web Server Has Crashed or Stopped

The most common cause by far. Your Nginx or Apache process has stopped running, either from a crash, a failed restart, or being manually stopped.

Check immediately:

sudo systemctl status nginx
sudo systemctl status apache2

If it's stopped or failed, start it:

sudo systemctl start nginx
sudo systemctl start apache2

Then check error logs to understand why it stopped:

sudo journalctl -u nginx --since "1 hour ago"
sudo tail -f /var/log/nginx/error.log

Firewall Blocking Cloudflare's IP Ranges

Cloudflare routes traffic through its own network before it reaches your server. Your server sees connections coming from Cloudflare's IP ranges, not from the original visitor's IP.

If your server firewall has rules that block unknown IPs or only allow specific IPs, it may be blocking Cloudflare entirely.

Fix: Allow all of Cloudflare's published IP ranges in your firewall. Both the IPv4 and IPv6 ranges need to be permitted on ports 80 and 443.

# Example with UFW — repeat for each Cloudflare IP range
sudo ufw allow from 103.21.244.0/22 to any port 80
sudo ufw allow from 103.21.244.0/22 to any port 443
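
The "repeat for each range" step, as an added example that is not part of the original article: a POSIX shell function that reads CIDR ranges on stdin, drops anything not shaped like a CIDR, and prints the UFW commands for review instead of running them. Only 103.21.244.0/22 comes from the article; the other sample lines are constructed from documentation ranges, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: build UFW allow rules for ports 80 and 443 from a CIDR list.
# Rules are printed for review, not executed.

# Constructed sample input. Only 103.21.244.0/22 appears in the article;
# the rest are documentation ranges plus one malformed entry.
sample_ranges() {
    cat <<'EOF'
# IPv4
103.21.244.0/22
198.51.100.0/24

# IPv6
2001:db8::/32
203.0.113.0/24; true
EOF
}

# cf_ufw_rules: read one CIDR per line on stdin, print ufw commands on stdout.
cf_ufw_rules() {
    v4='^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$'
    v6='^[0-9A-Fa-f:]*:[0-9A-Fa-f:]*/([0-9]|[1-9][0-9]|1[01][0-9]|12[0-8])$'
    while IFS= read -r line || [ -n "$line" ]; do
        # Drop comments and surrounding whitespace.
        cidr=$(printf '%s\n' "$line" |
            sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//')
        [ -n "$cidr" ] || continue
        # Shape check only: the list may come from the network and the
        # output is meant to be run as root, so nothing else gets through.
        if printf '%s\n' "$cidr" | grep -Eq -e "$v4" -e "$v6"; then
            for port in 80 443; do
                printf 'ufw allow from %s to any port %s\n' "$cidr" "$port"
            done
        else
            printf 'skipped, not a CIDR: %s\n' "$cidr" >&2
        fi
    done
}

sample_ranges | cf_ufw_rules
```

Feed it the current IPv4 and IPv6 lists that Cloudflare publishes in place of the sample, check the printed rules, then run them with sudo.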

Web Server Only Listening on Localhost

If your web server is configured to only accept connections on 127.0.0.1 (localhost) rather than on your public IP or 0.0.0.0, it won't accept connections from Cloudflare.

Check your server config:

# In Nginx — this only listens locally
listen 127.0.0.1:80;

# This listens on all interfaces
listen 80;

Change it to listen on all interfaces or on your public IP specifically.
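
To confirm what the running server is actually bound to, rather than what the config file says, this added example (not from the original article) classifies a port from `ss -ltn` output. The sample output is constructed, and `listen_scope` and its result labels are hypothetical names.

```shell
#!/bin/sh
# Added example: classify how a TCP port is bound, from `ss -ltn` output.

# Constructed sample of `ss -ltn` output (not captured from a real host).
sample_ss() {
    cat <<'EOF'
State   Recv-Q  Send-Q   Local Address:Port   Peer Address:Port
LISTEN  0       511          127.0.0.1:80          0.0.0.0:*
LISTEN  0       511            0.0.0.0:443         0.0.0.0:*
LISTEN  0       511               [::]:443            [::]:*
LISTEN  0       128              [::1]:8080           [::]:*
EOF
}

# listen_scope PORT: read `ss -ltn` output on stdin and print one of
#   not-listening  nothing bound to PORT, so connections get a TCP RST
#   loopback-only  bound to 127.0.0.0/8 or ::1 only
#   non-loopback   bound to a wildcard or other non-loopback address
listen_scope() {
    awk -v port="$1" '
        $1 == "LISTEN" {
            # Local address is field 4; the port follows the last colon.
            n = split($4, part, ":")
            if (part[n] != port) next
            addr = substr($4, 1, length($4) - length(part[n]) - 1)
            if (addr ~ /^127\./ || addr == "[::1]") loop++
            else pub++
        }
        END {
            if (pub) print "non-loopback"
            else if (loop) print "loopback-only"
            else print "not-listening"
        }'
}

for p in 80 443 8443; do
    printf 'port %s: %s\n' "$p" "$(sample_ss | listen_scope "$p")"
done
```

On the server itself, run `ss -ltn | listen_scope 443`; a `non-loopback` result only rules out the bind address, so the firewall still needs checking.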

SSL/TLS Configuration Mismatch

If your Cloudflare SSL mode is set to Full or Full (Strict), Cloudflare connects to your origin on port 443. If your server isn't set up to accept HTTPS connections, the connection will be refused.

Check your Cloudflare SSL/TLS settings and make sure your origin server has SSL configured correctly. Our SSL certificate guide walks through how to set one up.

Server Under Extreme Load

If your server is completely maxed out on resources, it may not be able to accept new TCP connections at all — effectively refusing them. This shows up as a 521 even though the server process is technically running.

Check CPU, memory, and open connections:

top
free -h
ss -s

How to Distinguish 521 From Other Cloudflare Errors

Cloudflare has several similar error codes that are easy to confuse:

  • 521: Web server refused the connection (server running but rejecting connections)
  • 522: Connection timed out (Cloudflare connected but got no response)
  • 523: Origin is unreachable (Cloudflare can't reach the server at all — often a routing/IP issue)
  • 524: Timeout occurred (Cloudflare connected but the response took too long)

A 521 specifically means the connection was actively refused: your server sent back a TCP RST. It's not a timeout or an unreachable server; it's a refusal.

Step-by-Step Fix for Error 521

  1. SSH into your server and check if Nginx/Apache is running (systemctl status nginx)
  2. Restart the web server if it's stopped (systemctl restart nginx)
  3. Check logs for why it stopped (journalctl -u nginx, /var/log/nginx/error.log)
  4. Check firewall rules and ensure Cloudflare IP ranges are allowed
  5. Verify your server is listening on the right interface (not just localhost)
  6. Check SSL config if your Cloudflare mode is Full or Full (Strict)
  7. Check server load — resource exhaustion can cause connection refusals

Monitoring to Prevent 521s

A 521 error means your site is completely down for all visitors. Having uptime monitoring in place is essential — you want to know about this within a minute, not after a customer reports it.

Domain Monitor checks your website from multiple locations and sends instant alerts via email, SMS, or Slack when your site goes down. You can also monitor your Nginx or Apache server to catch problems at the infrastructure level before they cause a full outage.
