Error Code 521 and How To Fix It

Key takeaways: 

• Error 521 happens when Cloudflare can’t connect to your origin web server, usually due to DNS, firewall, or server issues. 
• Fix Error 521 by checking your server, SSL/TLS settings, and allowing Cloudflare’s IPs through your firewall. 
• Regularly monitor and maintain your server to avoid future errors and keep your site running smoothly. 

When you visit a website and encounter an error like “Error 521: Web server is down,” it can be frustrating. You may spend hours trying to figure out why it happened and how to fix it. If you’re a business owner, this error can damage your rankings in search results pages, lead to dissatisfied customers, and even cause lost sales. 

This article will explain what Error 521 is, why it happens, and provide practical steps to resolve it. We’ll help you fix the issue and ensure your website stays online without unnecessary downtime. 

What is error 521?

Error Code 521, also known as “Web server is down”, happens when Cloudflare cannot establish a connection with your server. 

This usually happens when the original server (the actual server hosting your website) is either offline or actively refusing connections.  

What is Cloudflare and how does it work? 

Cloudflare works as a middleman between your website’s server and your visitors. It helps deliver content more efficiently by caching and serving data from multiple locations worldwide.  

It also provides security features like Distributed denial of service (DDoS) protection and blocks malicious traffic before it reaches your server. It helps handle incoming traffic, filter it, and forward it to your server.  

However, Cloudflare cannot do this effectively without a stable connection to your server. If there are issues with the server, it can’t function properly, and that’s why you get an issue like Error 521. 

What causes error 521? 

Error 521 can happen for a few different reasons. Below are the most common causes that you may run into: 

• Misconfigured DNS settings 
• Cloudflare IP addresses are blocked 
• SSL/TLS configuration issues 
• Cloudflare’s “Under Attack” mode 
• Network or connection problems 

Let’s explain each one in detail: 

Misconfigured DNS settings 

The domain name system (DNS) is responsible for directing web traffic to the correct server. If your DNS settings are incorrect, Cloudflare won’t be able to find your server, resulting in Error 521.  

Always ensure that your domain address records (A) and canonical name records (CNAME) point to the correct IP address of your origin server. If these are misconfigured, Cloudflare can’t reach your server. 

Cloudflare’s IP addresses are blocked 

If your original web server’s firewall is set up to block Cloudflare’s IP addresses, it won’t allow Cloudflare to connect. Firewalls or security software can mistakenly block trusted connections if they aren’t configured correctly.  

This happens when security rules are too strict and prevent Cloudflare’s IPs from accessing the server. When Cloudflare can’t reach the server, Error 521 appears. 

SSL/TLS configuration issues 

Secure sockets layer (SSL) and transport layer security (TLS) are protocols that encrypt the connection between your server and Cloudflare. If there’s a mismatch between the SSL/TLS settings on your server and Cloudflare, they won’t be able to establish a secure connection.  

This can happen if your server has expired SSL certificates, or if Cloudflare is set to use a different SSL mode than what’s configured on the server. If these settings are incompatible, Error 521 is triggered.  

Make sure both your server and Cloudflare’s settings match and are configured for secure communication. 

Cloudflare’s “under attack” mode 

Cloudflare’s “I’m Under Attack” mode is a feature designed to protect your website from DDoS attacks. It filters out suspicious traffic by presenting a JavaScript challenge for visitors before they can access the site.  

However, if not used properly, this feature can block legitimate traffic, including Cloudflare’s own requests to your server.  

When Cloudflare tries to connect to your server while in “Under Attack” mode, it might get blocked, resulting in Error 521. 

Network or connection problems 

Sometimes, the issue can be as simple as a temporary network problem or a server timeout. Cloudflare needs to establish a connection with your server, and if there’s a delay or the server is too busy to respond, Error 521 can occur.  

This could also be due to issues like high traffic volumes, insufficient server resources, or faulty network equipment. 

How to fix error code 521 

Troubleshooting error code 521 doesn’t need to be complicated; it just needs the right process. Here’s how you can fix it: 

1. Make sure your origin server is up and running. 
2. Check your SSL/TSL settings. 
3. Allow Cloudflare’s IP addresses through your firewall. 
4. Disable mod_reqtimeout and mod_antiloris. 
5. Review firewall and security tools. 
6. Restart your web server. 
7. Contact your hosting provider if all else fails. 

Step 1. Make sure your origin server is up and running 

Always ensure your origin server is online and responsive. Cloudflare can’t connect to your server if it’s down or not responding to requests. 

Here’s how to check your server’s status: 

• Ping your server. Use the command ping yourdomain.com in your terminal (Mac/Linux) or Command Prompt (Windows). If you receive a response, the server is online. 
• Check HTTP status using cURL. cURL stands for Client URL and is a tool used to check your server’s status. To do this, you can run curl -I yourdomain.com in the terminal. This command shows if your server is responding correctly, with codes like 200 OK for success or 521 for errors, helping you identify the issue. 
• Check order usage. Check your server’s rate limits or request handling settings. Too many incoming requests might be rejected, which triggers the 521 error. Reducing the number of simultaneous connections allowed or adjusting the request handling settings can help. 
• Check server status using external tools. You can also use services like Pingdom or GTMetrix to check if your server is reachable globally. If the server is down, contact your hosting provider immediately to get it back online. 

Step 2. Check your SSL/TLS settings 

If your SSL or TLS settings are not properly configured, Cloudflare won’t be able to establish a secure connection. Here’s how to check and fix your SSL/TLS settings: 

1. Verify SSL certificate. Check if your SSL certificate is valid, not expired, and properly installed. You can use SSL Labs to test if your SSL certificate is set up correctly. 

2. Choose the correct SSL mode on Cloudflare. 

• Flexible SSL. If your server doesn’t have an SSL certificate, this mode allows Cloudflare to connect via HTTP but still encrypts traffic between Cloudflare and the visitor. 
• Full SSL. If your server has an SSL certificate, choose this mode. It ensures Cloudflare connects using HTTPS, but the connection from Cloudflare to your server can still be over HTTP. 
• Full SSL (Strict). The most secure option. Cloudflare will only connect to your server using HTTPS and ensures complete encryption. This option requires both Cloudflare and your server to have valid SSL certificates. Make sure the Cloudflare origin certificate is installed on your server. 

3. Adjust settings as needed. After choosing the correct SSL mode, check if both your server and Cloudflare are configured for the same SSL/TLS version to prevent compatibility issues.  

Step 3. Allow Cloudflare’s IP addresses through your firewall 

Your server firewall may sometimes block Cloudflare’s connection, thinking it’s malicious traffic. To fix this, you need to whitelist Cloudflare’s IP addresses in your firewall settings. Here’s how you can whitelist Cloudflare IPs: 

1. Open the file manager.  
2. Select the folder related to the WordPress installation, this is usually www or public_html.  
3. In the .htaccess file, add Cloudflare IPs. For a single IP, add allow from before the address. It should look like this: 

For multiple IPs, add spaces between each IP address. 

You can also unblock Cloudflare IP addresses using the IP Blocker in your cPanel account. To use IP Blocker in cPanel, follow these steps: 

1. Log into your cPanel account.  
2. Find and select IP Blocker from the Security section.  
3. Enter Cloudflare’s IP ranges in the IP Address or Domain text box. Then, you’ll see the list of blocked IP addresses.  
4. Go to the appropriate IP address, and from the Actions column, click Delete.  
5. Click Remove IP. 

Step 4. Disable mod_reqtimeout and mod_antiloris 

Sometimes, mod_reqtimeout and mod_antiloris can interfere with Cloudflare’s ability to connect to your server. These modules block and slow HTTP requests and prevent certain types of attacks, but they can also mistakenly flag legitimate traffic from Cloudflare as malicious.  

If you suspect these modules are causing the issue, consider temporarily disabling them. Disabling mod_reqtimeout and mod_antiloris will prevent your server from blocking Cloudflare’s requests, which might resolve the error.  

Step 5. Review firewall and security tools 

Some security tools or additional firewall settings may block Cloudflare’s attempts to connect to your server. This can happen if Cloudflare’s IP addresses are mistakenly flagged as suspicious. 

How to resolve this: 

1. Review your firewall. Make sure that your server’s firewall is configured to allow Cloudflare’s IP addresses. If you’re using cPanel, you can manually add Cloudflare’s IPs to the whitelist. 
2. Check additional security plugins. If you use plugins like mod_security (for Apache) or other server-side security measures, ensure they aren’t mistakenly blocking legitimate Cloudflare traffic. 
3. Adjust security rules. If your server is using advanced security settings or services, temporarily disable them to check if they are the cause of the block. Once identified, adjust the settings to allow Cloudflare. 

Step 6. Restart your web server 

Sometimes, Error 521 can be caused by temporary issues on your server that a simple restart can fix. This will clear up any caching problems, connection timeouts, or other minor glitches. Here’s how to restart your server: 

• Use cPanel. If your hosting provider offers cPanel, you can restart your server from the Server Reboot option. 
• Use SSH. If you have Secure Shell (SSH) access, run the command sudo reboot to restart your server. 
• Confirm server status. After restarting, confirm that your server is back online and that Error 521 is resolved. 

Step 7. Contact your hosting provider if all else fails 

If none of the previous steps resolved the error, reach out to your hosting provider. They have more access to your server and can check for issues that may be outside of your control. 

Let them know you’ve gone through troubleshooting steps like checking DNS, whitelisting Cloudflare IPs, and verifying SSL settings. 

Your hosting provider can check for server-side issues like network configuration, server overload, or issues with the web server software. 

Fix Error 521 fast and keep your site online 

Error 521 can be frustrating, especially when it leads to downtime and disrupts your site’s performance. But the good news is that it can be fixed. Always check if your server is online, review SSL/TLS settings, and allow Cloudflare’s IP addresses through your firewall. But remember, regularly monitoring your server and performing maintenance will help prevent future errors and keep your website running smoothly. 

If you’re looking to enhance your website, security, and server performance, explore what Network Solutions can do for you. We’re here to guide you through every step of your business’ success! 

Frequently asked questions