5xx codes are responses indicating that an error occurred on the server’s side, or that the server could not fulfil the request, whether that server is a proxy or the origin host. The server was able to identify the error and thus will not return the potentially malformed response to the client.
- Can be used as a response to any request method
- Origin server should include an explanation, which should be displayed by the User-Agent, with the exception of a
- 500 Internal Server Error
- 501 Not Implemented
- 502 Bad Gateway
- 503 Service Unavailable
- 504 Gateway Timeout
- 505 HTTP Version Not Supported
- 520 Unknown Error
- 521 Web Server is down
- 522 Connection Timed Out
- 523 Origin is Unreachable
- 524 A timeout occurred
- 525 SSL handshake failed
- 526 Invalid SSL certificate
- 527 Railgun Listener to Origin Error
- 530 Origin DNS Error
500 Internal Server Error (RFC7231)
Origin server has encountered an unexpected condition and was unable to fulfil the request. This is a blanket error message for any internal errors that prevented the origin from fulfilling the request and were not caught at the origin.
In the very rare event that an exception is thrown at Cloudflare’s edge or an internal DNS timeout occurs, Cloudflare will return a 500 with the page stating "cloudflare". If you don't see this, the issue is occurring at the origin server and you'll want to work with your hosting provider on the issue.
501 Not Implemented (RFC7231)
Origin server either does not recognize the request method, or it lacks the ability to fulfil the request. Usually, this implies future availability (e.g., an upcoming feature or web-service API).
- Cacheable by default (i.e., unless otherwise indicated by the method definition or explicit cache controls)
502 Bad Gateway (RFC7231)
Back-end servers are not communicating correctly. Three reasons this can occur:
- Origin server is not configured to handle the requested domain name at the targeted IP address. This may be caused by changing DNS records; keep in mind that the DNS TTL determines how long a record is valid in the DNS cache.
- The server at the origin is overloaded or unreachable at the time the request was made. This could be due to the server crashing, traffic spikes, or lack of connectivity to the server.
- An application or service used at your origin is either timing out or being blocked.
If the error includes Cloudflare branding, this is coming directly from the origin server:
In the unlikely case that you see a 502 error without the branding shown above but with “cloudflare” (see figure below), please file a support ticket immediately and include the output of your site’s CDN trace (go to yoursite.com/cdn-cgi/trace and copy/paste the contents). This means there are potential issues at the Cloudflare colo.
503 Service Unavailable (RFC7231)
Server is overloaded or having maintenance issues and unable to handle the request at this time.
- A Retry-After header may be included by the server to specify an appropriate time for the client to retry the request
Note that not all web servers will serve this response; some will simply refuse or drop the connection. If a drop happens in communication from the origin to Cloudflare, this will generate a 522 response.
Cloudflare will serve a 503 under the following circumstances:
- A 503 is returned from your origin
- I’m Under Attack mode is enabled
- Always Online feature was triggered
For more Cloudflare relevant information see: Why am I getting a 503 Error?
504 Gateway Timeout (RFC7231)
Issue while connecting to an upstream server on the backend. A gateway or proxy is trying to reach the origin server and while waiting for a response, the connection timed out.
505 HTTP Version Not Supported (RFC7231)
Server cannot or does not wish to support the HTTP version requested by the client.
- Server should indicate why it will not support that version.
Cloudflare Specific Status Codes
In order to help website owners determine why a user’s request that was proxied through Cloudflare resulted in an error, Cloudflare implements custom HTTP status codes. The status codes add human-readable details about what is going on with the back end. Cloudflare generates the entire response and messaging when one of the error conditions is met. The behaviour of the origin server towards Cloudflare determines which of these status codes is used, but the response itself is not delivered from the origin server.
As a paying customer one can customize and brand these error pages. Having custom error pages allows providing a consistent experience for your users, even in the event of a page load error. Read more about Custom Error Pages.
520 Unknown Error from Web Server
A “catch-all” response for when the origin server returns something unexpected or something that is not tolerated/interpreted (protocol violation or empty response).
While 520 errors can be triggered by very unusual edge-case scenarios, they are generally caused by:
- Connection resets (following a successful TCP handshake)
- Headers exceed Cloudflare’s header size limit (over 8kb)
- Empty response from origin
- Invalid HTTP response
- HTTP response missing response headers
521 Web Server is down
Error response indicating the origin web server refused the connection from Cloudflare. This means we tried to connect to your origin on port 80 or 443 but received a 'connection refused' error from the origin. The origin server is actively refusing the request, so this is not a network error.
522 Connection Timed Out
Error in establishing a TCP connection between Cloudflare and the origin server.
When someone visits a Cloudflare-enabled website, a connection is established between Cloudflare and the website's origin server. To establish a connection, TCP uses a three-way handshake.
- SYN: Cloudflare sends three SYN packets to the origin server.
- SYN+ACK: In response, the origin server replies with a SYN+ACK.
- ACK: Finally, Cloudflare sends an ACK back to the origin server.
At this point, both Cloudflare and the origin server have received an acknowledgement of the connection and communication is established. If the origin server does not send a SYN+ACK back to Cloudflare within 15 seconds, a 522 error will occur and the connection is closed.
Here is a diagram illustrating a successful TCP handshake:
Here is an example where the SYN+ACK is not returned from the origin server within 15 seconds, triggering the 522 timeout:
523 Origin is Unreachable
An issue has occurred at the origin web server: it is unreachable.
524 A timeout occurred
Cloudflare was able to make a TCP connection to the origin, but the origin did not reply with an HTTP response before the connection timed out. Our edge will typically wait for an HTTP response from your server for 100 seconds.
If no response is sent by your server in that time, we close the connection and serve a 524 error page.
525 SSL handshake failed
Failure in the SSL handshake between Cloudflare and the origin server that hosts the domain. This means that Cloudflare is set to use Full SSL in the Cloudflare settings for the domain, so Cloudflare attempts to make a connection using SSL (for requests beginning in https://) to a server that hosts the domain.
526 Invalid SSL certificate
Cloudflare could not validate the SSL certificate on the origin web server, and the Cloudflare SSL configuration for the website is set to "Full SSL (Strict)".
More information at Error 526: Invalid SSL Certificate
527 Railgun Listener to Origin Error
The request timed out or failed after the WAN connection had been established. This could result from an interruption or anomaly upstream from the Railgun Sender in the path to the Listener at the site's origin.
The 527 error could also occur due to an issue within the host environment when the Railgun Listener is unable to complete or establish a connection to the origin server to receive a requested page:
530 Origin DNS Error
Cloudflare cannot resolve the A or CNAME record requested. Even though Cloudflare’s Anycast address is resolving correctly, the record that should be specified in the DNS tab of your Cloudflare dashboard cannot be found or is a CNAME record to an external domain that cannot be resolved.
- The error message shown in the browser will be a 1016 error, but the actual HTTP response code is 530
More information at Error 530: Origin DNS Error
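The conditions described above for 520, 521, 522, 523, 524 and 530 can be approximated by probing your own origin directly, bypassing the proxy. The following is an added example, not Cloudflare's code: the function names and the mapping from socket errors to status codes are assumptions for illustration, and only plain HTTP is probed, so the TLS codes 525 and 526 are not covered.

```python
import socket

# Thresholds as stated on the page; the mapping below is an assumption made
# for this example, not Cloudflare's own logic.
HEADER_LIMIT = 8 * 1024    # header size limit (520)
CONNECT_TIMEOUT = 15       # seconds to wait for SYN+ACK (522)
RESPONSE_TIMEOUT = 100     # seconds to wait for an HTTP response (524)

def classify_response(raw):
    """Return 520 if the origin's bytes match a 520 cause, else None."""
    if not raw:
        return 520                      # empty response from origin
    head, sep, _ = raw.partition(b"\r\n\r\n")
    if not sep or len(head) > HEADER_LIMIT:
        return 520                      # unterminated or oversized headers
    status_line, _, headers = head.partition(b"\r\n")
    parts = status_line.split(b" ", 2)
    if not status_line.startswith(b"HTTP/") or len(parts) < 2 or not parts[1].isdigit():
        return 520                      # invalid HTTP response
    if not headers.strip():
        return 520                      # response missing headers
    return None

def probe_origin(host, port=80, connect_timeout=CONNECT_TIMEOUT,
                 response_timeout=RESPONSE_TIMEOUT):
    """Probe the origin directly over plain HTTP; return the matching code or None."""
    try:
        sock = socket.create_connection((host, port), timeout=connect_timeout)
    except socket.gaierror:
        return 530                      # origin hostname does not resolve
    except ConnectionRefusedError:
        return 521                      # origin actively refused the connection
    except (socket.timeout, TimeoutError):
        return 522                      # TCP handshake did not complete in time
    except OSError:
        return 523                      # no route to the origin (assumed mapping)
    request = b"HEAD / HTTP/1.1\r\nHost: " + host.encode() + b"\r\nConnection: close\r\n\r\n"
    raw = b""
    with sock:
        sock.settimeout(response_timeout)
        try:
            sock.sendall(request)
            while b"\r\n\r\n" not in raw and len(raw) <= HEADER_LIMIT:
                chunk = sock.recv(4096)
                if not chunk:
                    break
                raw += chunk
        except (socket.timeout, TimeoutError):
            return 524                  # connected, but no HTTP response in time
        except ConnectionError:
            return 520                  # connection reset after the handshake
    return classify_response(raw)
```

A return value of `None` means the origin answered with a well-formed HTTP response, so an error seen through the proxy has to be explained by something other than the conditions checked here.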