Generally, 5xx error codes indicate that an error or unresolvable request occurred on the server side, whether that is a proxy or the origin host. The server was able to detect the error and thus will not return the potentially malformed response to the client.
These error codes can be used as a response to any request method.
The origin server should include an explanation, which should be displayed by the user agent, with the exception of a HEAD request. The following errors are typically returned by the origin web server.
- 500 Internal Server Error
- 501 Not Implemented
- 502 Bad Gateway
- 503 Service Unavailable
- 504 Gateway Timeout
- 505 HTTP Version Not Supported
The Cloudflare-specific status codes include:
- 520 Unknown Error
- 521 Web server is down
- 522 Connection timed out
- 523 Origin is Unreachable
- 524 A Timeout Error
- 525 SSL handshake failed
- 526 Invalid SSL certificate
- 527 Railgun Listener to Origin Error
- 530 Origin DNS Error
500 Internal Server Error (RFC7231)
The origin web server has encountered an unexpected condition and was unable to fulfill the request. This is a blanket error message for any internal errors that prevented the origin web server from fulfilling the request and that were not caught at the origin.
In the rare event that an exception is thrown at the Cloudflare edge or an internal DNS timeout occurs, Cloudflare will return a 500 with the page stating "cloudflare". If you don't see this, the issue is occurring at the origin web server and you should work with your hosting provider to address the issue.
501 Not Implemented (RFC7231)
The origin web server either does not recognize the request method, or it is unable to fulfill the request. Usually, this implies future availability (e.g., an upcoming feature or web-service API).
This error is cacheable by default, unless otherwise indicated by the method definition or explicit cache controls.
502 Bad Gateway (RFC7231)
Back-end web servers are not communicating correctly. Three reasons why this can occur:
- The origin web server is not configured to handle the requested domain name at the targeted IP address. This may happen when DNS records change. Keep in mind that DNS TTL determines how long a record is valid in the DNS cache.
- The server at the origin is overloaded or unreachable at the time the request was made. This could be due to the server crashing, traffic spikes, or lack of connectivity to the server.
- An application or service used at your origin is either timing out or being blocked.
If the error includes Cloudflare branding, then it's coming directly from the origin server:
You are unlikely to see a 502 error without the branding shown above but with “cloudflare” (see image below). If you see the error version shown below, file a support ticket immediately and include the output of your site's CDN trace (go to yoursite.com/cdn-cgi/trace and copy and paste the contents). This version means there are potential issues at the local Cloudflare data center.
503 Service Unavailable (RFC7231)
The origin web server is overloaded or having maintenance issues and unable to handle the request at this time.
The Retry-After header may be included by the server to specify an appropriate time for the client to retry the request.
Note that not all web servers will serve this response. Some will simply refuse or drop the connection. If a drop in communication happens from the origin web server to Cloudflare, a 522 error response is generated.
Cloudflare will serve a 503 under the following circumstances:
- A 503 is returned from your origin web server.
- I’m Under Attack mode is enabled.
- The Always Online feature was triggered.
For more Cloudflare relevant information see: Why am I getting a 503 Error?
504 Gateway Timeout (RFC7231)
This error might appear while connecting to an upstream server on the backend. A gateway or proxy is trying to reach the origin web server and while waiting for a response, the connection timed out.
505 HTTP Version Not Supported (RFC7231)
The origin web server cannot or does not wish to support the HTTP version requested by the client.
The server should indicate why it would not support that version.
Cloudflare Specific Status Codes
In order to help website owners determine why a user’s request that was proxied through Cloudflare resulted in an error, Cloudflare implements custom HTTP status codes. The status codes add human-readable details to what is going on with the backend.
Cloudflare generates an entire response and messaging when one of the error conditions is met. The behavior of the origin web server toward a Cloudflare request is what determines which of these status codes will be used; however, the status code is not delivered from the origin web server.
Paying customers can customize and brand these error pages. Having custom error pages helps provide a consistent experience for your users, even in the event of a page load error. Read more about Custom Error Pages.
520 Unknown Error from Web Server
This is a catch-all response for when the origin web server returns something unexpected or something that is not tolerated/interpreted (protocol violation or empty response).
While the 520 error can be triggered by very unusual edge-case scenarios, it is generally caused by:
- Connection resets (following a successful TCP handshake)
- Headers exceed the Cloudflare header size limit (over 8kb)
- An empty response from origin
- An invalid HTTP response
- Missing response headers from an HTTP response
- Presence of multiple
521 Web Server is down
This error response indicates the origin web server refused the connection from Cloudflare. This means Cloudflare tried to connect to your origin web server on port 80 or 443 but received a connection refused error. The origin web server is actively refusing the request, so this is not a network error.
522 Connection Timed Out
This error response occurs while establishing a TCP connection between Cloudflare and the origin web server.
When someone visits a Cloudflare-enabled website, a connection is established between Cloudflare and the site's origin web server. To establish a connection, TCP uses a three-way handshake.
- SYN: Cloudflare sends three SYN packets to the origin server.
- SYN+ACK: In response, the origin server replies with a SYN+ACK.
- ACK: Finally, Cloudflare sends an ACK back to the origin server.
At this point, both Cloudflare and the origin server have received an acknowledgement that the connection and communication was established. If the origin web server does not send a SYN+ACK back to Cloudflare within 15 seconds, a 522 error will occur and the connection is closed.
The diagram below illustrates a successful TCP handshake:
523 Origin is Unreachable
Error 523 indicates that an issue with the origin web server has occurred and the site is unreachable.
524 A timeout occurred
Cloudflare was able to make a TCP connection to the origin, but the origin did not reply with an HTTP response before the connection timed out. The Cloudflare edge will typically wait for an HTTP response from your server for 100 seconds.
If no response is sent by your server in that time, we close the connection and serve a 524 error page.
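The connection-level distinctions drawn above for 520, 521, 522 and 524 can be checked from the origin's side by probing it directly. The following is an added example, not Cloudflare's code: the function name, the return format and the mapping of other connect errors to 523 are assumptions, while the 15-second, 100-second and 8 KB limits come from this page.

```python
import socket

# Limits as stated on this page; this is a sketch, not Cloudflare's edge logic.
CONNECT_TIMEOUT = 15.0    # seconds to wait for SYN+ACK (522)
RESPONSE_TIMEOUT = 100.0  # seconds to wait for an HTTP response (524)
HEADER_LIMIT = 8 * 1024   # header size limit named under 520

def classify_origin(host, port, path="/", connect_timeout=CONNECT_TIMEOUT,
                    response_timeout=RESPONSE_TIMEOUT):
    """Probe an origin directly; return (code, reason) a proxy would likely report."""
    try:
        sock = socket.create_connection((host, port), timeout=connect_timeout)
    except ConnectionRefusedError:
        return "521", "origin refused the TCP connection"
    except socket.timeout:
        return "522", "no SYN+ACK within the connect timeout"
    except socket.gaierror:
        return "530", "origin hostname did not resolve"
    except OSError as exc:
        return "523", f"origin unreachable: {exc}"  # assumption: other connect errors
    request = f"GET {path} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n"
    buf = b""
    with sock:
        sock.settimeout(response_timeout)
        try:
            sock.sendall(request.encode("ascii"))
            # Read until the end of the header block or just past the size limit.
            while b"\r\n\r\n" not in buf and len(buf) <= HEADER_LIMIT:
                chunk = sock.recv(4096)
                if not chunk:
                    break
                buf += chunk
        except socket.timeout:
            return "524", "TCP connected, no HTTP response before the timeout"
        except (ConnectionResetError, BrokenPipeError):
            return "520", "connection reset after a successful handshake"
    head, sep, _ = buf.partition(b"\r\n\r\n")
    if not buf:
        return "520", "empty response from origin"
    if not sep or len(head) > HEADER_LIMIT:
        return "520", "response headers missing, incomplete or over the size limit"
    parts = head.split(b"\r\n", 1)[0].split(b" ", 2)
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/") or not parts[1].isdigit():
        return "520", "invalid HTTP status line"
    return parts[1].decode("ascii"), "origin answered with its own status"
```

Run it against the origin's own IP address and port rather than the proxied hostname, so the result reflects the origin and not the edge.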
525 SSL handshake failed
This error indicates that the SSL handshake between Cloudflare and the origin server that hosts the domain failed. This means that Cloudflare is set to use Full SSL in the Cloudflare settings for the domain, so Cloudflare attempts to make a connection using SSL (for requests beginning in https://) to the web server that hosts the domain.
526 Invalid SSL certificate
This error happens when there's a problem validating the SSL certificate on the origin web server and the Cloudflare SSL configuration on the website is set to "Full SSL (Strict)".
More information at Error 526: Invalid SSL Certificate.
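The difference between 525 (the handshake itself fails) and 526 (the handshake works but the certificate does not validate) can be reproduced with two connection attempts against the origin. This is an added example, not Cloudflare's code; the function name is hypothetical, and it assumes the local system trust store as the validation policy, which may differ from the set of certificates Cloudflare accepts.

```python
import socket
import ssl

def classify_origin_tls(host, port=443, server_name=None, timeout=15.0):
    """Return (code, reason): "525", "526" or "ok" for an origin's TLS endpoint.

    TCP-level failures (refused, timed out) are not TLS problems and are
    left to propagate as OSError.
    """
    name = server_name or host

    # Pass 1: validation switched off, so only the handshake itself can fail.
    lax = ssl.create_default_context()
    lax.check_hostname = False
    lax.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with lax.wrap_socket(raw, server_hostname=name):
                pass
    except (ssl.SSLError, ConnectionResetError) as exc:
        return "525", f"TLS handshake failed: {exc}"

    # Pass 2: chain and hostname validation switched on (the strict case).
    strict = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with strict.wrap_socket(raw, server_hostname=name) as tls:
                return "ok", f"{tls.version()} negotiated, certificate validated"
    except ssl.SSLCertVerificationError as exc:
        return "526", f"certificate validation failed: {exc.verify_message}"
```

Pass the site's hostname as `server_name` when connecting to the origin by IP address, so that SNI and hostname validation use the name the certificate is expected to cover.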
527 Railgun Listener to Origin Error
The request timed out or failed after the WAN connection had been established. This could result from an interruption or anomaly upstream from the Railgun Sender in the path to the Listener at the site origin web server.
A 527 error could also occur due to an issue within the host environment when the Railgun Listener is unable to complete or establish a connection to the origin web server to receive a requested page.
530 Origin DNS Error
Cloudflare cannot resolve the A or CNAME DNS record requested. Even if Cloudflare’s Anycast address is resolving correctly, the record that should be specified in the DNS app of your Cloudflare dashboard cannot be found or is a CNAME record to an external domain that cannot be resolved.
The error message shown in the browser will display a 1016 error, but the actual HTTP response code is 530.
More information at Error 530: Origin DNS Error.