A 522 error means we were unable to reach the origin web server at all.
There are a few main causes of this:
- The origin server was too overloaded to respond.
- The origin web server has a firewall that is blocking our requests, or packets are being dropped within the host’s network.
- The origin web server is offline, or the IP address set for it in the DNS settings with us incorrect (i.e. the request from us was to sent to the wrong place).
- There is a network routing issue between us and the origin web server.
- The origin server has keepalives disabled.
In all these cases, it’s worth checking that the origin web server is active and accepting HTTP requests before going further here, and also that the DNS settings in your account with us are set correctly.
The origin server was too overloaded to respond
Ensure that the origin server isn’t overloaded. If it is, it could be dropping requests. Generally speaking, a good thing to check is the load average. On Linux/Unix, you can check that by running the command ‘w’ on the command line, or by checking using the ‘top’ command. What constitutes a high load based on the load value can differ depending on the computer and the software running on it, but generally speaking a load average of over 10-20 or so could mean that the server is overloaded. It’s best to check with your hosts or a system administrator about this if you are unsure.
The origin has a firewall (or rate-limiter) that is blocking our requests
This is the most common cause of intermittent 522 errors. Key things to check initially are-
- Make sure that you're not blocking CloudFlare IPs in .htaccess, iptables , or your firewall.
- Make sure your hosting provider isn't rate limiting or blocking IP requests from the CloudFlare IPs and ask them to whitelist the IP addresses mentioned at the address http://www.cloudflare.com/ips
When traffic flows through CloudFlare for a website, the origin will initially see the requests as coming from us. Most of the requests for the website through CloudFlare will appear to come from only a handful of our IP addresses. Because of that, this can often trigger firewalls and IP rate-limiters to block requests from us, thinking that the website is under attack. CPHulk (which comes with cPanel) and other services have been known to do this. Top stop that from happening, make sure that the IP addresses mentioned here have been whitelisted, or disable the rate-limiter altogether.
There is a network routing issue between CloudFlare and the origin web server
This is is more difficult to troubleshoot than the other causes, and it’s best to make sure that the other potential causes have been ruled-out before checking this. If you believe this is the case, please raise a support ticket with our support team. Useful information to provide with this would be-
- Information on what you have checked so far.
- An MTR or traceroute from your server to one of our IP addresses, preferably to one of the IP addresses you have seen requests from us in the past. You can find more information on how to run an MTR or Traceroute here.
The origin server has keepalives disabled
CloudFlare uses the Keep-Alive header to improve performance. Disabling it will cause connections from to fail and return 522s in some circumstances. This feature is enabled by default in current versions of most major web servers, so unless you've explicitly disabled it, this shouldn't be an issue.
What actually triggers a 522 error?
A 522 error response is returned when CloudFlare could not establish a TCP connection to the website’s origin server.
When someone visits a CloudFlare-enabled website, a connection is established between CloudFlare and the website's origin server. To establish a connection, TCP uses a three-way handshake.
- SYN: CloudFlare sends three SYN packets to the origin server.
- SYN+ACK: In response, the origin server replies with a SYN+ACK.
- ACK: Finally, CloudFlare sends an ACK back to the origin server.
At this point, both CloudFlare and the origin server have received an acknowledgement of the connection and communication is established. If the origin server does not send a SYN+ACK back to CloudFlare within 15 seconds, a 522 error will occur and the connection is closed.
Here is a diagram illustrating a successful TCP handshake:
Here is an example where the SYN+ACK is not returned from the origin server within 15 seconds, triggering the 522 timeout:
Another condition for the 522 timeout occurs when the origin responds with a SYN+ACK and established a TCP connection, but never responds to the request with an ACK within 90 seconds (A 524 condition ACKs the request, but waits too long to send the response). Here is an illustration detailing this scenario:
Checking for these conditions with your server administrator or hosting provider is the best way to resolve these errors. If there is a network problem, a traceroute or MTR from the site origin can be useful (linked to below).
If you continue to see 522 errors after ruling out the aforementioned possibilities and troubleshooting the issue, contact CloudFlare Support for further investigation.