When you visit a website using Cloudflare, you may receive an error 521. This error occurs because the origin web server refused the connection from CloudFlare.
A 521 error occurs because the origin web server refused the connection from Cloudflare. This means we tried to connect to your origin on port 80 or 443 but received a 'connection refused' error.
This commonly happens under two conditions:
- The origin web server process (e.g. Apache or Nginx) isn't running, or has crashed. You should check that your web server is running normally. You may also wish to check your server's error logs to see what caused this. If you are not sure how to do this, or don't have access to your logs, your host should be able to advise you.
- Something on the web server or hosting provider's network is blocking Cloudflare's requests. Since Cloudflare acts as a reverse proxy, all connections to your server come from a Cloudflare IP. Since the same amount of traffic now comes from a smaller number of IPs, server-side security solutions can mistake the increase in connections from this smaller set of IPs as an attack, when they are legitimate. This leads to some of our IPs being blocked or rate-limited.
It's a good idea to ensure that all of our IP ranges are whitelisted in your server's firewall or any security software that you might be running. Our IP ranges can be found here:
Advanced users: How to test against your server
You can test whether your origin is responding by using the ‘curl’ command (accessible via Terminal on Mac OSX or Linux). curl allows you to simulate a HTTP request, so is a good tool for checking that your origin server is working properly.
You should run a curl against your server IP (i.e. the A record or CNAME for your domain, as seen in the Cloudflare DNS page).
curl http://220.127.116.11 -v
If this is working, you should expect to see a “HTTP 200” response and the HTML of your website. A failed curl will look like this:
# curl 18.104.22.168
curl: (7) Failed to connect to 22.214.171.124 port 80: Connection refused
Windows users can also test to see if they are able to make a connection using telnet (via the Command Prompt). The command you’d run would look something like this:
telnet 126.96.36.199 80
You should change 188.8.131.52 to be the origin IP of your server. If you get an error, such as “Unable to connect to remote host: Connection refused” this means your web server isn’t running, or is blocking requests.
A failed telnet (with a refused connection) would look like this:
# telnet 184.108.40.206 80
telnet: connect to address 220.127.116.11: Connection refused
telnet: Unable to connect to remote host