Error 521 occurs because the origin web server refuses a connection from Cloudflare. More specifically, Cloudflare tried to connect to your origin server on port 80 or 443 but received a connection refused error.
The two most common causes of Error 521 are:
The web server is offline
The origin web server process (e.g., Apache or Nginx) might not be running or has crashed. In that case:
- Ensure your web server is running normally.
- Review the server's error logs to see what is causing the error.
If you're unable to perform these tasks, contact your host provider.
Cloudflare requests are blocked
The origin web server or hosting provider's network might be blocking Cloudflare's requests.
As a reverse proxy, Cloudflare connects to your server from a Cloudflare IP, and all subsequent traffic comes exclusively from a smaller set of Cloudflare IPs. As a result, certain server-side security solutions might mistake the increase in legitimate connections from this smaller set of IPs for an attack. This results in some Cloudflare IPs being blocked or rate-limited.
To resolve this issue, whitelist all Cloudflare IP ranges in your server's firewall or any other security software at the origin. See the list of Cloudflare IP ranges.
If you're unable to whitelist Cloudflare IPs, contact your host provider.
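One way to find origin firewall rules that block the proxy's addresses, as an added example (not Cloudflare's code): it scans `iptables-save` output for DROP or REJECT rules whose source overlaps a given range list, including blocks on a wider network that contains a proxy range. The ranges, chain names and rules are constructed placeholders from documentation address space; substitute the published Cloudflare IP ranges and your own `iptables-save` output.

```python
import ipaddress
import re

# Constructed stand-ins from documentation address space (assumption):
# replace with the ranges from Cloudflare's published IP list.
PLACEHOLDER_RANGES = ["198.51.100.0/24", "2001:db8:cf::/48"]

# Constructed sample in iptables-save format (not from a real server).
SAMPLE_RULES = """\
-A INPUT -s 198.51.100.17/32 -p tcp -m tcp --dport 443 -j DROP
-A INPUT -s 203.0.113.9/32 -j DROP
-A f2b-nginx -s 198.51.100.200/32 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -s 198.51.0.0/16 -p tcp -m multiport --dports 80,443 -j REJECT --reject-with tcp-reset
-A INPUT -s 198.51.100.0/24 -p tcp -m multiport --dports 80,443 -j ACCEPT
-A INPUT -s not-an-address -j DROP
"""

# Chain name, source (-s) and a blocking target (-j DROP / -j REJECT).
RULE_RE = re.compile(r"^-A\s+(\S+)\s.*?-s\s+(\S+).*?-j\s+(DROP|REJECT)\b")

def blocking_rules(rules_text, proxy_ranges):
    """Return (chain, source, action) for every DROP/REJECT rule whose
    source network overlaps one of proxy_ranges."""
    nets = [ipaddress.ip_network(r) for r in proxy_ranges]
    hits = []
    for line in rules_text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue  # ACCEPT rules, rules without -s, comments, etc.
        chain, source, action = m.groups()
        try:
            src = ipaddress.ip_network(source, strict=False)
        except ValueError:
            continue  # hostname or malformed source: cannot compare
        if any(src.version == n.version and src.overlaps(n) for n in nets):
            hits.append((chain, source, action))
    return hits

if __name__ == "__main__":
    for chain, source, action in blocking_rules(SAMPLE_RULES, PLACEHOLDER_RANGES):
        print(f"{action} rule in chain {chain} covers proxy range: {source}")
```

Rules in chains created by rate-limiting or ban tools (the `f2b-nginx` chain in the sample is a hypothetical name) are reported the same way as hand-written ones, so the chain name in each hit shows which component added the block.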
Troubleshoot Error 521
You can use third-party tools like cURL or Telnet to test the origin server's response.
Test with cURL
cURL allows you to simulate an HTTP request, so it is a good tool for checking that your origin server is working properly. You can run cURL via the Terminal command line tool on macOS or Linux.
Run a cURL command against your server IP using the A record or CNAME for your domain shown in the DNS app of the Cloudflare dashboard.
curl http://18.104.22.168 -v
If successful, you should see an HTTP 200 response along with the HTML of your website. A failed cURL request looks similar to this:
# curl 22.214.171.124
curl: (7) Failed to connect to 126.96.36.199 port 80: Connection refused
Test with Telnet
Windows users can test a connection using Telnet (via the Command Prompt).
Run a command similar to this:
telnet 188.8.131.52 80
An error, such as:
Unable to connect to remote host: Connection refused
means that your web server isn’t running or is blocking requests.
A refused connection error would look similar to this:
# telnet 184.108.40.206 80
Trying 220.127.116.11...
telnet: connect to address 18.104.22.168: Connection refused
telnet: Unable to connect to remote host