Introduction

Cloudflare error 522 (Connection timed out) is returned when Cloudflare's edge cannot complete a TCP exchange with your origin in time. Two timers are involved: before a connection exists, the origin must answer Cloudflare's SYN with a SYN-ACK within 15 seconds; once the connection is established, the origin must acknowledge (ACK) Cloudflare's request within 90 seconds. This differs from error 521 (Web server is down), where the origin actively refuses the connection with a RST or the firewall rejects it: with a 522 the packets are silently dropped or the reply simply never arrives. If the origin does acknowledge the request but then takes longer than 100 seconds to send an HTTP response, Cloudflare reports 524 rather than 522. Typical causes of a 522 are an overloaded origin, resource exhaustion, and firewall rules that drop (rather than reject) Cloudflare's packets, either the initial SYN or the data that follows the handshake.

Symptoms

  • Browser displays Cloudflare's error page: Error 522, a Ray ID, and "Connection timed out"
  • Cloudflare dashboard (Analytics, or the origin-error filter) shows 522 responses for specific requests
  • Origin server is up and answers when requested directly, bypassing Cloudflare
  • Load average on the origin is extremely high during the period of 522 errors
  • Requests from Cloudflare's IP ranges reach the server, but responses are delayed or absent (the requests may also be missing from the origin access log, which points at the firewall or the accept queue rather than the application)

Common Causes

  • Origin server overwhelmed by traffic and unable to accept new connections (full accept queue)
  • Firewall silently dropping Cloudflare's SYN packets (no SYN-ACK within 15 seconds); a DROP rule gives a 522, whereas a REJECT rule gives a 521
  • Firewall accepting the TCP SYN but dropping subsequent packets (stateful inspection or connection-tracking table exhaustion), so the request is never acknowledged
  • Web server process pool exhausted (all workers busy), so accepted connections sit unserved
  • Database connection pool depleted, causing request queuing that backs up into the web server
  • DNS origin record (the unproxied A/AAAA record or the IP Cloudflare was given) pointing at a wrong or stale address
  • DDoS attack consuming all server resources

Step-by-Step Fix

  1. Verify the origin server is accessible directly, bypassing Cloudflare:
     ```bash
     # Resolve the origin IP from an unproxied DNS record (a proxied hostname
     # resolves to Cloudflare, not to your origin) or take it from your hosting panel
     dig origin.example.com A +short
     # Send the request straight to the origin with the real Host header and time it
     curl -sS -o /dev/null -w "%{http_code} connect=%{time_connect}s total=%{time_total}s\n" \
          -H "Host: www.example.com" http://<origin-ip>/
     # Same over HTTPS, which is what Cloudflare uses in Full / Full (strict) SSL mode
     curl -sS -o /dev/null -w "%{http_code}\n" \
          --resolve www.example.com:443:<origin-ip> https://www.example.com/
     # If this succeeds quickly, the origin is up and the problem lies between
     # Cloudflare and the origin (firewall, routing, or the listen queue)
     ```
  2. Check whether Cloudflare's IP ranges are being blocked by the firewall:
     ```bash
     # Get the current Cloudflare IP ranges (they change over time)
     curl -s https://www.cloudflare.com/ips-v4
     curl -s https://www.cloudflare.com/ips-v6
     # List INPUT rules for ports 80/443 and confirm those ranges hit an ACCEPT
     # before any DROP. A DROP produces a 522; a REJECT produces a 521.
     sudo iptables -L INPUT -n --line-numbers | grep -E "dpt:(80|443)"
     sudo ip6tables -L INPUT -n --line-numbers | grep -E "dpt:(80|443)"
     ```
  3. Check server resource utilization:
     ```bash
     top -bn1 | head -15
     free -m
     # Check the web server's state and whether all workers are busy
     sudo systemctl status nginx
     # For Apache (requires mod_status):
     apachectl status
     ```
  4. Check the connection queue and backlog:
     ```bash
     # Maximum SYN backlog (this is the limit, not the current occupancy)
     cat /proc/sys/net/ipv4/tcp_max_syn_backlog
     # Count all established TCP connections (not only those from Cloudflare)
     ss -tn | grep -c ESTAB
     # For LISTEN sockets, Recv-Q is the current accept-queue length and Send-Q is
     # its limit; Recv-Q at or near Send-Q means clients complete the handshake but
     # wait unaccepted, which is the 90-second 522 case
     ss -ltn | grep -E ":(80|443) "
     # Kernel counters for accept-queue overflows and dropped SYNs
     nstat -az TcpExtListenOverflows TcpExtListenDrops
     ```
  5. Restart the web server if it is stuck:
     ```bash
     sudo systemctl restart nginx
     # Or for Apache:
     sudo systemctl restart apache2
     ```
  6. Configure Cloudflare-specific firewall rules to ensure connectivity:
     ```bash
     # Allow the Cloudflare IPv4 ranges on 80/443 (repeat with ips-v6 and ip6tables for IPv6)
     for ip in $(curl -s https://www.cloudflare.com/ips-v4); do
       sudo iptables -I INPUT -p tcp -s "$ip" --dport 443 -j ACCEPT
       sudo iptables -I INPUT -p tcp -s "$ip" --dport 80 -j ACCEPT
     done
     # iptables-save only prints the ruleset; write it where your distribution
     # reloads it at boot (Debian/Ubuntu with iptables-persistent shown)
     sudo iptables-save | sudo tee /etc/iptables/rules.v4 >/dev/null
     ```
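The checks in steps 1 and 4 combined into one triage script, so the failure mode can be named from the origin host rather than inferred from the error page. This is an added example, not code from the original page and not anything Cloudflare ships: it assumes Python 3 on the origin, uses only the standard library, and stands in for a real origin with a constructed listener on 127.0.0.1 so it runs offline. `probe_origin()` does what Cloudflare's edge does (connect, send a request, wait for a byte) and classifies the outcome at the TCP level; `saturated_listeners()` parses `ss -ltn` output (a constructed sample is embedded) and flags listeners whose accept queue is full. The hostname www.example.com and the fake-origin helpers are assumptions for the demo.

```python
"""Origin-side triage for Cloudflare 522 (added example; standard library only).

probe_origin()        connects straight to the origin the way Cloudflare's edge does
                      and classifies the outcome at the TCP level
saturated_listeners() parses `ss -ltn` output and flags a full accept queue
"""
import socket
import threading
import time


def probe_origin(ip, port, host, connect_timeout=15.0, read_timeout=90.0):
    """Classify how the origin answers a direct TCP connect + HTTP request.

    Default timeouts mirror Cloudflare's 15 s SYN-ACK and 90 s ACK limits.
    Returns one of:
      "connect-timeout"  no SYN-ACK in time (firewall DROPs the SYN)          -> 522
      "refused"          RST on connect (nothing listening, firewall REJECT)  -> 521
      "no-response"      handshake succeeds but no byte comes back in time
                         (stateful firewall dropping data, hung workers)      -> 522
      "closed"           origin accepted, then closed without answering
      "ok"               an HTTP response started arriving
    """
    request = f"GET / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode()
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(connect_timeout)
        try:
            s.connect((ip, port))
        except socket.timeout:
            return "connect-timeout"
        except ConnectionRefusedError:
            return "refused"
        s.settimeout(read_timeout)
        s.sendall(request)
        try:
            data = s.recv(1)
        except socket.timeout:
            return "no-response"
        return "ok" if data else "closed"


def saturated_listeners(ss_output):
    """Return local addresses of LISTEN sockets whose accept queue is full.

    In `ss -ltn`, Recv-Q of a LISTEN socket is the current accept-queue length and
    Send-Q is its limit (the listen() backlog). Recv-Q reaching Send-Q means clients
    finish the handshake but wait unaccepted: the 90-second 522 case.
    """
    full = []
    for line in ss_output.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] != "LISTEN":
            continue
        recv_q, send_q, local = int(parts[1]), int(parts[2]), parts[3]
        if send_q > 0 and recv_q >= send_q:
            full.append(local)
    return full


# Constructed `ss -ltn` sample: port 443 has 511 of 511 connections queued, 80 is idle.
SAMPLE_SS = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port  Process
LISTEN  511     511     0.0.0.0:443         0.0.0.0:*
LISTEN  0       511     0.0.0.0:80          0.0.0.0:*
LISTEN  0       128     127.0.0.1:3306      0.0.0.0:*
"""


def start_fake_origin(behaviour):
    """Constructed stand-in for an origin on 127.0.0.1; returns its port.
    'hang'   accepts the connection and never answers (dropped data / hung worker)
    'answer' returns a minimal HTTP 200
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        with conn:
            if behaviour == "answer":
                conn.recv(1024)
                conn.sendall(b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n")
            else:
                time.sleep(3)  # longer than the read_timeout used in demo()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def free_port():
    """A port with nothing listening, so connect() gets a RST (the 521 case)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def demo():
    """Probe the fake origins with short timeouts and parse the ss sample."""
    return {
        "hung": probe_origin("127.0.0.1", start_fake_origin("hang"), "www.example.com", 2, 1),
        "healthy": probe_origin("127.0.0.1", start_fake_origin("answer"), "www.example.com", 2, 2),
        "refused": probe_origin("127.0.0.1", free_port(), "www.example.com", 2, 2),
        "full_accept_queue": saturated_listeners(SAMPLE_SS),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Against a real origin, call `probe_origin("<origin-ip>", 443, "www.example.com")` with the default timeouts (over TLS you would wrap the socket with `ssl` first; the plain-TCP classification is the part that matters for 522) and feed `saturated_listeners()` the output of `subprocess.run(["ss", "-ltn"], capture_output=True, text=True).stdout`. A "connect-timeout" result points at the firewall dropping SYNs (step 2 and step 6); "no-response" together with a saturated listener points at the web server's workers or backlog (steps 3 to 5).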

Prevention

  • Configure the firewall to accept HTTP/HTTPS only from Cloudflare's IP ranges, and refresh that allowlist from https://www.cloudflare.com/ips-v4 and /ips-v6 on a schedule, since the ranges change
  • Monitor server load, worker utilization and accept-queue depth, and alert before resources are exhausted rather than when 522s appear
  • Use Cloudflare's "I'm Under Attack Mode" during DDoS events so the challenge is served at the edge and the origin sees only passing traffic
  • Set web server worker/process limits and the listen backlog to match the server's real capacity, and keep HTTP keepalives enabled on the origin so Cloudflare can reuse connections
  • Use Cloudflare caching for static content to reduce the number of requests that reach the origin