Introduction

A Cloudflare 521 error means Cloudflare could contact the origin IP address, but the web server refused the connection. Unlike a DNS error, this usually points to a stopped web service, a closed port, or a firewall policy rejecting the edge request.

Symptoms

  • Cloudflare displays 521 Web Server Is Down
  • The hostname resolves correctly but proxied traffic fails
  • The server may respond locally while refusing external requests
  • The issue started after a restart, deploy, or firewall change
  • Web server logs are quiet because the request never reaches the app layer

Common Causes

  • Nginx, Apache, or another web service is stopped or unhealthy
  • The service is bound to localhost instead of the public interface
  • A firewall blocks port 80 or 443 for Cloudflare requests
  • The origin IP changed and Cloudflare points to the wrong server
  • Connection limits or security software reject edge traffic as hostile

Step-by-Step Fix

  1. Confirm the origin IP in Cloudflare matches the current server handling the site.
  2. Check whether the web server process is running and listening on the expected interface and port.
  3. Test the origin locally and from an external network so you can see whether the refusal is global or edge-specific.
  4. Review firewall, security group, and host-based security rules for blocked Cloudflare IP ranges or closed ports.
  5. If the server recently restarted, inspect startup logs for bind failures, certificate errors, or misread configuration files.
  6. Verify reverse proxy and upstream services are healthy so the listener does not accept connections only to fail immediately.
  7. Correct the listener, reopen the required port, or restart the web service after fixing the underlying configuration problem.
  8. Re-test through Cloudflare and confirm the hostname now returns a normal HTTP response.
  9. Document the expected origin IP, listening ports, and firewall policy so future server changes stay aligned.
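Steps 2 and 3 can be scripted. This is an added example, not part of the original page: it classifies how a port is bound from `ss -H -ltn` output, separating a stopped service, a localhost-only bind, and a healthy listener that points to the firewall instead. It assumes a Linux origin with iproute2 `ss`; the function names and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify how a port is bound, from `ss -H -ltn` output on stdin.
# Function names and the sample below are constructed for illustration.

# Prints one of: not-listening | loopback-only | non-loopback
classify_listener() {
    awk -v port="$1" '
        $1 == "LISTEN" {
            addr = $4                              # Local Address:Port column
            n = split(addr, parts, ":")
            if (parts[n] != port) next             # exact match, so 80 != 8080
            host = substr(addr, 1, length(addr) - length(parts[n]) - 1)
            sub(/%.*$/, "", host)                  # drop scope suffix such as %lo
            if (host ~ /^127\./ || host == "[::1]" || host ~ /^\[::ffff:127\./) { loop = 1 }
            else { ext = 1 }
        }
        END {
            if (ext)       print "non-loopback"
            else if (loop) print "loopback-only"
            else           print "not-listening"
        }'
}

# Map each state to the matching step in the procedure above.
next_step() {
    case "$1" in
        not-listening) echo "service stopped or failed to bind: check startup logs" ;;
        loopback-only) echo "bound to localhost: fix the listen address, then restart" ;;
        non-loopback)  echo "listener is fine: review firewall and security group rules" ;;
    esac
}

# Constructed sample of `ss -H -ltn` output from an origin behind Cloudflare.
SAMPLE='LISTEN 0 511        0.0.0.0:80    0.0.0.0:*
LISTEN 0 511      127.0.0.1:443   0.0.0.0:*
LISTEN 0 4096 127.0.0.53%lo:53    0.0.0.0:*
LISTEN 0 128           [::]:22       [::]:*'

for port in 80 443 8443; do
    state=$(printf '%s\n' "$SAMPLE" | classify_listener "$port")
    printf 'port %s: %s -> %s\n' "$port" "$state" "$(next_step "$state")"
done
# On a live host: ss -H -ltn | classify_listener 443
```

A `non-loopback` result only shows the socket is bound beyond localhost; a specific private address can still be the wrong interface for traffic arriving from Cloudflare.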