Introduction

A Cloudflare 522 error means Cloudflare could not establish or complete a timely TCP connection to the origin. DNS and the Cloudflare edge are usually fine. The failure happens between Cloudflare and your server, which points to origin downtime, overload, firewall rules, or network path trouble.

Symptoms

  • Visitors see 522 Connection timed out from Cloudflare
  • The error appears only when the proxy is enabled
  • Direct origin tests may be slow, intermittent, or unavailable
  • The problem started during traffic spikes, maintenance, or firewall changes
  • Server metrics show high resource usage or exhausted workers

Common Causes

  • The origin server is down, overloaded, or not listening on the expected port
  • Firewall rules block or challenge Cloudflare IP ranges
  • Long-running requests or saturated workers prevent timely responses
  • Network routing issues between Cloudflare and the hosting provider cause connection timeouts
  • A recent migration changed origin IPs without updating all records or services

Step-by-Step Fix

  1. Confirm the origin server is online and listening on the expected HTTP or HTTPS ports from outside the host itself.
  2. Check web server, PHP-FPM, application, and system metrics for CPU, memory, or worker exhaustion during the incident window.
  3. Verify firewall, security group, host-based security, and rate-limit rules allow Cloudflare IP ranges to reach the origin.
  4. Test the origin directly from another network to separate general origin downtime from a Cloudflare-specific path issue.
  5. Review recent deploys, migrations, or restarts that may have changed ports, upstream bindings, or server IP addresses.
  6. Reduce overload by restarting stuck services, scaling capacity, or terminating runaway requests only after identifying the bottleneck.
  7. Confirm DNS records in Cloudflare still point to the correct live origin address.
  8. Re-enable proxy traffic and monitor response times and logs to ensure the connection stays stable under normal load.
  9. Add alerting on origin saturation and blocked edge IPs so future 522 incidents are caught earlier.
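
For steps 3 and 9, one way to detect a firewall that is dropping Cloudflare edge connections is to scan the origin's drop log for sources inside Cloudflare's published ranges. The script below is an added example, not part of the original guide: the "FW-DROP" log prefix, the sample log lines, and the alert threshold are assumptions, and the range list is a partial snapshot that should be replaced with the current list from https://www.cloudflare.com/ips-v4.

```python
import ipaddress
import re
from collections import Counter

# Partial snapshot of Cloudflare's published IPv4 ranges (assumption: still current).
# In production, load the full list from https://www.cloudflare.com/ips-v4
CLOUDFLARE_V4 = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "141.101.64.0/18", "108.162.192.0/18",
    "162.158.0.0/15", "104.16.0.0/13", "172.64.0.0/13",
)]

# Constructed iptables LOG lines; "FW-DROP" is a hypothetical --log-prefix value.
SAMPLE_LOG = """\
Mar  3 10:15:01 web1 kernel: FW-DROP IN=eth0 OUT= SRC=162.158.90.12 DST=203.0.113.10 PROTO=TCP SPT=41822 DPT=443 SYN
Mar  3 10:15:02 web1 kernel: FW-DROP IN=eth0 OUT= SRC=162.158.90.12 DST=203.0.113.10 PROTO=TCP SPT=41822 DPT=443 SYN
Mar  3 10:15:04 web1 kernel: FW-DROP IN=eth0 OUT= SRC=172.68.10.5 DST=203.0.113.10 PROTO=TCP SPT=50210 DPT=80 SYN
Mar  3 10:15:05 web1 kernel: FW-DROP IN=eth0 OUT= SRC=198.51.100.77 DST=203.0.113.10 PROTO=TCP SPT=33100 DPT=443 SYN
Mar  3 10:15:06 web1 kernel: FW-DROP IN=eth0 OUT= SRC=104.16.5.9 DST=203.0.113.10 PROTO=TCP SPT=40000 DPT=22 SYN
Mar  3 10:15:07 web1 kernel: FW-ACCEPT IN=eth0 OUT= SRC=141.101.70.1 DST=203.0.113.10 PROTO=TCP SPT=40001 DPT=443 SYN
"""

LINE_RE = re.compile(r"FW-DROP .*?SRC=(?P<src>\S+) .*?PROTO=TCP .*?DPT=(?P<dpt>\d+)")

def is_cloudflare(ip):
    """True if ip falls inside one of the listed Cloudflare ranges."""
    addr = ipaddress.ip_address(ip)  # raises ValueError on malformed input
    return any(addr in net for net in CLOUDFLARE_V4)

def blocked_edge_connections(log_text, ports=(80, 443)):
    """Count dropped TCP packets from Cloudflare ranges to the origin's web ports."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or int(m["dpt"]) not in ports:
            continue  # not a drop entry, or not aimed at a web port
        try:
            if is_cloudflare(m["src"]):
                hits[(m["src"], int(m["dpt"]))] += 1
        except ValueError:
            continue  # skip lines with an unparseable source address
    return hits

def should_alert(hits, threshold=2):
    """Alert once the total number of blocked edge packets reaches the threshold."""
    return sum(hits.values()) >= threshold

if __name__ == "__main__":
    hits = blocked_edge_connections(SAMPLE_LOG)
    print(dict(hits), "ALERT" if should_alert(hits) else "ok")
```

Any non-zero count here means a firewall rule is dropping edge traffic that should reach the web ports, which is the step 3 condition that produces 522 responses.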