Introduction

Cloudflare 523 means the edge can resolve where your origin should be, but it cannot complete a route to that server. This is different from a certificate problem or a slow application. The fix usually lives in origin IP correctness, firewall rules, upstream routing, or a host-side network issue.

Symptoms

  • Cloudflare returns 523 while the site previously worked through the proxy
  • The origin may still respond from some networks but not through Cloudflare
  • Recent DNS or server IP changes happened before the outage
  • Hosting status pages or network tools show routing instability
  • Firewall changes were made on the server or provider side

Common Causes

  • The DNS record in Cloudflare points to an old or incorrect origin IP
  • The origin server was moved and Cloudflare is still targeting the previous address
  • Firewalls, security groups, or upstream filters block Cloudflare edge traffic
  • The hosting provider has a routing problem between Cloudflare and the origin network
  • The origin IP is private, withdrawn, or otherwise not reachable from the public internet

Step-by-Step Fix

  1. Confirm which origin IP address Cloudflare is currently targeting and compare it with the actual active server IP in your hosting environment.
  2. Test direct reachability to the origin IP from outside your infrastructure so you can tell whether the path is broadly broken or only failing through Cloudflare.
  3. Check whether the site recently migrated, changed providers, or rotated IPs and update the DNS record in Cloudflare if it still points to an old address.
  4. Review server firewalls, cloud security groups, and provider ACLs to make sure Cloudflare traffic is not blocked unintentionally.
  5. Verify the origin IP is public and routable and not an internal address, suspended instance, or detached floating IP.
  6. Ask the hosting provider to investigate upstream routing if the server is healthy but outside networks still cannot reach it consistently.
  7. If you need temporary confirmation, test with Cloudflare paused or via direct host header requests without leaving the site in that state longer than necessary.
  8. Re-enable normal proxying and re-test from multiple regions after correcting the origin IP or routing issue.
  9. Keep an inventory of current production IPs and DNS ownership so future migrations do not strand Cloudflare on an unreachable origin.