Web Server Is Down
Production Risk
Critical — the website is completely down for all users behind Cloudflare.
521 Web Server Is Down is a Cloudflare-specific error indicating that Cloudflare successfully connected to the client but the origin web server refused the connection from Cloudflare. The origin server is running but actively refusing connections.
- 1. The origin web server (nginx/Apache) is stopped or crashed.
- 2. The origin server's firewall is blocking connections from Cloudflare's IP ranges.
- 3. The origin server is listening on a different port than Cloudflare is attempting to connect to.
- 4. The origin server has reached its connection limit and is refusing new connections.
The origin nginx process crashes; Cloudflare gets connection refused on all subsequent requests.
# Cloudflare attempts to connect to origin
# TCP connection refused (ECONNREFUSED)
expected output
HTTP/1.1 521 Web Server Is Down
Fix 1
Restart the origin web server
WHEN The server process is stopped or crashed.
sudo systemctl restart nginx
# or
sudo systemctl restart apache2
Why this works
Brings the origin server back online so it can accept Cloudflare's connections.
Fix 2
Allowlist Cloudflare IP ranges on the origin firewall
WHEN The server is running but the firewall is blocking Cloudflare.
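# UFW example: allow each published Cloudflare IPv4 range to reach ports 80 and 443
# (ufw requires an explicit protocol when several ports are listed;
#  curl -f stops the loop from running on an HTTP error response)
for ip in $(curl -fsS https://www.cloudflare.com/ips-v4); do
  ufw allow proto tcp from "$ip" to any port 80,443
done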
Why this works
Permits Cloudflare's egress IPs to reach the origin server.
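The loop in Fix 2 turns whatever the download returns into firewall rules, so an error page or an empty response should be rejected before any rule is written. The following script is an added example, not part of the original page: it validates every line as an IPv4 CIDR and only then prints the ufw commands as a dry run. The function names and the sample ranges are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: validate a fetched IPv4 range list before it becomes ufw rules.
# Rules are printed as a dry run; nothing is applied to the firewall.

# Succeeds only for a strict IPv4 CIDR: four octets 0-255, prefix 0-32.
is_ipv4_cidr() {
  case $1 in ''|*[!0-9./]*) return 1 ;; esac
  addr=${1%/*}; prefix=${1#*/}
  [ "$addr/$prefix" = "$1" ] || return 1          # exactly one slash
  case $prefix in ''|*[!0-9]*|???*|0?*) return 1 ;; esac
  [ "$prefix" -le 32 ] || return 1
  case $addr in *.) return 1 ;; esac              # IFS split would hide a trailing dot
  old_ifs=$IFS; IFS=.; set -- $addr; IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    case $octet in ''|????*|0?*) return 1 ;; esac # empty, too long, leading zero
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# Reads ranges on stdin. Prints one ufw command per range, or prints nothing
# and fails if the list is empty or any line is not an IPv4 CIDR.
cloudflare_ufw_rules() {
  rules=''; count=0
  while IFS= read -r line || [ -n "$line" ]; do
    [ -n "$line" ] || continue                    # skip blank lines
    is_ipv4_cidr "$line" || { echo "rejected: $line" >&2; return 1; }
    rules="${rules}ufw allow proto tcp from $line to any port 80,443
"
    count=$((count + 1))
  done
  [ "$count" -gt 0 ] || { echo "rejected: empty list" >&2; return 1; }
  printf '%s' "$rules"
}

# Constructed input: RFC 5737 documentation ranges, not Cloudflare's real list.
printf '192.0.2.0/24\n198.51.100.0/24\n' | cloudflare_ufw_rules

# Constructed failure: an HTML error body where the range list should be.
if ! printf '<html>rate limited</html>\n' | cloudflare_ufw_rules; then
  echo "list rejected, firewall left unchanged"
fi
```

Because the rules are buffered until the whole list has been checked, a single bad line leaves the firewall untouched rather than half-updated.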
✕ Do not expose the origin server's real IP publicly
Attackers can bypass Cloudflare and hit the origin directly if they discover its IP.
Cloudflare-specific. Distinct from 520 (unknown error) — 521 means the TCP connection was actively refused.
Cloudflare 5xx error documentation
https://en.wikipedia.org/wiki/List_of_HTTP_status_codes#521