Can an incorrect firewall setting trigger a Cloudflare 521 error?

When a website has Cloudflare enabled as a reverse proxy, visitors occasionally run into Error 521: Web server is down. This error means that the client reached Cloudflare, but Cloudflare could not establish a connection to the origin (your server).


Besides the usual causes (the web service is not running, it is misconfigured, and so on), many people overlook another possible root cause: the firewall settings on the host itself. This article analyses how host firewalls (e.g. UFW, iptables) affect the path from Cloudflare to the origin and gives practical troubleshooting recommendations.

What is Error 521?

Error 521 is the code Cloudflare returns when its attempt to connect to the origin server was refused. Concretely:

  • Cloudflare has resolved the domain name successfully
  • The client's request has reached a Cloudflare edge node normally
  • Cloudflare's connection back to the origin IP is refused

In other words, the web service on the origin is unreachable; this is not a DNS problem and not a missing page. Note the distinction from the neighbouring code: Cloudflare reports 521 when the origin actively refuses the TCP connection (for example with a TCP reset), whereas an origin that silently drops the packets usually shows up as Error 522 (connection timed out). A firewall can produce either, depending on whether its rule rejects or drops.

Does a firewall affect Cloudflare?

Yes. Cloudflare's requests to your origin come from its global edge nodes, not from the visitor's browser IP. If the host firewall does not let those edge addresses through on the web ports, the connection is refused and Cloudflare reports a 521 error.

The following two scenarios are very common:

Scenario 1: UFW blocks the Cloudflare IP

UFW is the common firewall front end on Ubuntu. With a default-deny inbound policy, any port or source that is not explicitly allowed is blocked, and that includes Cloudflare's edge addresses.


A common incomplete configuration looks like this:

sudo ufw default deny incoming
sudo ufw allow ssh
sudo ufw allow 80

Port 80 is open to every source here, so plain HTTP from Cloudflare gets through. What is missing is port 443: when the Cloudflare SSL/TLS mode is Full or Full (strict), Cloudflare connects to the origin over HTTPS, and with no rule for 443 those connections never reach the web server and the site fails with a Cloudflare 521/522 error. The same thing happens when the web ports are allowed only from specific sources (an office address, a monitoring host) and Cloudflare's ranges are not included.

Scenario 2: iptables actively drops external CDN requests

Some servers use custom iptables rules to tighten access control. If the ruleset contains a statement like the following:

iptables -A INPUT -s 0.0.0.0/0 -p tcp --dport 80 -j DROP

then even if the web service is running, Cloudflare's reverse-proxy connections on port 80 are discarded along with everyone else's, because no ACCEPT rule for Cloudflare's ranges precedes this DROP. Rule order matters in iptables: ACCEPT rules for the Cloudflare ranges must appear earlier in the INPUT chain than any DROP or REJECT that covers the web ports.

The right way to set up a firewall

To avoid Cloudflare being blocked by firewalls, it is recommended that you do the following:

Get all Cloudflare edge node IP ranges

Cloudflare publishes and periodically updates its edge IP ranges at the following official address:

https://www.cloudflare.com/ips/


It includes both IPv4 and IPv6 ranges; the same data is available as plain-text lists at https://www.cloudflare.com/ips-v4 and https://www.cloudflare.com/ips-v6, which the following scripts fetch.

UFW example configuration:

# reset rules (test environments only; on a live server be careful, this also disables UFW)
sudo ufw reset

# default policies: deny inbound, allow outbound
sudo ufw default deny incoming
sudo ufw default allow outgoing

# keep SSH reachable before enabling, or you lock yourself out
sudo ufw allow ssh

# allow Cloudflare IPv4 and IPv6 ranges on both web ports (443 is needed for Full / Full (strict) mode)
for ip in $(curl -fsS https://www.cloudflare.com/ips-v4); do sudo ufw allow proto tcp from "$ip" to any port 80,443; done
for ip in $(curl -fsS https://www.cloudflare.com/ips-v6); do sudo ufw allow proto tcp from "$ip" to any port 80,443; done

# enable the firewall (the IPv6 rules only take effect with IPV6=yes in /etc/default/ufw)
sudo ufw enable

iptables example configuration:

# allow Cloudflare IPv4 and IPv6 ranges to reach ports 80 and 443 (ip6tables handles the IPv6 list)
for ip in $(curl -fsS https://www.cloudflare.com/ips-v4); do iptables -A INPUT -p tcp -s "$ip" -m multiport --dports 80,443 -j ACCEPT; done
for ip in $(curl -fsS https://www.cloudflare.com/ips-v6); do ip6tables -A INPUT -p tcp -s "$ip" -m multiport --dports 80,443 -j ACCEPT; done

# block direct access to the web ports from anywhere else, so the origin can only be reached through Cloudflare
iptables -A INPUT -p tcp -m multiport --dports 80,443 -j DROP
ip6tables -A INPUT -p tcp -m multiport --dports 80,443 -j DROP

Note: these rules are appended (-A), so they must end up before any DROP or REJECT rule for the web ports that already exists in INPUT; check the order with iptables -S INPUT. Persist them with a tool such as iptables-persistent (netfilter-persistent) so they survive a reboot, and re-run the loops whenever Cloudflare updates its ranges.
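Cloudflare's ranges change over time, and an allow-list that was correct when it was written can drift out of date without any error on the host, so it is worth scripting both the rebuild and an audit. The script below is an added example for this article, not code from the original page or from Cloudflare. It keeps the allow-list in a dedicated chain (the chain name CLOUDFLARE is an assumption, as are the sample ranges and the sample iptables -S dump, which are constructed so the audit functions run offline) and reports Cloudflare ranges that have no ACCEPT rule as well as allowed ranges that Cloudflare no longer publishes.

```shell
#!/bin/sh
# Added example, not code from the original article: keep an iptables/ip6tables
# allow-list in sync with Cloudflare's published ranges and audit an existing
# ruleset for missing or stale ranges. The chain name CLOUDFLARE is an assumption.
set -eu

CF_V4_URL="https://www.cloudflare.com/ips-v4"
CF_V6_URL="https://www.cloudflare.com/ips-v6"
CHAIN="CLOUDFLARE"

# Constructed sample data so the functions can be exercised offline; real lists
# come from the URLs above and real rules from 'iptables -S INPUT'.
SAMPLE_CF_V4="103.21.244.0/22
103.22.200.0/22
173.245.48.0/20"
# Constructed dump of a host whose allow-list has drifted: one Cloudflare range
# is allowed, two are missing, and 198.51.100.0/24 is allowed but is not Cloudflare.
SAMPLE_RULES="-P INPUT DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 103.21.244.0/22 -p tcp -m multiport --dports 80,443 -j ACCEPT
-A INPUT -s 198.51.100.0/24 -p tcp -m multiport --dports 80,443 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 80,443 -j DROP"

# ranges_from_rules: from an 'iptables -S' dump on stdin, print the source ranges
# that have an ACCEPT rule for the web ports or that live in the CLOUDFLARE chain.
ranges_from_rules() {
  grep -- '-j ACCEPT' \
    | grep -E -- "(-A $CHAIN |--dport 80 |--dport 443 |--dports 80,443 )" \
    | sed -n 's/.* -s \([^ ]*\) .*/\1/p' | sort -u
}

# missing_ranges: Cloudflare ranges (arg 1) that have no ACCEPT rule in the dump (arg 2).
missing_ranges() {
  allowed=$(printf '%s\n' "$2" | ranges_from_rules)
  printf '%s\n' "$1" | while read -r net; do
    [ -n "$net" ] || continue
    printf '%s\n' "$allowed" | grep -qxF -- "$net" || printf '%s\n' "$net"
  done
}

# stale_ranges: ranges the host allows on the web ports that Cloudflare (arg 1) no longer lists.
stale_ranges() {
  printf '%s\n' "$2" | ranges_from_rules | while read -r net; do
    printf '%s\n' "$1" | grep -qxF -- "$net" || printf '%s\n' "$net"
  done
}

# render_rules: emit the commands (arg 1: iptables or ip6tables, arg 2: range list)
# that rebuild the CLOUDFLARE chain and hook it into INPUT. Safe to re-run.
render_rules() {
  bin=$1
  printf '%s -N %s 2>/dev/null || %s -F %s\n' "$bin" "$CHAIN" "$bin" "$CHAIN"
  printf '%s\n' "$2" | while read -r net; do
    [ -n "$net" ] || continue
    printf '%s -A %s -s %s -j ACCEPT\n' "$bin" "$CHAIN" "$net"
  done
  # anything reaching the end of the chain is not a Cloudflare edge: drop it so the
  # origin cannot be reached directly (a stale list makes new edges hit this too)
  printf '%s -A %s -j DROP\n' "$bin" "$CHAIN"
  # route web traffic through the chain; -C prevents a duplicate jump on re-run
  printf '%s -C INPUT -p tcp -m multiport --dports 80,443 -j %s 2>/dev/null || %s -I INPUT -p tcp -m multiport --dports 80,443 -j %s\n' \
    "$bin" "$CHAIN" "$bin" "$CHAIN"
}

# apply_live: fetch both lists and apply them; refuses to apply an empty download.
apply_live() {
  v4=$(curl -fsS "$CF_V4_URL") && v6=$(curl -fsS "$CF_V6_URL") || return 1
  [ -n "$v4" ] && [ -n "$v6" ] || { echo "empty Cloudflare list, not applying" >&2; return 1; }
  render_rules iptables "$v4" | sh -e
  render_rules ip6tables "$v6" | sh -e
}

# With no arguments the audit runs against the constructed sample data.
# (--audit covers IPv4; repeat with ip6tables and CF_V6_URL for IPv6.)
case "${1:-}" in
  --apply) apply_live ;;
  --audit) rules=$(iptables -S INPUT; iptables -S "$CHAIN" 2>/dev/null || true)
           cf=$(curl -fsS "$CF_V4_URL")
           echo "missing:"; missing_ranges "$cf" "$rules"
           echo "stale:";   stale_ranges "$cf" "$rules" ;;
  *) echo "missing from sample rules:"; missing_ranges "$SAMPLE_CF_V4" "$SAMPLE_RULES"
     echo "stale in sample rules:";    stale_ranges "$SAMPLE_CF_V4" "$SAMPLE_RULES" ;;
esac
```

Run it with --audit on a real host to compare the live iptables -S output with the currently published list, or with --apply to rebuild the chain from freshly fetched lists. Because the chain ends in DROP, a Cloudflare range that is missing from a stale list fails as a 522 timeout rather than a 521, which is exactly the drift the audit is meant to catch before visitors do.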

Other possible causes of Error 521

In addition to firewalls, Error 521 can be caused by the following factors:

  • The web service process is not running (e.g. Nginx or Apache has stopped)
  • The address the web server binds to does not match the IP in the Cloudflare DNS record (for example it listens only on 127.0.0.1, or on an address other than the one the proxied A/AAAA record points to)
  • The host is overloaded, or the port is not being listened on as expected
  • Mismatched SSL settings: Cloudflare is set to Full or Full (strict) but the origin does not listen on port 443 at all (an origin that listens but presents an invalid certificate produces Error 525 or 526 instead)

Check the service status, the listening ports, and the server logs together rather than in isolation.
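Whether the origin can accept a connection at all is something you can establish from the origin itself before touching Cloudflare. The script below is an added example, not code from the original article: it reads the listening-socket table (ss -Hltn on a Linux host with iproute2) and tells apart a port with no listener, a port bound only to loopback, and a port that is reachable from outside. The ss output embedded in it is constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the original article: classify how a web port on the
# origin looks from the outside, using the local listening sockets. A port with no
# listener, or one bound only to loopback, refuses Cloudflare's connections and
# shows up as Error 521 even though the firewall is fine.
set -eu

# Constructed 'ss -Hltn' output for a host where HTTP is fine but HTTPS is bound to
# 127.0.0.1 only (the typical result of an nginx 'listen 127.0.0.1:443 ssl;' line).
SAMPLE_SS="LISTEN 0 511 0.0.0.0:80 0.0.0.0:*
LISTEN 0 511 127.0.0.1:443 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*"

# listeners_for: print the local addresses listening on a port (ss output on stdin).
# Matches on the ':port' suffix of the Local Address:Port column, so :80 does not match :8080.
listeners_for() {
  awk -v p=":$1" '$1 == "LISTEN" { a = $4; n = length(p);
    if (length(a) >= n && substr(a, length(a) - n + 1) == p) print a }'
}

# classify_port: 'no-listener', 'loopback-only' or 'ok' for a port (arg 1) given an
# ss dump (arg 2). The first two both mean a refused connection from Cloudflare.
classify_port() {
  addrs=$(printf '%s\n' "$2" | listeners_for "$1")
  [ -n "$addrs" ] || { echo no-listener; return 0; }
  if printf '%s\n' "$addrs" | grep -qvE '^(127\.|\[::1\])'; then echo ok; else echo loopback-only; fi
}

# diagnose: run both web ports through classify_port and map the result to the
# Cloudflare error a visitor would most likely see.
diagnose() {
  ss_out=$1
  for port in 80 443; do
    state=$(classify_port "$port" "$ss_out")
    case $state in
      ok)            printf 'port %s: ok (%s)\n' "$port" "$(printf '%s\n' "$ss_out" | listeners_for "$port" | tr '\n' ' ')" ;;
      no-listener)   printf 'port %s: nothing listening -> connection refused -> 521\n' "$port" ;;
      loopback-only) printf 'port %s: bound to loopback only -> refused from Cloudflare -> 521\n' "$port" ;;
    esac
  done
}

# On a real host: diagnose "$(ss -Hltn)"   (-H drops the header line from ss output)
diagnose "$SAMPLE_SS"
```

If port 443 comes back as loopback-only while Cloudflare is in Full or Full (strict) mode, the fix is in the web server's listen directive, not in the firewall; if both ports are ok and the error persists, the firewall rules and their order are the next thing to check.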

Summary

Cloudflare Error 521 is, at its core, the origin refusing Cloudflare's connection. An improperly configured firewall, in particular one that does not allow all of Cloudflare's edge node IP ranges on the web ports (and in the right rule order), is a common cause. Most 521 errors are resolved by allowing the published ranges correctly and making sure the web service is running and listening on the expected ports.

This article was written by Little Lin