521 Error Causes and Solutions: Cloudflare Cannot Connect to Source Site

When visiting the website and encountering 521 Error(Web Server Is Down)This means that the browser has successfully connected to Cloudflare, but Cloudflare is unable to connect to your web server (the source site). This is not a problem with Cloudflare, but with the source site.server (computer)The connection was refused or could not be established.

I. Common manifestations of 521 errors

Accessing the website: "Error 521: Web server is down".
Cloudflare panel status is normal, DNS configuration is fine
Using a browser or command line curl Test shows connection failure

Common Causes of 521 Errors

1. Source server not running

Apache, Nginx, or other web services do not start or crash

Service does not start automatically after system reboot

prescription::

Common commands: systemctl status nginx systemctl start nginx

2. Firewalls are blocking Cloudflare IP

on the source serverfirewalls(e.g. UFW, iptables, CSF, etc.) blocked Cloudflare's request IP
The server considers Cloudflare access as an attack and automatically blocks the

prescription::

Ensure that all IPs in Cloudflare have been added to the firewall whitelist
Official IP address segment reference:https://www.cloudflare.com/ips/

Add a sample command (using UFW as an example): sudo ufw allow from 173.245.48.0/20 sudo ufw allow from 103.21.244.0/22

3. Misconfiguration of the port or IP on which the website listens

The web service listens to the local IP (e.g. 127.0.0.1), not the public IP
Configuration file restricts certain ports or connection sources

prescription::

Check the listening configuration of Nginx/Apache, such as listen 80. maybe listen [IP]:80.
Modified to: listen 80; server_name yourdomain.com;

4. Incompatible SSL settings

Incompatible encryption modes are enabled between Cloudflare and the source station
Source station not correctConfiguring SSLBut Cloudflare enables "full" or "strict" encryption.

prescription::

Set the encryption mode to:
- Flexible: No HTTPS at source
- Full: The source site supports HTTPS but the certificate is not trusted.
- Strict: Source stations have valid certificates

5. Temporary network outages or overloads

CPU and memory usage of the source station is too high, and it cannot respond.
Temporary data center outages

prescription::

Checking server resource utilization top / htop
Restart the server to try to recover

III. How to Diagnose 521 Errors

Use the command line to test if the source station is online: curl -I http://yourdomain.com curl -I http://your_server_ip
probeFirewall logsWhether to block Cloudflare IP
View Server Web Service Log:: tail -f /var/log/nginx/error.log

IV. Summary recommendations

Ensure that the server Web services are functioning properly
Add all Cloudflare IPs to the firewall whitelist
Check listening configuration and port settings
Correctly Configure SSL Mode Matching
521 occurrences can be quickly pinpointed with the curl, self-test command.

If you are using Tencent Cloud or Ali Cloud,pagodaYou can check the firewall settings and web service status from the panel. If you are still unable to troubleshoot the issue, we recommend temporarily suspending Cloudflare (the direct connection to the source site) to confirm if the issue is with the server.

Contact Us
Can't read the tutorial? Contact us for a free answer! Free help for personal, small business sites!	Customer Service
① Tel: 020-2206-9892
② QQ咨询：1025174874
(iii) E-mail: info@361sale.com
④ Working hours: Monday to Friday, 9:30-18:30, holidays off