Error 521 occurs because the origin web server refuses a connection from Cloudflare. More specifically,

Cloudflare tried to connect to your origin server on port 80 or 443 but received a connection refused error.



Error 521


Common causes

The two most common causes leading to Error 521 are:


The web server is offline

The origin web server process (e.g., Apache or Nginx) might not be running or has crashed. In that case:

  • Ensure your web server is running normally.
  • Review the server's error logs to see what is causing the error.


If you're unable to perform these tasks, contact your host provider.



Cloudflare requests are blocked

The origin web server or hosting provider's network might be blocking Cloudflare's requests.


As a reverse proxy, Cloudflare connects to your server from a Cloudflare IP and all subsequent traffic comes exclusively from a smaller set of Cloudflare IPs. As a result, certain server-side security solutions might mistake the increase in legitimate connections from this smaller set of IPs as an attack. This results in some 

Cloudflare IPs being blocked or rate-limited.


To resolve this issue, allowlist all Cloudflare IP ranges in your server's firewall or any other security software at the origin. See the list of Cloudflare IP ranges.


If you're unable to allowlist Cloudflare IPs, contact your host provider.


Troubleshoot Error 521

You can use third-party tools like cURL or Telnet to test origin server response. 

 

For the example commands shown below, you need to replace IP address 1.2.3.4 with the IP address of your origin server. Also, you can run these tests against port 443.



Test with cURL

cURL allows you to simulate a HTTP request, so it is a good tool for checking that your origin server is working properly. You can run cURL via the Terminal command line tool on Mac OS or Linux. 


Run a cURL command against your server IP using the A record or CNAME for your domain shown in the DNSapp of the Cloudflare dashboard.

curl http://1.2.3.4 -v


If successful, you should see an HTTP 200 response along with the HTML of your website. A failed cURL request looks similar to this:

# curl 1.2.3.4
curl: (7) Failed to connect to 1.2.3.4 port 80: Connection refused


Test with Telnet

Windows users can test a connection using Telnet (via the Command Prompt).


Run a command similar to this:

telnet 1.2.3.4 80


An error, such as:

Unable to connect to remote host: Connection refused

means that your web server isn’t running or is blocking requests.


A refused connection error would look similar to this:

# telnet 1.2.3.4 80 Trying 1.2.3.4... telnet: connect to address 1.2.3.4: Connection refused telnet: Unable to connect to remote host