Saturday, December 28, 2024
Google search engine
HomeGuest BlogsError 521: What Causes It and How to Fix It

Error 521: What Causes It and How to Fix It

Introduction

The error message ā€œError 521: Web server is downā€ indicates an issue with the server. That is Cloudflareā€™s error message when the origin server does not respond to Cloudflareā€™s request.

This guide explainsĀ common causes and provides methods to troubleshoot and resolve error 521.

how to fix cloudflare error 521: web server is downhow to fix cloudflare error 521: web server is down

Prerequisites:

  • Access to the Cloudflare account associated with the domain affected by the error.
  • Origin web server access.

What Is Error 521?

When a user wants to visit a website that uses Cloudflareā€™s content delivery network (CDN), the following happens:

  1. The web browser attempts to connect to Cloudflare, and
  2. Cloudflare tries to connect to the origin web server to display the content.

Error 521 occurs when Cloudflare is unable to connect to the websiteā€™s origin server.

Cloudflare Error 521 Web server is downCloudflare Error 521 Web server is down

What Causes Error 521?

The following issues cause Error 521: Web server is down:

  • Origin web server is offline. The server is either offline or there is an issue with Apache or Nginx.
  • Blocked/blacklisted Cloudflare IP addresses. All connection requests come via Cloudflareā€™s IPs. The origin server might have a server-side security configuration that blocks an IP address if it sends too many requests.
  • Configuration issues with the origin web server. Servers must be specifically configured to work with a CDN. Error 521 might be due to a misconfigured server.
  • Dropped packets due to Apache modules for Slowloris Denial of Service prevention. Security modules for Apache may block requests coming from Cloudflare if not configured properly.

How to Troubleshoot and Fix Error 521

Follow the steps below to troubleshoot and resolve error 521.

1. Check the Origin Server

To troubleshoot Cloudflareā€™s error 521, first check whether the origin server is online. This can be done by checking the serverā€™s HTTP status code.Ā 

There are several ways to check the HTTP status of a website, outlined below.Ā 

Check HTTP Status Using cURL

Open the command prompt as an administrator (or terminal if you are using Mac or Linux), and run the curl command:Ā 

curl --silent --output /dev/null --write-out "%{http_code}" https://example.site 

The additional curl command options do the following:

  • --silent ā€“ Hides the progress bar (does not print the process of fetching the information).
  • --output ā€“ Prints an output.
  • /dev/null ā€“ Suppress printing the entire HTML body.
  • --write-outĀ ā€œ%{http_code}ā€ ā€“ Specifies the requested data/header to print the HTTP status code.

The output returns HTTP status code 200 if the server is up and running. A 5xx HTTP status code (for example, 500 ā€“ internal server error) indicates an issue with the origin server.Ā 

how to use the curl command to check a server's http statushow to use the curl command to check a server's http status

Check HTTP Status via Online HTTP Header CheckerĀ 

Open any online HTTP header checker and paste the websiteā€™s URL or IP address into the designated field.Ā 

The result will be similar to the following image.Ā The HTTP 200 status code indicates the server is up and running.

how to check http status code using aonline http header checkerhow to check http status code using aonline http header checker

Review Origin Server Error LogsĀ 

If the output returns an 5xx HTTP status code (server-side errors), review the serverā€™s error log to try and identify the root cause of the issue.

Server error logs can be accessed:

  • Using a graphical user interface (for servers managed with a server management application)
  • Via the terminal.

If you are using the terminal to access Apache server error logs, the following are the default locations for different Linux distributions:

  • FreeBSD ā€“ /var/log/httpd-error.log
  • Debian and Ubuntu ā€“ /var/log/apache2/error.log
  • RHEL, Red Hat, CentOS, and Fedora ā€“ /var/log/httpd/error_log

Nginx error logs on the most popular Linux distributions, such as Ubuntu, Debian and CentOS, are located in /var/log/nginx.

Note: The user accessing the log must have write access to the error log directory.

If web server error logs are inaccessible to you, contact your hosting provider.Ā 

2. Whitelist Cloudflare IP Addresses and Ports

Cloudflare is the mediatorĀ between a private firewall and origin server. Every connection attempt made to a web page is processed by Cloudflare and directed to the origin server via a set of IP addresses and through specific network ports.Ā 

For Cloudflare to work properly, it must be able to communicate with the origin server without any interference. Error 521 will occur if the connection between Cloudflare and the origin server is interfered by the following:

  • IP deny rules specified in .htaccess.
  • Firewall rules that restrict communication with Cloudflare.
  • Disabled ports through which Cloudflare communicates with the origin server.
  • Rate limiting and other types of of server-side restrictions.

These issues can be resolved by:

  • Checking .htaccess and firewall rules.
  • Whitelisting Cloudflare IPs.
  • Enabling the right ports.

Important: Some hosting providers whitelist Cloudflare IPs by default. Consult your hosting provider before troubleshooting.

Whitelist IP Addresses via .htaccess

To whitelist Cloudflareā€™s IP addresses in the .htaccess file, add all the addresses in the line starting with allow from all and separate individual IP addresses with spaces.Ā 

how to whitelist ip addresses via .htaccesshow to whitelist ip addresses via .htaccess

Note: If you need help creating and editing the .htaccess file, refer to our guides How to Create & Edit the Default WordPress .htaccess File and How to Enable & Set Up .htaccess File on Apache.

Whitelist IP Addresses via Firewall

The process of whitelisting IP addresses will vary from one firewall to another. As an example, this guide focuses on updating iptables rules. For other popular firewalls, refer to our articles on How to Use firewalld on CentOS 7 and How to Set Up UFW on Ubuntu.

To allow incoming connections from Cloudflareā€™s IP addresses in iptables:Ā 

  1. Open the Linux terminal.
  2. Connect to the server via SSH.
  3. Run the following command for every Cloudflare IP address (replace the example IP address with Cloudflareā€™s):Ā 
sudo iptables -A INPUT -s 192.168.0.1 --dport 443 -j ACCEPT 

Note: You can pass multiple IP address after the -s option. Just make sure to use commas between each individual IP address.

This will add a new rule to the iptables rule chain that allows incoming connections to the specified IP address. The parameters used in the syntax are:Ā 

  • -A ā€“ Adds rule to the rule chain.
  • INPUT ā€“ Specifies that the rule refers to all incoming connections.
  • -s ā€“ Specifies the source of traffic.
  • -j ACCEPT ā€“ Specifies what action should be taken with the data packets (accept).
  • --dport 443 ā€“ Specifies the destination port number of a protocol ā€“ where to direct the packets. Open port 443 for connections on encrypted networks.

Note: When Full (Strict) protection (SSL/TLS mode) is active, Cloudflare proxies all traffic to port 443 ā€“ the port used for secure connections over encrypted networks.

Optional parameters include:

  • -I ā€“ Specifies the network interface whose traffic the filter applies to.
  • -p ā€“ Specifies the network protocol filtering incoming traffic (TCP, UDP,Ā SCTP, UDP-lite,Ā ICMPv6, etc.)Ā 

Note: The parameters must always be written in the following order: -A, -i, -p, -s, --dport, -j.

If whitelisting Cloudflareā€™s IP addresses does not fix error 521, contact your hosting provider to check whether the issue is on their side.Ā 

3. Confirm That an SSL Certificate Is Installed

If Cloudflare IPs are whitelisted and access to port 443 is enabled, but error 521 persists, the issue may lie in your websiteā€™s security certificate.Ā 

Cloudflare requires a valid security certificate ā€“ the Cloudflare Origin Certificate or a certificate from any publicly trusted authority. A missing (or expired) SSL certificate willĀ cause error 521 or 526 to appear.Ā 

Whether you have an SSL certificate or want to create one using Cloudflare, you will have to go through the process of creating an Origin CA security certificate:

  1. Log in to Cloudflare.
  2. Choose the domain you want to install the certificate on.
  3. Navigate to SSL/TLS > Origin Server.
  4. Click Create Certificate.
  5. Choose whether you want to:
    1. Generate a Cloudflare certificate (Generate private key and CSR with Cloudflare)
    2. Use an existing third-party certificate (Use my private key and CSR)
  6. Specify the hostnames the certificate should apply to (root zone and first-level wildcard hostname are included by default)
  7. Specify the expiration date of the certificate
  8. Click Next
  9. Choose the key format:
    1. PEM, DER ā€“ for servers using OpenSSL (Apache and NGINX)
    2. PKCS#7 (.p7b) ā€“ for servers using Windows and Apache Tomcat
  10. Save the origin certificate and private key into separate filesĀ 
  11. Click OK

You now have an Origin CA security certificate that must be added to the origin server. To do this:

  1. Upload the certificate to your origin web server
  2. Update your web server configuration
  3. Enable SSL and port 443

Some origin web servers will also require aĀ Cloudflare Origin CA root certificate to be uploaded. The RSA and EEC version of the certificate can be found in Cloudflareā€™s documentation.

Note: According to Cloudflare, the EEC version should not be used with Apache cPanel.

4. Check mod_security

If theĀ mod_security Apache module acts as the origin serverā€™s firewall, its core rules could be blocking Cloudflare requests, causingĀ error 521 to appear.Ā 

If you are using mod_security, ensure that theĀ latest version is being used and that none of the rules are blocking Cloudflareā€™s IP addresses.Ā 

5. Disable mod_antiloris and mod_reqtimeout

mod_antiloris and mod_reqtimeout are Apache HTTP server modules designed to prevent Slowloris Denial-of-Service (DoS) attacks by limiting the number of connections from unique IP addresses within a specified time frame.Ā 

Cloudflare is a reverse proxy, meaning it processes requests and directs them to the origin server. This is completed over a limited range of IP addresses. WithĀ mod_antiloris and mod_reqtimeout set up, once a Cloudflare IP address exceeds the connection limit, every following connection attempt from that address results in dropped packets.Ā 

To resolve the issue, disable and unload the modules so Cloudflare can work uninterrupted.Ā 

6. Check Railgun Configuration

Railgun is a WAN optimization protocol developed by Cloudflare to increase connection speed. Ā 

Improper Railgun configuration causes the error 521 to appear, accompanied by theĀ ā€œrailgun.wan_error connection failedā€ error message.Ā 

To resolve the issue, disable Railgun so the website can be accessed and review the configuration. If you require assistance, reach out to Cloudflare Support.Ā 

7. Contact Cloudflare SupportĀ 

If the troubleshooting methods did not help to locate the issue, contact Cloudflare Support. A representative will guide you through gathering the required information and further troubleshooting.Ā 

Conclusion

You now know what causes the ā€œError 521: Web server is downā€ error message and how to troubleshoot and fix it.

Use the information provided in this guide to fix error 521 and prevent it from happening in the future.

Error 521 is only one of numerous error messages that can appear when visiting a website that uses Cloudflareā€™s CDN. Another common error code is 520: Web Server is Returning an Unknown Error. Check out our guide that explains what error 520 means and how to fix it.

Was this article helpful?
YesNo

RELATED ARTICLES

Most Popular

Recent Comments

ź°•ģ„œźµ¬ģ¶œģž„ė§ˆģ‚¬ģ§€ on How to store XML data into a MySQL database using Python?
źøˆģ²œźµ¬ģ¶œģž„ė§ˆģ‚¬ģ§€ on How to store XML data into a MySQL database using Python?
ź“‘ėŖ…ģ¶œģž„ģ•ˆė§ˆ on How to store XML data into a MySQL database using Python?
ź“‘ėŖ…ģ¶œģž„ģ•ˆė§ˆ on How to store XML data into a MySQL database using Python?
ė¶€ģ²œģ¶œģž„ģ•ˆė§ˆ on How to store XML data into a MySQL database using Python?
źµ¬ģ›”ė™ģ¶œģž„ģ•ˆė§ˆ on How to store XML data into a MySQL database using Python?
ź°•ģ„œźµ¬ģ¶œģž„ģ•ˆė§ˆ on How to store XML data into a MySQL database using Python?
ģ˜¤ģ‚°ģ¶œģž„ģ•ˆė§ˆ on How to store XML data into a MySQL database using Python?
ź“‘ėŖ…ģ¶œģž„ė§ˆģ‚¬ģ§€ on How to store XML data into a MySQL database using Python?
ģ•ˆģ–‘ģ¶œģž„ė§ˆģ‚¬ģ§€ on How to store XML data into a MySQL database using Python?
ė¶€ģ²œģ¶œģž„ģ•ˆė§ˆ on How to store XML data into a MySQL database using Python?
ė™ķƒ„ģ¶œģž„ģ•ˆė§ˆ on How to store XML data into a MySQL database using Python?
ģ„œģšøģ¶œģž„ģ•ˆė§ˆ on How to store XML data into a MySQL database using Python?
ė¶„ė‹¹ģ¶œģž„ģ•ˆė§ˆ on How to store XML data into a MySQL database using Python?
ė¶€ģ²œģ¶œģž„ģ•ˆė§ˆ on How to store XML data into a MySQL database using Python?
ķ™”ź³”ė™ģ¶œģž„ė§ˆģ‚¬ģ§€ on How to store XML data into a MySQL database using Python?
ź°•ģ„œźµ¬ģ¶œģž„ė§ˆģ‚¬ģ§€ on How to store XML data into a MySQL database using Python?
ź³ ģ–‘ģ¶œģž„ģ•ˆė§ˆ on How to store XML data into a MySQL database using Python?
ķ™”ģ„±ģ¶œģž„ė§ˆģ‚¬ģ§€ on How to store XML data into a MySQL database using Python?
ģ²œķ˜øė™ģ¶œģž„ė§ˆģ‚¬ģ§€ on How to store XML data into a MySQL database using Python?