You have just deployed your site behind Cloudflare, everything was working fine, and then suddenly your visitors see a stark white page with "Error 522: Connection timed out" or "Error 521: Web server is down." Your heart sinks. Is the server dead? Has something been hacked? Did the hosting provider pull the plug?
Take a deep breath. These two Cloudflare errors are the most common — and the most panic-inducing — but they are almost always fixable. This guide walks you through exactly what each error means, how to diagnose the root cause with real commands you can run right now, and how to implement permanent fixes so these errors never come back.
Error 522 vs. 521: What Is the Difference?
Before diving into fixes, you need to understand what each error actually means. They look similar but have fundamentally different root causes.
Error 522
Connection Timed Out
Cloudflare successfully established a TCP connection to your origin server, but the web server (Nginx, Apache, etc.) did not send a response within the timeout window.
In simple terms: Your server answered the phone, but then went silent and never said anything.
Timeout Issue
Error 521
Web Server Is Down
Cloudflare could not establish a TCP connection to your origin server at all. The connection was either refused (port closed) or timed out at the network level.
In simple terms: Your server did not even answer the phone. The line is dead.
Connection Refused
The Connection Flow
For a 522 error, the connection makes it past "TCP to Origin IP" (the handshake succeeds), but the web server application layer does not respond. For a 521 error, the connection fails at "TCP to Origin IP" — the handshake itself fails because nothing is listening or the packets are being dropped.
Error 522: Connection Timed Out — Causes and Fixes
A 522 error means your server is reachable at the network level, but the web server process is too slow or too busy to respond. Here are the four most common causes, in order of likelihood.
Cause 1: Server Overloaded (CPU or RAM Exhaustion)
The most common cause of 522 errors. If your server's CPU is pinned at 100% or it has run out of RAM, the web server process cannot handle new connections in time. This frequently happens during traffic spikes, runaway PHP processes, or unoptimized database queries.
Diagnosis
SSH into your server and run these commands:
# Check CPU and memory usage in real-time
top -bn1 | head -20
# Check system load average (should be below your CPU core count)
uptime
# Check available memory
free -m
# Find the top CPU-consuming processes
ps aux --sort=-%cpu | head -10
# Check for PHP-FPM processes stuck in a loop
ps aux | grep php-fpm | wc -lFix
- Immediate: Kill runaway processes:
kill -9 $(pgrep -f "php-fpm" --oldest)(only if clearly stuck) - Short-term: Reduce PHP-FPM max_children to prevent overcommitting RAM. A common formula:
(Total RAM - 1GB for OS) / Average PHP process size - Long-term: Enable PHP OPcache, install Redis for object caching, optimize slow database queries, add a CDN for static assets
/var/log/php-fpm/error.log or wp-content/debug.log.
Cause 2: Firewall Blocking Cloudflare IP Ranges
When Cloudflare proxies your site, all requests to your origin server come from Cloudflare's IP ranges — not from your visitors' IPs. If your firewall (iptables, nftables, UFW, CSF, or a hosting provider firewall) does not whitelist these IPs, requests get silently dropped and Cloudflare reports a 522.
Diagnosis
# Check if Cloudflare IPs can reach your web server
# Test from outside your server (or use a different machine):
curl -I --max-time 10 http://YOUR_SERVER_IP
# Check firewall rules on the server
iptables -L -n | grep -E "80|443|DROP|REJECT"
# For nftables
nft list ruleset | grep -E "80|443|drop|reject"
# For UFW
ufw status verbose
# Check if connections are being rate-limited
netstat -an | grep :80 | wc -l
netstat -an | grep :443 | wc -lFix
Whitelist all Cloudflare IP ranges. The current ranges are published at cloudflare.com/ips. See the dedicated section below for firewall-specific commands.
Cause 3: Keepalive Timeout Too Low
Cloudflare uses HTTP keep-alive connections to your origin server to reduce latency. If your web server closes these connections too quickly (before Cloudflare sends the next request on the same connection), Cloudflare encounters a "connection reset" and reports a 522.
Diagnosis
# Check Nginx keepalive timeout
grep -r "keepalive_timeout" /etc/nginx/nginx.conf /etc/nginx/conf.d/
# Check Apache KeepAliveTimeout
grep -r "KeepAliveTimeout" /etc/apache2/ /etc/httpd/Fix
Cloudflare expects origin keepalive timeouts of at least 300 seconds (5 minutes). Set these values in your web server config:
Nginx:
keepalive_timeout 300;
keepalive_requests 1000;Apache:
KeepAlive On
KeepAliveTimeout 300
MaxKeepAliveRequests 1000Cause 4: Large Response Payload or Slow Backend
If your WordPress site is generating a page that requires heavy database queries, calling external APIs that are slow to respond, or generating very large pages (e.g., a product catalog with thousands of items), the response generation may exceed Cloudflare's timeout.
Diagnosis
# Check slow query log (MySQL)
tail -50 /var/log/mysql/slow-query.log
# Check PHP-FPM slow log
tail -50 /var/log/php-fpm/slow.log
# Check WordPress debug log
tail -50 /path/to/wordpress/wp-content/debug.log
# Check Nginx error log for upstream timeouts
grep "upstream timed out" /var/log/nginx/error.log | tail -20Fix
- Enable WordPress debug logging: add
define('WP_DEBUG_LOG', true);to wp-config.php - Install a query monitor plugin to identify slow database queries
- Use a caching plugin (WP Super Cache, W3 Total Cache, or Redis Object Cache) to serve cached pages instead of generating them fresh
- Move expensive operations to background jobs with WP-Cron or a queue system
Error 521: Web Server Is Down — Causes and Fixes
A 521 error is more severe than a 522. It means Cloudflare cannot establish any connection at all to your origin server. This typically means the web server process has stopped, the server has crashed, or the firewall is actively rejecting connections.
Cause 1: Web Server (Nginx/Apache) Stopped or Crashed
The most common cause. The web server process may have crashed due to a misconfiguration, a failed update, or an out-of-memory kill by the Linux OOM killer.
Diagnosis
# Check if Nginx is running
systemctl status nginx
# Check if Apache is running
systemctl status apache2 # Debian/Ubuntu
systemctl status httpd # CentOS/RHEL
# Check if anything is listening on port 80/443
ss -tlnp | grep -E ":80|:443"
# Check recent system logs for OOM kills
dmesg | grep -i "oom\|killed" | tail -10
# Check the web server error log
tail -50 /var/log/nginx/error.log
tail -50 /var/log/apache2/error.logFix
# Start the web server
systemctl start nginx
# If it fails to start, check the config syntax
nginx -t # Nginx
apachectl configtest # Apache
# If OOM killed, check memory usage and reduce PHP-FPM workers
free -m
# Edit PHP-FPM pool config: reduce pm.max_childrenCause 2: Firewall Actively Rejecting Cloudflare IPs
Unlike the 522 scenario (where packets are silently dropped, causing a timeout), a 521 typically occurs when the firewall actively rejects the connection (sends a TCP RST or ICMP unreachable). This happens with deny rules or when fail2ban has banned Cloudflare IPs.
Diagnosis
# Check for Cloudflare IPs in fail2ban jail
fail2ban-client status
fail2ban-client status sshd # or your jail name
# Check for explicit DROP/REJECT rules
iptables -L -n --line-numbers | grep -i "drop\|reject"
# Test connectivity from the server itself
curl -I http://localhost
curl -I https://localhostFix
If fail2ban has banned Cloudflare IPs, unban them and add them to the ignore list:
# Unban a specific IP
fail2ban-client set JAIL_NAME unbanip IP_ADDRESS
# Add Cloudflare ranges to fail2ban ignore list
# Edit /etc/fail2ban/jail.local:
# ignoreip = 127.0.0.1/8 173.245.48.0/20 103.21.244.0/22 ...Cause 3: Server Crashed (OOM, Disk Full, Kernel Panic)
If the entire server is down (not just the web server), you will see a 521 because nothing is responding on any port. Common causes include the OOM killer terminating critical processes, the disk filling up (which prevents logging and crashes services), or a kernel panic.
Diagnosis
# Check disk usage — 100% full will crash most services
df -h
# Check memory
free -m
# Check system uptime (did it recently reboot?)
uptime
# Check for OOM kills in system log
journalctl -k | grep -i "oom\|killed" | tail -20
# Check dmesg for kernel issues
dmesg | tail -30Fix
- Disk full: Clear log files (
truncate -s 0 /var/log/large-file.log), remove old backups, clean package cache (apt clean) - OOM: Add swap space as an emergency measure:
fallocate -l 2G /swapfile && chmod 600 /swapfile && mkswap /swapfile && swapon /swapfile - After clearing space: Restart services:
systemctl restart nginx php-fpm mysql
du -sh /var/lib/mysql/) — they can grow several GB without you noticing.
Cause 4: Wrong Origin IP in Cloudflare DNS
This is embarrassingly common. If you recently migrated servers, changed hosting providers, or restored from a backup, the DNS A record in Cloudflare might still point to the old server's IP address.
Diagnosis
# Check what IP Cloudflare is connecting to
# In Cloudflare dashboard: DNS → Records → check A record
# Verify from your terminal (bypassing Cloudflare):
dig +short example.com @1.1.1.1
# Verify the correct server IP
hostname -I
# Test direct connection to the correct IP
curl -I --resolve example.com:80:YOUR_CORRECT_IP http://example.com
curl -I --resolve example.com:443:YOUR_CORRECT_IP https://example.comFix
Update the A record in Cloudflare DNS to point to your current server's IP address. Make sure the orange cloud (proxy) icon is enabled. Changes propagate within seconds since Cloudflare controls the DNS.
Cloudflare IP Whitelist — The Universal Fix
Whitelisting Cloudflare's IP ranges in your server's firewall is the single most important step for preventing both 522 and 521 errors. If your firewall has any deny-by-default rules, Cloudflare's requests will be blocked.
UFW (Uncomplicated Firewall)
# Allow Cloudflare IPv4 ranges
for ip in 173.245.48.0/20 103.21.244.0/22 103.22.200.0/22 103.31.4.0/22 \
141.101.64.0/18 108.162.192.0/18 190.93.240.0/20 188.114.96.0/20 \
197.234.240.0/22 198.41.128.0/17 162.158.0.0/15 104.16.0.0/13 \
104.24.0.0/14 172.64.0.0/13 131.0.72.0/22; do
ufw allow from $ip to any port 80,443 proto tcp
done
ufw reloadnftables
# Add to your nftables config (/etc/nftables.conf)
define cloudflare_ipv4 = {
173.245.48.0/20, 103.21.244.0/22, 103.22.200.0/22,
103.31.4.0/22, 141.101.64.0/18, 108.162.192.0/18,
190.93.240.0/20, 188.114.96.0/20, 197.234.240.0/22,
198.41.128.0/17, 162.158.0.0/15, 104.16.0.0/13,
104.24.0.0/14, 172.64.0.0/13, 131.0.72.0/22
}
chain input {
tcp dport { 80, 443 } ip saddr $cloudflare_ipv4 accept
}iptables
# Allow Cloudflare IPs on ports 80 and 443
for ip in 173.245.48.0/20 103.21.244.0/22 103.22.200.0/22 103.31.4.0/22 \
141.101.64.0/18 108.162.192.0/18 190.93.240.0/20 188.114.96.0/20 \
197.234.240.0/22 198.41.128.0/17 162.158.0.0/15 104.16.0.0/13 \
104.24.0.0/14 172.64.0.0/13 131.0.72.0/22; do
iptables -A INPUT -s $ip -p tcp -m multiport --dports 80,443 -j ACCEPT
done
iptables-save > /etc/iptables/rules.v4https://www.cloudflare.com/ips-v4 and https://www.cloudflare.com/ips-v6, then updates your firewall rules automatically. A stale whitelist is a ticking time bomb.
Permanent Monitoring Setup
Fixing the error once is not enough. You need monitoring in place so you are alerted before your visitors see errors.
Uptime Monitoring
Use a service like UptimeRobot (free for 50 monitors), Pingdom, or Better Stack to ping your site every 1-5 minutes. Set alerts for any downtime exceeding 30 seconds. Monitor both your Cloudflare URL and your origin IP directly.
Server Resource Alerts
Configure alerts for: CPU usage above 80% for 5+ minutes, RAM usage above 90%, disk usage above 85%, and PHP-FPM queue depth above 0. These are early warning signs before a 522 error occurs.
Cloudflare Health Checks
In Cloudflare dashboard, go to Traffic → Health Checks. Configure a health check that pings your origin server every 60 seconds. If the check fails, Cloudflare can automatically failover to a backup origin (if configured) or serve a custom error page.
Log Analysis
Set up centralized logging (even a simple logrotate + weekly review is better than nothing). Watch for patterns: Are errors happening at the same time daily? During specific traffic spikes? After deployments? Patterns reveal root causes.
Quick Reference Table
| Error | Meaning | Most Common Cause | Quick Fix |
|---|---|---|---|
| 522 | Connection timed out | Server CPU/RAM overloaded | Kill runaway processes, increase resources, add caching |
| 522 | Connection timed out | Firewall silently dropping CF packets | Whitelist Cloudflare IP ranges in firewall |
| 522 | Connection timed out | Keepalive timeout too low | Set keepalive_timeout to 300s in Nginx/Apache |
| 522 | Connection timed out | Slow PHP/database response | Enable OPcache, Redis cache, optimize queries |
| 521 | Web server is down | Nginx/Apache stopped or crashed | systemctl start nginx |
| 521 | Web server is down | Firewall rejecting CF connections | Whitelist Cloudflare IPs, check fail2ban |
| 521 | Web server is down | Server crashed (OOM / disk full) | Free disk space, add swap, restart services |
| 521 | Web server is down | Wrong origin IP in DNS | Update A record in Cloudflare dashboard |
Panelica Integration: Proactive Error Prevention
If you are running your sites on a Panelica-managed server, most of the issues described in this guide are handled automatically. Here is what Panelica does out of the box:
20 Managed Services with Auto-Restart
Panelica's service manager (pn-service) monitors all 20 services including Nginx, Apache, PHP-FPM, MySQL, PostgreSQL, and Redis. If a service crashes, the systemd watchdog detects it and restarts it automatically — usually before a single visitor sees an error.
Pre-Configured Cloudflare Firewall Rules
Panelica's nftables firewall comes with Cloudflare IP ranges already whitelisted. When Cloudflare updates their ranges, the panel's update system refreshes the rules automatically. No manual firewall maintenance needed.
Real-Time Resource Monitoring
Panelica's built-in monitoring dashboard shows CPU, RAM, disk, and bandwidth usage in real-time with historical graphs. Set custom alert thresholds to get notified before your server hits critical resource limits — catching potential 522 errors before they happen.
Per-User Resource Isolation (Cgroups v2)
Each user on a Panelica server runs inside their own Cgroups v2 slice with CPU, memory, and I/O limits. A runaway PHP process from one site cannot consume all server resources and cause 522 errors for other sites. The isolation is enforced at the kernel level.
With Panelica's proactive monitoring, automatic service recovery, and kernel-level resource isolation, 522 and 521 errors become rare events rather than recurring nightmares. The panel handles the infrastructure, so you can focus on building your sites.