Fixing Cloudflare Error 521: Web Server is Down
Cloudflare Error 521 means Cloudflare cannot reach the origin server. In this Ubuntu-focused guide, we explain why it happens, how Cloudflare's network interacts with the server, and provide step-by-step fixes to restore access quickly.
Understanding Error 521
Cloudflare proxies traffic to the origin server for speed and security. A 521 indicates Cloudflare's edge servers failed to get any response. Possible culprits include the server being offline, services (web, database, cache) being down, firewall rules blocking ports 80/443, or network/DNS issues.
Common Causes
- Server Offline: Hardware failure, provider outage, or maintenance.
- Web Service Down: Apache/Nginx crashed or misconfigured.
- Database Down: MySQL/PostgreSQL service unavailable, causing application errors.
- Port Blocked: Firewall (UFW, iptables) rejecting Cloudflare IPs.
- DNS Misconfigured: A/AAAA records pointing to the wrong IP.
- SSL/TLS Mismatch: Cloudflare expecting HTTPS but the origin is HTTP-only.
Quick Fixes and Basic Checks
4.1 Check Server Status
sudo systemctl status apache2
# or
sudo systemctl status nginx
4.2 Check Firewall Rules
sudo ufw status
Ensure Cloudflare IP ranges are allowed on ports 80 and 443. Cloudflare publishes their IP ranges at cloudflare.com/ips -- we must whitelist all of them.
4.3 Restart Web Services
sudo systemctl restart apache2
# or
sudo systemctl restart nginx
Advanced Troubleshooting
5.1 Monitor Resources
top
htop
High load can starve services -- consider scaling or tuning if resource utilization is consistently high.
5.2 Tune MySQL and Web Server
max_allowed_packet: Adjust in/etc/mysql/my.cnfinnodb_buffer_pool_size: Increase to cache more data
These settings require Linux/MySQL expertise -- incorrect values can make things worse.
5.3 Validate DNS and SSL
Ensure A/AAAA records point correctly and that the SSL certificate is valid. Use Cloudflare's diagnostic tools for guidance.
5.4 Contact the Hosting Provider
If all else fails, the hosting provider can diagnose network or virtualization layer issues that are not visible from within the instance.
Preventing Future Issues
- Automated Backups: Regular snapshots of files and the database.
- Firewall Hardening: Keep UFW rules lean and up to date.
- Professional Maintenance: Ongoing care from experienced server administrators.
- Performance Monitoring: Use Nagios, Zabbix, or similar tools for real-time alerts.
- Timely Updates: Patch Ubuntu, Apache/Nginx, MySQL, and other services promptly.
Wrap-Up
Error 521 almost always traces back to something on the origin server side -- a stopped service, a firewall rule, or resource exhaustion. By systematically checking service status, firewall configuration, resource usage, and DNS settings, we can identify and resolve the issue quickly. Proactive monitoring and regular maintenance are the best defenses against unexpected downtime.
Need help with this?
Our team handles this kind of work daily. Let us take care of your infrastructure.
Related Articles
The Ultimate Guide to Linux Server Management in 2025
A comprehensive guide to modern Linux server management covering automation, containerization, cloud integration, AI-driven operations, security best practices, and essential tooling for 2025.
Server & DevOpsFixing "421 Misdirected Request" for Plesk Sites on Ubuntu 22.04 After Apache Update
Resolve the 421 Misdirected Request error affecting all HTTPS sites on Plesk for Ubuntu 22.04 after an Apache update, caused by changed SNI requirements in the nginx-to-Apache proxy chain.
Server & DevOpsHow to Set Up GlusterFS on Ubuntu
A complete guide to setting up a distributed, replicated GlusterFS filesystem across multiple Ubuntu 22.04 nodes, including installation, volume creation, client mounting, maintenance, and troubleshooting.