"Cloudflare Error 521 vs 522 vs 523 vs 530: What Each One Means and How to Fix It"
Cloudflare's 5xx errors all mean "something is wrong behind Cloudflare" — but each code points at a different failure. Here's how to read them and fix the real problem fast.
Your site is behind Cloudflare and visitors are seeing an error page with a three-digit code in the 500s. The page says "cloudflare" at the bottom, so is Cloudflare down? Almost certainly not — these codes are Cloudflare telling you exactly what went wrong between its edge and your origin server. Learning to read them turns a vague "site is down" into a specific diagnosis.
Here's the cheat sheet, then the details.
| Code | Meaning | Where the problem is |
|---|---|---|
| 521 | Web server is down | Origin refused the connection |
| 522 | Connection timed out | Origin didn't answer the TCP handshake |
| 523 | Origin is unreachable | Cloudflare can't route to the origin at all |
| 524 | A timeout occurred | Origin accepted, then took too long to respond |
| 525 | SSL handshake failed | TLS negotiation with origin broke |
| 526 | Invalid SSL certificate | Origin's certificate failed validation |
| 530 | Origin DNS error | Cloudflare couldn't resolve the origin hostname |
521: Web server is down
Cloudflare reached your server's IP, tried to connect to the web port, and got actively refused. The machine is up enough to send a TCP reset, but nothing is listening.
Most common causes:
- Your web server process (nginx, Apache, Caddy) crashed or was stopped
- The server is rebooting and the network stack came up before the web server did
- A firewall is rejecting Cloudflare's IPs — this is the classic one. If you allowlist traffic on your origin, you must allow Cloudflare's published IP ranges, and those ranges occasionally change
Fix: confirm your web server is running (systemctl status nginx), then confirm it's listening on the port Cloudflare connects to. If both look fine, check your firewall rules against Cloudflare's current IP list.
522: Connection timed out
Cloudflare sent a connection request and heard nothing back — no acceptance, no refusal, just silence until the timeout.
This is usually one of:
- The origin server is overloaded (too busy to accept new connections)
- A firewall is silently dropping packets instead of rejecting them
- Wrong IP in your Cloudflare DNS records — you're pointing at an address where nothing answers
Fix: check server load first. If the box is healthy, verify the IP in your Cloudflare DNS dashboard actually belongs to your current server — this bites people after a migration, when the old IP quietly stops answering.
523: Origin is unreachable
Cloudflare can't even route packets toward your origin. Rarer than 521/522, and usually means the IP is wrong at a network level: the address is unannounced, the route disappeared, or your host is having a network incident.
Fix: verify the DNS record points at the right IP, then check your hosting provider's status page. If you recently changed hosting or IPs, this is almost always a stale record.
524: A timeout occurred
Different from 522: the connection succeeded, the request was sent, and then your application took longer than Cloudflare's limit (100 seconds by default) to produce a response. The server is up — something it's doing is just very slow. Long-running report generation, a locked database table, or an N+1 query meltdown are typical culprits.
Fix: find the slow endpoint in your application logs. For legitimately long operations, move the work to a background job and return immediately.
525 and 526: TLS problems between Cloudflare and your origin
Both codes mean HTTPS between Cloudflare and your origin is broken — visitors' connections to Cloudflare are fine, but the second hop isn't.
- 525 — the TLS handshake itself failed. Often: your origin has no certificate on port 443, or supports only cipher suites/TLS versions Cloudflare won't use.
- 526 — the handshake worked, but the certificate failed validation: expired, self-signed while your SSL mode is "Full (strict)", or issued for a different hostname.
Fix: the quickest reliable setup is a free Cloudflare Origin CA certificate installed on your origin, with SSL mode set to Full (strict). It's valid for up to 15 years, which also ends the expired-origin-cert class of incident. And monitor your certificate expiry regardless — an expiring cert is one of the most preventable outages there is.
530: Origin DNS error
The odd one out. With a 530, Cloudflare couldn't resolve your origin's hostname — the failure happens before any connection attempt. You'll see this when:
- Your origin is configured by hostname (common with tunnels, load balancers, or SaaS backends) and that hostname's DNS broke
- A CNAME chain points at a record that was deleted
- You're using Cloudflare Tunnel and the tunnel is down — Cloudflare surfaces this as 530/1033
One subtlety we learned building PoppaPing's own edge layer: if you write a Cloudflare Worker that fetches your origin, an unreachable origin often comes back as a 530 response object, not a thrown exception. If your Worker only catches exceptions to detect origin failures, 530s sail right through it. Handle both.
Fix: resolve the origin hostname yourself (dig your-origin-hostname) and follow the chain until you find the record that's missing or wrong. For tunnels, check the tunnel connector's health first.
The real lesson: monitor from outside Cloudflare's error page
Every code above describes a failure your visitors saw before you did. Cloudflare's error pages are informative, but they're a terrible notification system — they only "alert" people who were already trying to use your site.
External uptime monitoring closes that gap: a monitor that requests your site every minute sees the 521 or 530 the moment it starts, tells you which code it got (so you start the right fix immediately), and confirms recovery when it clears. Multi-region checks also distinguish "my origin is down" (every region sees it) from "one Cloudflare pop is having a bad moment" (one region sees it) — a distinction the error page alone can't give you.
PoppaPing monitors your site from 10 regions worldwide, records the exact status code of every failed check, and alerts you on Slack, Discord, Telegram, email, or webhooks within a minute of the first failure. Set up a free monitor and the next 5xx will be a notification you act on — not a screenshot a customer sends you.
Ready to stop guessing if your site is up?
PoppaPing monitors your sites from 10 regions on 4 continents. Get started free.
Start Monitoring Free