When a site is connected to the Cloudflare CDN and the origin server fails to respond, the browser shows Error 521. In most cases this error is not a problem with Cloudflare itself; rather, the origin server is rejecting the connection request from Cloudflare. This article will help you figure out the reason behind the error and how to fix it.

Common Cause Analysis
1. Cloudflare's IP ranges are blocked by the origin server's firewall
Many servers only accept local or region-specific access by default, and if you have enabled firewalls, security groups, fail2ban, or IP restriction settings, it is likely that Cloudflare's IPs have been blocked by mistake.
2. The web service is not listening on port 80 or 443.
Requests from Cloudflare go to port 80 (HTTP) or 443 (HTTPS) by default. If no service is listening on these two ports, Cloudflare will not be able to connect to the origin server.
3. Back-end service is down or Nginx/Apache is misconfigured
For example, Nginx restarting without loading its configuration properly, PHP-FPM crashing, or Apache not having virtual hosts enabled can also cause Cloudflare to report 521.
Solution 1: Unblock Cloudflare IP Segments
Go to the official Cloudflare page for the latest IP listings.
![Image [2]-Resolution to Cloudflare Error 521: Connection refused by source site](http://gqxi.cn/wp-content/uploads/2025/05/20250523165447251-image.png)
Add the following IP ranges to the server firewall whitelist (e.g. iptables, CSF, AWS security groups, AliCloud security policies, etc.):
IPv4 Example:
173.245.48.0/20
103.21.244.0/22
104.16.0.0/13
...
IPv6 Example:
2400:cb00::/32
2606:4700::/32
...
![Image [3]-Resolution to Cloudflare Error 521: Connection refused by source site](http://gqxi.cn/wp-content/uploads/2025/05/20250529144126580-image.png)
The way it works depends on the system environment you are using. For example, on an Ubuntu + iptables server:
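for ip in $(curl -fsS https://www.cloudflare.com/ips-v4); do sudo iptables -I INPUT -p tcp -m multiport --dports 80,443 -s "$ip" -j ACCEPT; done
This limits the rule to ports 80 and 443, the ports Cloudflare connects to by default, rather than opening every TCP port to these ranges. Don't forget to save the rules so that they persist across reboots.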
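A more careful variant of the one-liner above, as an added example that is not part of the original article: it validates every fetched line before it can reach a root command line, covers the IPv6 ranges with ip6tables, and prints idempotent rules for review instead of applying them directly. The function name cf_rules and the output file name are assumptions made for this example.

```shell
#!/bin/sh
# Added example: read CIDR ranges (one per line) on stdin and print
# iptables/ip6tables commands limited to ports 80 and 443.
# Nothing is applied here; review the output, then run it with sudo.

# Shape checks only (allowed characters, prefix length). They keep shell
# metacharacters and HTML error pages out of the generated commands;
# iptables itself still rejects impossible addresses such as 999.1.1.1.
V4_RE='^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$'
V6_RE='^[0-9a-fA-F]*:[0-9a-fA-F:]*/([0-9]|[1-9][0-9]|1[01][0-9]|12[0-8])$'

cf_rules() {
  input=$(tr -d '\r')          # read all of stdin, tolerate CRLF endings
  # Pass 1: refuse the whole list if any non-empty line is not a CIDR,
  # so a partially valid download never produces a partial rule set.
  if printf '%s\n' "$input" | grep -Evq -e "$V4_RE" -e "$V6_RE" -e '^$'; then
    echo "rejected: range list contains a non-CIDR line" >&2
    return 1
  fi
  # Pass 2: one command per range. -C tests whether the rule already
  # exists, so re-running the output does not stack duplicate rules.
  printf '%s\n' "$input" | while IFS= read -r cidr; do
    [ -n "$cidr" ] || continue
    case $cidr in *:*) tool=ip6tables ;; *) tool=iptables ;; esac
    spec="INPUT -p tcp -m multiport --dports 80,443 -s $cidr -j ACCEPT"
    echo "$tool -C $spec 2>/dev/null || $tool -I $spec"
  done
}

# Constructed sample input, using two ranges quoted in the article:
#   printf '173.245.48.0/20\n2400:cb00::/32\n' | cf_rules
# Live use (fetch both lists, write the rules to a file for review):
#   { curl -fsS https://www.cloudflare.com/ips-v4; echo; \
#     curl -fsS https://www.cloudflare.com/ips-v6; } | cf_rules > cf-rules.sh
```
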
Solution 2: Confirm that the server is listening on the expected ports
Check whether port 80 or 443 is open with the following command:
sudo netstat -tlnp | grep ':80\|:443'
![Image [4]-Resolution to Cloudflare Error 521: Connection refused by source site](http://gqxi.cn/wp-content/uploads/2025/05/20250529144037962-image.png)
Verify that nginx or apache is up:
sudo systemctl status nginx
sudo systemctl status apache2
If the service is not running, check the logs, fix the problem, and restart:
sudo systemctl restart nginx
Solution 3: Troubleshooting HTTPS Configuration and Certificate Issues
If HTTPS is enabled on the site, it is recommended to select the correct encryption mode in the Cloudflare console ("Full" or "Full Strict" is recommended):
Log in to the Cloudflare console
Go to Website → SSL/TLS → select "Full" or "Full Strict".
![Image [5]-Resolution to Cloudflare Error 521: Connection refused by source site](http://gqxi.cn/wp-content/uploads/2025/05/20250529145222987-image.png)
Ensure that the origin server's certificate is available and has not expired
Solution 4: Temporarily bypass Cloudflare to test the origin server
Modify the local hosts file to point the domain name directly to the origin IP, and then access the site to test:
123.123.123.123 example.com
After confirming that the origin server responds normally, access the site through Cloudflare again and compare the two results step by step to isolate the problem.
Conclusion
Error 521 is a failure of communication between Cloudflare and the origin, which in essence means the server is blocking Cloudflare's IPs. Check whether the firewall, the port listening status, and the web service are normal and whether the HTTPS settings match, and most issues can be resolved. If you're using a security plugin or a cloud vendor's firewall service, it's also recommended that you allow Cloudflare's full IP ranges there as well to avoid later access disruptions.
Link to this article: http://gqxi.cn/en/56680
The article is copyrighted and must be reproduced with attribution.