Cloudflare Error Codes 520-527 Explained: Complete Fix Guide

Quick Reference: All Cloudflare Error Codes

Error 520: Web Server Returned Unknown Error

Error 520 is a catch-all error that occurs when Cloudflare receives an empty, unknown, or unexpected response from your origin server.

Common Causes

• Origin server crashed mid-response
• Response headers exceed 16KB limit
• Empty response body with 200 status
• Origin closed connection before responding
• Invalid HTTP response format

How to Fix

1. Check origin server logs for crashes or errors
2. Verify response headers are under 16KB
3. Test without Cloudflare by pausing Cloudflare or using hosts file
4. Check for mod_security or firewall blocks
5. Ensure proper HTTP response format

# Check origin directly (bypass Cloudflare)
curl -v -H "Host: yourdomain.com" http://YOUR_ORIGIN_IP/

# Check response headers size
curl -I https://yourdomain.com | wc -c

Error 521: Web Server Is Down

Error 521 means Cloudflare attempted to connect to your origin server, but the connection was actively refused. This typically means the web server process isn't running.

Common Causes

• Web server (Apache/Nginx) not running
• Firewall blocking Cloudflare IPs
• Origin server overwhelmed
• iptables rules blocking connections
• Wrong port configured in Cloudflare

How to Fix

# 1. Check if web server is running
sudo systemctl status nginx
sudo systemctl status apache2

# 2. Restart web server if needed
sudo systemctl restart nginx
# or
sudo systemctl restart apache2

# 3. Check if port 80/443 is listening
sudo netstat -tlnp | grep -E ':80|:443'

# 4. Verify firewall allows Cloudflare IPs
# Get Cloudflare IP ranges from:
# https://www.cloudflare.com/ips-v4
# https://www.cloudflare.com/ips-v6

# 5. Allow Cloudflare IPs in iptables
for ip in $(curl -s https://www.cloudflare.com/ips-v4); do
    sudo iptables -A INPUT -p tcp -s $ip --dport 80 -j ACCEPT
    sudo iptables -A INPUT -p tcp -s $ip --dport 443 -j ACCEPT
done

Error 522: Connection Timed Out

Error 522 occurs when Cloudflare can't establish a TCP connection to your origin server within 15 seconds. Unlike 521, the connection isn't refused—it just doesn't complete.

Common Causes

• Server overload (too many connections)
• Network issues between Cloudflare and origin
• Firewall silently dropping packets
• Origin IP address incorrect in Cloudflare DNS
• Keepalive settings too aggressive

How to Fix

# 1. Check server load
top -b -n 1 | head -10
uptime

# 2. Check connection limits
cat /proc/sys/net/core/somaxconn
cat /proc/sys/net/ipv4/tcp_max_syn_backlog

# 3. Increase connection limits
echo 65535 | sudo tee /proc/sys/net/core/somaxconn
echo 65535 | sudo tee /proc/sys/net/ipv4/tcp_max_syn_backlog

# 4. Check for packet drops
netstat -s | grep -i drop
netstat -s | grep -i overflow

# 5. Verify DNS points to correct IP
dig +short yourdomain.com

In Cloudflare dashboard:

1. Go to DNS settings
2. Verify A/AAAA records point to correct origin IP
3. Check if you're using the right ports

Error 523: Origin Is Unreachable

Error 523 means Cloudflare couldn't route to your origin server. This is typically a DNS or network routing issue.

Common Causes

• DNS records pointing to invalid IP
• Origin server IP changed but DNS not updated
• Routing issues at ISP/datacenter level
• Origin server completely offline

How to Fix

1. Verify DNS records in Cloudflare dashboard are correct
2. Ping your origin IP from multiple locations
3. Check if origin server is online via direct IP access
4. Contact hosting provider if server is unreachable

# Test connectivity from multiple locations
# Use tools like:
# - https://check-host.net/check-ping
# - https://www.uptrends.com/tools/ping-test

# Verify your origin IP is correct
curl -v http://YOUR_ORIGIN_IP/

Error 524: A Timeout Occurred

Error 524 means Cloudflare successfully connected to your origin, but the origin didn't respond with HTTP headers within 100 seconds (or your configured timeout).

Common Causes

• Long-running PHP/Python/Node scripts
• Slow database queries
• Large file processing
• External API calls timing out
• Resource exhaustion on origin

How to Fix

For Free/Pro plans, the timeout is 100 seconds. Business and Enterprise can increase this.

# 1. Check for slow queries
# MySQL
SHOW FULL PROCESSLIST;

# 2. Check PHP execution time
php -i | grep max_execution_time

# 3. Increase PHP timeout (php.ini)
max_execution_time = 300
max_input_time = 300

# 4. Increase Nginx timeout
proxy_read_timeout 300s;
proxy_connect_timeout 300s;
proxy_send_timeout 300s;
fastcgi_read_timeout 300s;

Error 525: SSL Handshake Failed

Error 525 occurs when Cloudflare can't establish an SSL/TLS connection with your origin server. The connection was made, but the SSL handshake failed.

Common Causes

• Origin doesn't support SSL on port 443
• SSL/TLS version mismatch
• Cipher suite incompatibility
• SSL certificate not installed on origin
• SNI issues

How to Fix

# 1. Test SSL connection to origin
openssl s_client -connect YOUR_ORIGIN_IP:443 -servername yourdomain.com

# 2. Check supported TLS versions
nmap --script ssl-enum-ciphers -p 443 YOUR_ORIGIN_IP

# 3. Verify certificate is installed
openssl s_client -connect yourdomain.com:443 | openssl x509 -noout -dates

In Cloudflare dashboard:

1. Go to SSL/TLS settings
2. Try changing encryption mode to "Flexible" (temporarily)
3. If Flexible works, fix your origin SSL configuration
4. Then switch back to "Full" or "Full (Strict)"

Error 526: Invalid SSL Certificate

Error 526 means Cloudflare connected to your origin, but couldn't validate the SSL certificate. This only happens with "Full (Strict)" mode.

Common Causes

• SSL certificate expired
• Self-signed certificate (not trusted)
• Certificate doesn't match hostname
• Missing intermediate certificates
• Using Cloudflare Origin CA without proper setup

How to Fix

# 1. Check certificate validity
openssl s_client -connect YOUR_ORIGIN_IP:443 -servername yourdomain.com 2>/dev/null | openssl x509 -noout -dates

# 2. Check certificate chain
openssl s_client -connect YOUR_ORIGIN_IP:443 -servername yourdomain.com -showcerts

# 3. Verify hostname matches
openssl s_client -connect YOUR_ORIGIN_IP:443 -servername yourdomain.com 2>/dev/null | openssl x509 -noout -text | grep -A1 "Subject Alternative Name"

Solutions:

• Get a valid certificate from Let's Encrypt (free)
• Use Cloudflare Origin CA certificates (free, trusted by Cloudflare)
• Install intermediate certificates in the correct order
• Renew expired certificates

Error 527: Railgun Error

Error 527 indicates a problem with Cloudflare Railgun, a WAN optimization technology. This is relatively rare since Railgun is being deprecated in favor of Argo.

How to Fix

1. Check Railgun Listener status on origin
2. Verify Railgun configuration
3. Restart Railgun service
4. Consider migrating to Argo Smart Routing

Error 530: Site Frozen

Error 530 is always accompanied by a 1xxx error in the response body. Check the 1xxx error for the actual cause.

Debugging Tools

Cloudflare Dashboard

• Analytics → Traffic - See error distribution
• Analytics → Security - Check if WAF is blocking
• Trace - Test requests from Cloudflare edge

Useful Commands

# Get ray ID for support tickets
curl -I https://yourdomain.com 2>&1 | grep -i cf-ray

# Test with specific Cloudflare datacenter
curl -I --resolve yourdomain.com:443:CF_IP https://yourdomain.com

# Check if origin is accessible
curl -v -H "Host: yourdomain.com" https://YOUR_ORIGIN_IP/

# View Cloudflare IP ranges
curl https://www.cloudflare.com/ips-v4

Prevention Best Practices

1. Whitelist Cloudflare IPs in your firewall and update regularly
2. Use Full (Strict) SSL mode with valid origin certificates
3. Monitor origin server health proactively
4. Set up Cloudflare notifications for origin errors
5. Use Page Rules to bypass Cloudflare for health checks
6. Enable Argo Smart Routing for better reliability
7. Implement proper timeouts on your origin application

Conclusion

Cloudflare's custom 5xx errors provide valuable diagnostic information about the connection between Cloudflare and your origin server. While they can be frustrating, each error code points to a specific problem:

• 520 - Origin returned garbage; check logs and response format
• 521 - Web server not running; start it or fix firewall
• 522 - Connection timeout; check server load and network
• 523 - Can't route to origin; verify DNS settings
• 524 - Origin too slow; optimize or increase timeouts
• 525 - SSL handshake failed; fix TLS configuration
• 526 - Invalid SSL cert; get a valid certificate
• 527 - Railgun issue; restart or migrate to Argo

When troubleshooting, always check the Ray ID in error pages—it's essential for Cloudflare support tickets.