Error 521 means Cloudflare attempted to connect to the origin server, but the connection was actively refused. The origin server is either completely down, not listening on the correct port (80 for HTTP, 443 for HTTPS), or explicitly blocking Cloudflare's IP addresses. Unlike error 522 (timeout), with 521 Cloudflare gets an immediate rejection: the origin is reachable at the network level but no web server is responding.
The web server process (Nginx, Apache, LiteSpeed, IIS) has stopped, crashed, or failed to start. The server itself may be running, but the web server software is not.
If Cloudflare's SSL mode is Full or Full (Strict), it connects to port 443. If your web server is only listening on port 80, the connection is refused on 443.
iptables, ufw, fail2ban, or a hosting provider's firewall may be blocking Cloudflare's IP ranges, causing immediate connection refusal.
Shared hosting providers may suspend accounts for exceeding resource limits, unpaid invoices, or policy violations, which takes the web server offline.
SSH into your server and check if the web server process is running. Restart it if needed.
systemctl status nginx # or: systemctl status apache2 / httpd
Verify your web server is listening on port 80 (HTTP) and/or 443 (HTTPS) depending on your Cloudflare SSL mode.
Use a port scanner to check if ports 80 and 443 are open on your origin server from the internet.
curl -v --connect-timeout 5 http://YOUR_ORIGIN_IP/
If you use iptables, ufw, or fail2ban, add rules to allow traffic from all Cloudflare IP ranges. Check cloudflare.com/ips for the current list.
Contact your hosting provider to ensure your account is active and the server is not suspended or undergoing maintenance.
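The listening-port check above can be scripted. The following is an added example, not part of the original page: it reads `ss -tln` output and reports whether the port Cloudflare uses for a given SSL mode would be refused. The function names and the sample socket table are constructed for illustration; the Flexible-to-port-80 mapping and the loopback-only case are additions beyond what the page states.

```shell
#!/bin/sh
# Added example: the names below are hypothetical helpers, not Cloudflare tooling.

# Port Cloudflare connects to on the origin for a given SSL mode.
required_port() {
    case "$1" in
        full|strict) echo 443 ;;  # Full / Full (Strict), as stated on the page
        flexible)    echo 80 ;;   # assumption: Flexible reaches the origin over HTTP
        *)           return 2 ;;
    esac
}

# listen_scope PORT < ss_output  ->  public | loopback | none
listen_scope() {
    awk -v port="$1" '
        $1 == "LISTEN" {
            n = split($4, parts, ":")            # port is the last colon-separated field
            if (parts[n] != port) next
            addr = substr($4, 1, length($4) - length(parts[n]) - 1)
            if (addr ~ /^127\./ || addr == "[::1]") {
                if (scope == "") scope = "loopback"
            } else {
                scope = "public"                 # 0.0.0.0, *, [::] or a specific address
            }
        }
        END { print (scope == "" ? "none" : scope) }'
}

# diagnose MODE < ss_output
diagnose() {
    port=$(required_port "$1") || { echo "unknown-mode"; return 2; }
    case "$(listen_scope "$port")" in
        public)   echo "ok:$port" ;;
        loopback) echo "refused:$port:loopback-only" ;;
        none)     echo "refused:$port:not-listening" ;;
    esac
}

# Constructed sample of `ss -tln` output: 80 is public, 443 is bound to loopback only.
sample_ss() {
cat <<'EOF'
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      511          0.0.0.0:80        0.0.0.0:*
LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
LISTEN 0      511        127.0.0.1:443       0.0.0.0:*
EOF
}

sample_ss | diagnose full
```

On the origin itself, pipe the live socket table in instead of the sample: `ss -tln | diagnose full`.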
Cloudflare received an empty, unknown, or unexpected response from the origin server.
Cloudflare's TCP connection to the origin server timed out.
Cloudflare cannot reach the origin server because DNS resolution failed or the origin IP is unreachable.