
520 and 521 web server errors: what they mean and how to fix them

Mar 29, 2026 | 12 min read | hostney.com

520 and 521 errors are not standard HTTP status codes. They are Cloudflare-specific error codes that Cloudflare returns when it cannot reach your origin server or when your origin server responds in an unexpected way. If you are seeing these errors and your site is not behind Cloudflare, the status codes have a different meaning in your specific setup, but this guide focuses on the Cloudflare context where these errors are overwhelmingly encountered.

Both errors mean that Cloudflare, acting as a reverse proxy between your visitors and your server, tried to connect to your origin server and something went wrong. The visitor sees a Cloudflare error page instead of your site. Your origin server may or may not be aware that anything happened.

Error 520: web server returned an unknown error

What it means

A 520 error means Cloudflare connected to your origin server, but the origin returned an empty, unknown, or malformed response that Cloudflare could not interpret. Cloudflare expected a valid HTTP response (status code, headers, body) and got something else, or got nothing at all.

The key distinction: Cloudflare did establish a TCP connection to your server. The connection was not refused or timed out. But the response that came back was not something Cloudflare could work with.

Common causes

The origin server returned an empty response. Your server accepted the connection but sent back zero bytes before closing it. This often happens when PHP-FPM crashes during request processing. The web server (Nginx or Apache) connected to PHP-FPM, PHP-FPM started processing the request, then the PHP process was killed (out of memory, segfault, max execution time), and the web server returned an empty response to Cloudflare. On a site without Cloudflare, this would typically show as a 502 Bad Gateway error.

Headers exceeded Cloudflare’s size limit. Cloudflare has an internal limit on response header size. If your origin server sends response headers larger than approximately 16 KB, Cloudflare returns 520. This can happen when WordPress plugins set excessively large cookies, when a caching layer adds many cache-related headers, or when a misconfigured application dumps debug data into headers.

Connection was reset by the origin. Your server accepted the connection but then closed it unexpectedly before sending a complete response. This can be caused by firewall rules on your server that block Cloudflare’s IP ranges, iptables rules that drop connections after a certain number from the same source, or a web application firewall (ModSecurity, Imunify360) that identifies the request as malicious and kills the connection.

SSL/TLS mismatch between Cloudflare and origin. If Cloudflare is configured to connect to your origin over HTTPS (Full or Full Strict mode) but your origin server has an SSL configuration issue, the TLS handshake may fail in a way that produces a 520. This can happen when the origin certificate has expired, when the origin only supports TLS versions that Cloudflare does not use for origin connections, or when the SSL configuration on the origin is incomplete. For SSL-specific errors, see ERR_SSL_PROTOCOL_ERROR: what it means and how to fix it and ERR_SSL_VERSION_OR_CIPHER_MISMATCH: how to fix it.

Origin server timeout at the application level. Your web server accepted the connection and started processing the request, but the application (WordPress, WooCommerce) hit a timeout or error before generating a response. If PHP’s max_execution_time is reached, PHP terminates and the web server may send an empty or incomplete response that Cloudflare interprets as 520.

How to diagnose

Check if the origin responds directly. Bypass Cloudflare by connecting to your server’s IP address directly:

# --resolve pins example.com to your origin IP while keeping the real hostname for SNI and
# certificate checks; a plain https://YOUR_SERVER_IP/ would fail certificate validation instead
curl -I --resolve example.com:443:YOUR_SERVER_IP https://example.com/

If this returns a valid response, the origin is working and the problem is between Cloudflare and the origin. If this also fails, the problem is on the origin server itself.

Check the origin’s error log. Look at the web server error log for entries at the time of the 520:

grep "$(date +%Y/%m/%d)" /var/log/nginx/error.log | tail -30

Look for upstream connection errors, timeout messages, or PHP-FPM errors. The most common findings are “upstream prematurely closed connection” (PHP-FPM crashed) and “no live upstreams” (PHP-FPM is down).
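To turn that grep into something you can act on, here is an added example (not from the original article) that sorts Nginx error-log lines into the 520 causes listed above and counts each one; the log lines in sample_nginx_errors are constructed, and the socket paths in them are placeholders.

```shell
# Classify Nginx error-log lines (stdin) into the 520 causes the article names.
# Real use: classify_nginx_errors < /var/log/nginx/error.log
classify_nginx_errors() {
    awk '
        /upstream prematurely closed connection/ { n["fpm_crash"]++;   next }  # PHP-FPM died mid-request
        /no live upstreams/                      { n["fpm_down"]++;    next }  # PHP-FPM not running
        /upstream timed out/                     { n["app_timeout"]++; next }  # max_execution_time / slow app
        /connect\(\) failed .* upstream/         { n["fpm_refused"]++; next }  # nothing on the FPM socket/port
        /\[error\]|\[crit\]/                     { n["other"]++ }
        END { for (k in n) print k, n[k] }
    ' | sort
}

# Count for one category, printing 0 when it never occurred (handy for alert thresholds).
cause_count() {
    classify_nginx_errors | awk -v key="$1" '$1 == key { print $2; seen = 1 } END { if (!seen) print 0 }'
}

# Constructed sample log covering each branch; not real log data.
sample_nginx_errors() {
    cat <<'EOF'
2026/03/29 10:01:02 [error] 1234#1234: *88 upstream prematurely closed connection while reading response header from upstream, client: 203.0.113.5, server: example.com, request: "GET /wp-admin/ HTTP/1.1", upstream: "fastcgi://unix:/run/php-fpm/www.sock:", host: "example.com"
2026/03/29 10:01:05 [error] 1234#1234: *91 upstream prematurely closed connection while reading response header from upstream, client: 203.0.113.5, server: example.com, request: "POST /wp-admin/admin-ajax.php HTTP/1.1", upstream: "fastcgi://unix:/run/php-fpm/www.sock:", host: "example.com"
2026/03/29 10:02:10 [error] 1234#1234: *95 no live upstreams while connecting to upstream, client: 203.0.113.5, server: example.com, request: "GET / HTTP/1.1", upstream: "fastcgi://php-backend", host: "example.com"
2026/03/29 10:03:44 [error] 1234#1234: *99 upstream timed out (110: Connection timed out) while reading response header from upstream, client: 203.0.113.5, server: example.com, request: "GET /shop/ HTTP/1.1", upstream: "fastcgi://unix:/run/php-fpm/www.sock:", host: "example.com"
2026/03/29 10:04:01 [error] 1234#1234: *102 connect() failed (111: Connection refused) while connecting to upstream, client: 203.0.113.5, server: example.com, request: "GET / HTTP/1.1", upstream: "fastcgi://127.0.0.1:9000", host: "example.com"
2026/03/29 10:05:00 [error] 1234#1234: *105 open() "/var/www/html/favicon.ico" failed (2: No such file or directory), client: 203.0.113.5, server: example.com, request: "GET /favicon.ico HTTP/1.1", host: "example.com"
EOF
}
```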

Check PHP-FPM status. If the origin is running WordPress on Nginx with PHP-FPM, verify that PHP-FPM is running and has available workers:

systemctl status php-fpm

If PHP-FPM is stopped or all workers are busy, the origin cannot process requests. This would produce a 503 Service Unavailable error without Cloudflare, but Cloudflare may report it as 520 if the origin’s error response is malformed.

Check if Cloudflare IPs are allowed. Your server’s firewall must allow connections from Cloudflare’s IP ranges. Cloudflare publishes their IP ranges at cloudflare.com/ips. If your firewall blocks these IPs, Cloudflare cannot reach your server. Verify with:

iptables -L -n | grep -i drop

Look for rules that might be dropping connections from Cloudflare’s IP ranges. Fail2ban is a common culprit. If fail2ban is banning IPs based on login failures or request rates, it can inadvertently ban Cloudflare IPs, which effectively takes your entire site offline because all traffic comes through Cloudflare.

Check response headers size. Use curl to see what headers your origin is sending:

curl -sI --resolve example.com:443:YOUR_SERVER_IP https://example.com/ | wc -c

If the header size is approaching 16 KB, that is likely the cause. Identify which headers are unusually large and fix the source.
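Finding which header is the offender is the tedious part, so here is an added example (not from the original article) that reads a saved header block, reports the total size against the approximate 16 KB limit, and lists the largest headers first; the response in make_sample_headers is constructed to mimic an oversized plugin cookie.

```shell
# Capture first: curl -sI --resolve example.com:443:YOUR_SERVER_IP https://example.com/ > headers.txt
HEADER_LIMIT_BYTES=16384   # approximate Cloudflare limit quoted in the article

# Total size of the header block in bytes (same figure the article's wc -c gives).
header_total_bytes() { wc -c < "$1" | tr -d ' '; }

# One line per header, "bytes name", largest first, so the culprit is at the top.
header_sizes() {
    awk '/^[A-Za-z0-9-]+:/ { n = index($0, ":"); printf "%d %s\n", length($0), substr($0, 1, n - 1) }' "$1" \
        | sort -rn
}

# Verdict on the whole block: ok, warn (above 75% of the limit) or over.
header_verdict() {
    total=$(header_total_bytes "$1")
    if   [ "$total" -gt "$HEADER_LIMIT_BYTES" ];               then echo over
    elif [ "$total" -gt $((HEADER_LIMIT_BYTES * 3 / 4)) ];     then echo warn
    else echo ok; fi
}

# Name of the single largest header: the one to fix first.
largest_header() { header_sizes "$1" | head -n 1 | cut -d' ' -f2; }

header_report() {
    printf 'total: %s bytes (limit ~%s), verdict: %s\n' \
        "$(header_total_bytes "$1")" "$HEADER_LIMIT_BYTES" "$(header_verdict "$1")"
    header_sizes "$1" | head -n 5
}

# Constructed sample: a WordPress-style response whose Set-Cookie carries ~13 KB,
# the plugin-cookie case the article describes. Written to file $1.
make_sample_headers() {
    big=$(awk 'BEGIN { while (n++ < 13000) printf "a" }')
    {
        printf 'HTTP/1.1 200 OK\r\n'
        printf 'Server: nginx\r\n'
        printf 'Content-Type: text/html; charset=UTF-8\r\n'
        printf 'Set-Cookie: wp_plugin_state=%s; Path=/\r\n' "$big"
        printf 'Cache-Control: no-cache\r\n'
        printf '\r\n'
    } > "$1"
}
```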

How to fix

The fix depends on the cause:

  • PHP-FPM crashing: Check php-fpm.log for segfaults or out-of-memory kills. Increase memory_limit in php.ini, increase pm.max_children if workers are exhausted, and check for problematic plugins that cause PHP to crash.
  • Firewall blocking Cloudflare: Whitelist Cloudflare’s IP ranges in your firewall. If using fail2ban, add Cloudflare’s IPs to the ignore list.
  • SSL mismatch: Ensure your origin has a valid SSL certificate. In Cloudflare’s dashboard, set SSL/TLS mode to “Full (Strict)” and install a Cloudflare Origin CA certificate on your server if you do not have a public certificate.
  • Header size: Identify and remove excessive cookies or headers. Disable debug mode, check caching plugin headers, and review any custom headers being set in Nginx or Apache.
  • Application timeout: Increase max_execution_time in PHP configuration and proxy_read_timeout in Nginx.

Error 521: web server is down

What it means

A 521 error means Cloudflare could not establish a TCP connection to your origin server at all. The server refused the connection, the connection timed out, or nothing is listening on the expected port. This is more straightforward than a 520 because the problem is at the network/server level rather than the application level.

Common causes

The web server (Nginx/Apache) is stopped. The most direct cause. If Nginx or Apache is not running, nothing is listening on ports 80 or 443, and Cloudflare’s connection attempt is refused.

systemctl status nginx
systemctl status httpd  # for Apache on RHEL-family systems; the unit is apache2 on Debian/Ubuntu

If the service is stopped, check the error log for why it stopped and restart it:

systemctl start nginx
journalctl -u nginx --no-pager -n 50

Common reasons Nginx stops: a configuration syntax error after a change, a certificate file that was deleted or moved, a port conflict with another process, or the server running out of memory and the OOM killer terminating Nginx.

The server is offline. The server itself is down, rebooting, or unreachable. If you cannot SSH into the server, the issue is at the infrastructure level. Check your hosting provider’s status page or contact their support.

Firewall blocking port 80/443. A firewall rule is blocking inbound connections on the ports Cloudflare uses to reach your server. This can happen after a firewall rule change, a security hardening script that locks down ports too aggressively, or a cloud provider’s security group misconfiguration.

# Check if anything is listening on port 443
ss -tlnp | grep ':443'

# Check firewall rules
iptables -L -n | grep -E '80|443'

If ss shows nothing listening on 443, the web server is not running or is configured on a different port. If ss shows Nginx listening but iptables is blocking the port, the firewall needs adjustment.

Cloudflare is trying the wrong port. By default, Cloudflare connects to your origin on port 443 for HTTPS and port 80 for HTTP. If your origin server runs on a non-standard port, Cloudflare needs to be configured accordingly. Check the origin settings in your Cloudflare dashboard.

DNS pointing to the wrong IP. If the A record in Cloudflare points to an IP address that is not your server (an old IP from a previous host, a load balancer that was decommissioned, or a typo), Cloudflare is connecting to the wrong machine. Verify the IP in Cloudflare’s DNS settings matches your actual server IP:

# Check what IP the public internet resolves for your hostname
dig +short example.com @1.1.1.1

# With the proxy enabled this returns Cloudflare's edge IPs, not your origin.
# The origin IP is the A record, which is only visible in Cloudflare's DNS dashboard.

Server overloaded. If the server is under heavy load (CPU at 100%, memory exhausted, disk full), it may not be able to accept new connections even though the web server process is technically running. The TCP backlog fills up and new connections time out.

How to diagnose

Can you reach the server at all?

# Try to connect to the origin directly (bypassing Cloudflare's edge, but keeping the
# real hostname for SNI and certificate checks)
curl -I --connect-timeout 10 --resolve example.com:443:YOUR_SERVER_IP https://example.com/

If this times out, the server is unreachable from the internet. If it immediately refuses the connection, nothing is listening on port 443. If it returns a valid response, the origin is fine and the issue is Cloudflare’s configuration or DNS.

Check from the server itself. If you can SSH in:

# Is the web server running?
systemctl status nginx

# Is it listening on the right port?
ss -tlnp | grep -E ':80|:443'

# Is the server overloaded?
uptime
free -m
df -h

Check Cloudflare’s perspective. In the Cloudflare dashboard, go to Analytics & Logs > Instant Logs (or check the error analytics) to see exactly when the 521 errors started and whether they affect all requests or only some.

How to fix

  • Web server stopped: Restart it (systemctl start nginx), then check why it stopped and fix the root cause
  • Server offline: Contact your hosting provider or check your cloud provider’s console
  • Firewall blocking: Allow Cloudflare’s IP ranges on ports 80 and 443
  • Wrong DNS: Update the A record in Cloudflare’s DNS to your correct server IP
  • Server overloaded: Identify what is consuming resources (top, htop, iotop) and address it. A sudden spike in traffic, a runaway PHP process, or a full disk are common causes

Cloudflare SSL modes and how they cause 520/521

Cloudflare’s SSL/TLS encryption mode determines how Cloudflare connects to your origin. Misconfiguring this is one of the most common causes of both 520 and 521 errors.

Off: No encryption. Cloudflare connects to your origin over HTTP on port 80. If your origin forces HTTPS and redirects HTTP requests, Cloudflare may get caught in a redirect loop or receive a response it cannot process (520).

Flexible: Cloudflare serves HTTPS to visitors but connects to your origin over HTTP on port 80. This works if your origin does not have SSL configured, but it means traffic between Cloudflare and your origin is unencrypted. If your origin forces HTTPS, you get redirect loops. If your origin only listens on 443 and not 80, Cloudflare cannot connect (521).

Full: Cloudflare connects to your origin over HTTPS on port 443 but does not validate the certificate. This works with self-signed certificates and expired certificates. If your origin does not have SSL configured at all and nothing is listening on port 443, you get 521.

Full (Strict): Cloudflare connects over HTTPS on port 443 and validates the certificate. The certificate must be valid, not expired, and must cover the hostname. This is the most secure option and the one you should use if you have a valid SSL certificate (including Cloudflare’s free Origin CA certificates).

The most common misconfiguration: setting the SSL mode to “Full” or “Full (Strict)” when the origin does not have SSL configured. Cloudflare tries to connect on port 443, nothing is listening there, and you get 521. Either install SSL on the origin or change the mode to “Flexible” (less secure but functional).

When you see 520/521 without Cloudflare

If your site is not behind Cloudflare and you are seeing 520 or 521 errors, they are coming from a different source. Some other reverse proxies and CDNs use custom status codes in the 5xx range for similar purposes. Check which service sits in front of your origin and consult their documentation for what their specific status codes mean.

The standard HTTP specification does not define 520 or 521. They are unofficial extensions. The diagnostic approach is the same regardless: identify which layer is returning the error, check if the origin is reachable from that layer, and fix the connectivity or configuration issue.

Preventing 520 and 521 errors

Whitelist Cloudflare IPs proactively. When you first set up Cloudflare, add their IP ranges to your firewall’s allowlist before switching DNS. Cloudflare publishes their IP ranges and updates them periodically. Some hosting control panels have a Cloudflare integration that handles this automatically.

Use Cloudflare Origin CA certificates. Cloudflare provides free origin certificates that last 15 years. Install one on your server and set the SSL mode to “Full (Strict).” This eliminates SSL mismatch issues between Cloudflare and your origin.

Monitor your origin server independently. Do not rely on Cloudflare to tell you your origin is down. Set up a monitoring check that connects directly to your origin server’s IP (bypassing Cloudflare) so you know immediately when the origin goes down, not just when visitors start seeing 521 errors.
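The direct origin check from the 521 diagnosis section and this independent monitor are the same probe, so here is one added example (not from the original article) that runs it with curl and maps curl's exit status to the error class a visitor would see; the hostname and origin IP are placeholders you set yourself.

```shell
HOSTNAME_TO_CHECK="example.com"   # placeholder: your site's hostname
ORIGIN_IP="YOUR_SERVER_IP"        # placeholder: the A record behind Cloudflare

# --resolve forces the origin IP while keeping SNI/Host = the real hostname, so the
# TLS checks behave as they do on Cloudflare's own connection. Prints curl's exit status.
probe_origin() {   # args: hostname origin_ip
    curl -sS -o /dev/null --connect-timeout 10 --max-time 30 \
        --resolve "$1:443:$2" "https://$1/" >/dev/null 2>&1
    echo $?
}

# Map a curl exit status onto the article's error classes.
cf_error_for_exit() {
    case "$1" in
        0)     echo OK ;;        # origin answered: suspect Cloudflare config or DNS instead
        7|28)  echo 521 ;;       # 7 connection refused, 28 timeout: no TCP connection at all
        35|60) echo TLS ;;       # handshake or certificate failure: check SSL mode and origin cert
        52|56) echo 520 ;;       # 52 empty reply, 56 reset mid-transfer: crash, WAF or firewall
        *)     echo UNKNOWN ;;
    esac
}

describe_exit() {
    case "$1" in
        7)  echo "connection refused: nothing listening on 443 (web server stopped or wrong port)" ;;
        28) echo "timed out: host down, firewall dropping traffic, or server overloaded" ;;
        35) echo "TLS handshake failed: origin TLS configuration incomplete or version unsupported" ;;
        60) echo "certificate not trusted: expired or self-signed cert breaks Full (Strict)" ;;
        52) echo "empty reply: PHP-FPM crash or connection killed before any response" ;;
        56) echo "connection reset mid-response: firewall/WAF reset or worker died" ;;
        *)  echo "curl exit $1" ;;
    esac
}

# One monitoring run (for cron): log a timestamped line, exit non-zero on anything but OK.
monitor_once() {
    rc=$(probe_origin "$HOSTNAME_TO_CHECK" "$ORIGIN_IP")
    cls=$(cf_error_for_exit "$rc")
    printf '%s origin=%s class=%s detail=%s\n' "$(date -u +%FT%TZ)" "$ORIGIN_IP" "$cls" "$(describe_exit "$rc")"
    [ "$cls" = OK ]
}
```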

Keep PHP-FPM healthy. Most 520 errors on WordPress sites trace back to PHP-FPM problems. Monitor PHP-FPM worker utilization, watch for out-of-memory kills in the system log, and make sure pm.max_children is set appropriately for your server’s available memory. See What is PHP-FPM and how does it work for a detailed explanation of PHP-FPM tuning.

Set up fail2ban exceptions. If you use fail2ban for brute force protection (see brute force attacks on WordPress), make sure Cloudflare’s IP ranges are in the ignore list. Without this exception, a bot attack through Cloudflare can cause fail2ban to ban Cloudflare’s IP, which takes your entire site offline.
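Both the firewall allowlist and the fail2ban ignore list come from the same published range file, so here is one added example (not from the original article) that generates both from a saved copy of Cloudflare's IPv4 list and can tell you whether a banned IP actually belongs to the proxy; the ranges in sample_ranges are constructed RFC 5737 placeholders, not Cloudflare's real ranges.

```shell
CIDR_RE='^[0-9]+(\.[0-9]+){3}/[0-9]+$'   # accept only plain IPv4 CIDR lines

# iptables ACCEPT rules for 80/443 from each range; -I puts them ahead of any DROP rule.
gen_iptables_rules() {   # stdin: one CIDR per line (comments and blank lines ignored)
    grep -E "$CIDR_RE" | while read -r cidr; do
        printf 'iptables -I INPUT -p tcp -s %s -m multiport --dports 80,443 -j ACCEPT\n' "$cidr"
    done
}

# fail2ban jail.local ignoreip line, so bans can never land on the proxy ranges.
gen_fail2ban_ignoreip() {   # stdin: CIDRs
    printf 'ignoreip = 127.0.0.1/8 ::1'
    grep -E "$CIDR_RE" | while read -r cidr; do printf ' %s' "$cidr"; done
    printf '\n'
}

# Dotted-quad IPv4 -> 32-bit integer using shell arithmetic only.
ip_to_int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# True when IP $1 lies inside CIDR $2.
in_cidr() {
    bits=${2#*/}
    mask=$(( bits == 0 ? 0 : (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "${2%/*}") & mask )) ]
}

# Prints the first range in file $2 containing IP $1 (nothing if none). Run it on an
# IP fail2ban just banned to learn whether you banned Cloudflare itself.
matching_range() {
    grep -E "$CIDR_RE" "$2" | while read -r cidr; do
        if in_cidr "$1" "$cidr"; then echo "$cidr"; break; fi
    done
}

# Constructed stand-in for the downloaded cloudflare.com/ips file.
sample_ranges() {
    printf '# constructed sample, not real Cloudflare ranges\n192.0.2.0/24\n198.51.100.0/22\n\n'
}
```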

Quick reference

| Error | Meaning | Most common cause | First diagnostic step |
| --- | --- | --- | --- |
| 520 | Unknown error from origin | PHP-FPM crash or firewall blocking Cloudflare | Check origin error log and PHP-FPM status |
| 521 | Web server is down | Nginx/Apache not running or firewall blocking ports | systemctl status nginx and ss -tlnp |
| 520 intermittent | Occasional unknown response | Application timeout or resource exhaustion | Check PHP error log for timeouts and memory kills |
| 521 after DNS change | Cannot connect to origin | A record pointing to wrong IP | Verify IP in Cloudflare DNS settings |
| 520 after SSL change | Malformed response from origin | SSL mode mismatch between Cloudflare and origin | Check Cloudflare SSL/TLS mode vs origin SSL config |

For standard Nginx errors that you might see without Cloudflare in the chain, see 503 Service Temporarily Unavailable, 502 Bad Gateway, and 504 Gateway Timeout. For the full list of WordPress errors, see How to fix the most common WordPress errors.