Cloudflare 520-530 Errors: Complete Fix Guide
Cloudflare uses custom HTTP status codes in the 520-530 range to indicate problems between Cloudflare’s edge servers and your origin server. These errors are not part of the standard HTTP specification — they are Cloudflare-specific. This guide covers every Cloudflare error code, what causes it, and how to fix it.
Understanding Cloudflare Error Codes
When you see a 5xx error on a Cloudflare-protected site, it could be a standard HTTP error or a Cloudflare-specific one. Cloudflare errors always appear with a Cloudflare-branded error page that includes a “Ray ID” for debugging.
Error 520: Web Server Returned an Unknown Error
What It Means
The origin server returned an empty, unknown, or unexpected response to Cloudflare.
Common Causes
- Origin server crashed or returned an empty response
- Response headers exceed Cloudflare’s limit (32 KB)
- Origin returned a response without an HTTP status line
- PHP or application errors causing an empty response
Fix
```bash
# Test origin server directly (bypass Cloudflare)
curl -v --resolve example.com:443:ORIGIN_IP https://example.com

# Check if origin responds properly
curl -I http://ORIGIN_IP -H "Host: example.com"
```
Server-side fixes:
- Check application error logs
- Ensure the application returns valid HTTP responses
- Increase PHP `memory_limit` and `max_execution_time`
- Check that response headers are under 32 KB
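The three response-level causes above (empty response, missing status line, oversized headers) can be checked mechanically on a captured origin response. The script below is an added example, not part of the original guide: it classifies a raw HTTP response saved from `curl -sS -D - -o /dev/null http://ORIGIN_IP -H "Host: example.com"`, using the 32 KB header limit stated above. The sample responses it creates are constructed test input; the header byte count is approximate (one byte per character plus the line terminator).

```bash
# Added example (not from the guide): classify a raw HTTP response the way a
# 520 troubleshooter would, flagging the conditions the guide lists.
HEADER_LIMIT=32768   # 32 KB, the limit stated in the guide

# classify_response FILE -> prints one of: empty | no-status-line | headers-too-large | ok
classify_response() {
    local file="$1" first_line header_bytes
    if [ ! -s "$file" ]; then
        echo "empty"
        return 0
    fi
    # A valid response starts with "HTTP/<version> <3-digit status>"
    first_line=$(head -n 1 "$file" | tr -d '\r')
    case "$first_line" in
        HTTP/[0-9]*\ [1-5][0-9][0-9]*) ;;
        *) echo "no-status-line"; return 0 ;;
    esac
    # The header block ends at the first blank line; sum its bytes (approximate)
    header_bytes=$(awk '/^\r?$/ { exit } { n += length($0) + 1 } END { print n + 0 }' "$file")
    if [ "$header_bytes" -gt "$HEADER_LIMIT" ]; then
        echo "headers-too-large"
        return 0
    fi
    echo "ok"
}

# Constructed sample responses standing in for captured origin output
tmp=$(mktemp -d)
: > "$tmp/empty.txt"
printf 'HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html></html>' > "$tmp/ok.txt"
# A PHP fatal error dumped as HTML with no status line at all
printf '<html><body>Fatal error: Allowed memory size exhausted</body></html>' > "$tmp/nostatus.txt"
# A single debug header of 33,000 bytes pushes the header block past 32 KB
{ printf 'HTTP/1.1 200 OK\r\nX-Debug: '; head -c 33000 /dev/zero | tr '\0' 'a'; printf '\r\n\r\n'; } > "$tmp/bigheaders.txt"

for f in empty ok nostatus bigheaders; do
    printf '%s: %s\n' "$f" "$(classify_response "$tmp/$f.txt")"
done
```

Run it against a real capture by pointing `classify_response` at the file you saved from cURL; anything other than `ok` is a likely 520 cause on the origin side.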
Error 521: Web Server Is Down
What It Means
Cloudflare cannot establish a TCP connection to your origin server. The origin is refusing connections.
Common Causes
- Web server (Nginx/Apache) is not running
- Firewall blocking Cloudflare IPs
- Origin server is down
- Wrong origin IP in Cloudflare DNS settings
Fix
```bash
# Check if web server is running
systemctl status nginx
systemctl status apache2

# Check if port 80/443 is listening (anchored so 8080 or 4430 do not match)
ss -tlnp | grep -E ':(80|443) '

# Whitelist Cloudflare IP ranges in firewall
# Cloudflare IPv4: https://www.cloudflare.com/ips-v4
# Example with UFW:
ufw allow from 173.245.48.0/20 to any port 443
ufw allow from 103.21.244.0/22 to any port 443
# (Add all Cloudflare IP ranges)
```
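Adding every range by hand is error-prone, and a range that is missed shows up as intermittent 521s from whichever Cloudflare data center uses it. The script below is an added example, not part of the original guide: it turns a list of Cloudflare IPv4 ranges into UFW allow rules for ports 80 and 443 and checks an existing `ufw status` listing for ranges that have no rule. The range list and the `ufw status` output here are constructed samples (the first two ranges are the ones quoted above); in practice the list comes from the ips-v4 URL above, and the same treatment applies to the IPv6 list. The allow rules only restrict access to Cloudflare if the firewall's default incoming policy is deny, which is assumed here.

```bash
# Added example (not from the guide): build and verify UFW allow rules for
# Cloudflare's published IPv4 ranges.

# Constructed sample of the ips-v4 list; fetch the real one with
#   curl -s https://www.cloudflare.com/ips-v4 > cloudflare-ips-v4.txt
SAMPLE_RANGES='173.245.48.0/20
103.21.244.0/22
# comment lines and blank lines are ignored

103.22.200.0/22'

# ufw_rules_for RANGES_TEXT -> one "ufw allow" command per range per port, on stdout.
# Rules are printed, not executed; review them before piping to sh.
ufw_rules_for() {
    printf '%s\n' "$1" | while IFS= read -r range; do
        case "$range" in ''|'#'*) continue ;; esac
        for port in 80 443; do
            echo "ufw allow proto tcp from $range to any port $port comment 'cloudflare'"
        done
    done
}

# count_rules RANGES_TEXT -> number of rules that would be created
count_rules() {
    ufw_rules_for "$1" | wc -l | tr -d ' '
}

# missing_ranges RANGES_TEXT UFW_STATUS_TEXT -> ranges that do not appear anywhere
# in the "ufw status" output (a coarse presence check, one line per missing range)
missing_ranges() {
    printf '%s\n' "$1" | while IFS= read -r range; do
        case "$range" in ''|'#'*) continue ;; esac
        printf '%s\n' "$2" | grep -qF "$range" || echo "$range"
    done
}

# Constructed sample of "ufw status" output: the third range was never added
SAMPLE_UFW_STATUS='443/tcp  ALLOW  173.245.48.0/20
80/tcp   ALLOW  173.245.48.0/20
443/tcp  ALLOW  103.21.244.0/22'

ufw_rules_for "$SAMPLE_RANGES"
echo "rules to add: $(count_rules "$SAMPLE_RANGES")"
echo "ranges missing from firewall:"
missing_ranges "$SAMPLE_RANGES" "$SAMPLE_UFW_STATUS"
```

Run `missing_ranges` against `ufw status` output whenever Cloudflare publishes a change to its ranges; a non-empty result explains 521s that only some visitors see.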
Error 522: Connection Timed Out
What It Means
Cloudflare’s TCP handshake with the origin server timed out. The SYN packet was sent but no SYN-ACK was received within 15 seconds.
Common Causes
- Origin server overloaded
- Firewall dropping (not rejecting) packets from Cloudflare
- Incorrect origin IP in Cloudflare DNS
- Network routing issues between Cloudflare and origin
Fix
```bash
# Test TCP connectivity to origin
telnet ORIGIN_IP 443
nc -zv ORIGIN_IP 443

# Check server load
uptime
top -bn1 | head -5

# Look for DROP rules that could silently discard Cloudflare traffic
iptables -L -n | grep -i drop
```
Cloudflare dashboard fixes:
- Verify the origin IP in DNS settings is correct
- Check if “Proxy status” (orange cloud) is enabled
- Increase Origin Connection Timeout in Cloudflare settings
Error 523: Origin Is Unreachable
What It Means
Cloudflare could not reach the origin server at all. DNS resolution for the origin failed.
Common Causes
- Origin server DNS records are misconfigured
- Origin IP address has changed
- Origin server is completely offline
- ISP or hosting provider network outage
Fix
```bash
# Verify DNS resolution
dig example.com A
nslookup example.com

# Check if origin IP is reachable
ping ORIGIN_IP
traceroute ORIGIN_IP
```
Error 524: A Timeout Occurred
What It Means
Cloudflare made a TCP connection to the origin, but the origin did not return an HTTP response within 100 seconds (Enterprise: configurable up to 600 seconds).
Common Causes
- Long-running server processes
- Slow database queries
- Origin server processing a large request
- Application deadlock
Fix
```bash
# Identify slow processes on origin
ps aux --sort=-pcpu | head -10

# Check for slow database queries
mysql -e "SHOW FULL PROCESSLIST;" | grep -v Sleep
```
Solutions:
- Optimize slow application code and database queries
- Move long-running tasks to background workers
- Upgrade to Cloudflare Enterprise for longer timeout (up to 600s)
- Use Cloudflare Workers to handle timeout-prone endpoints
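Filtering out `Sleep` rows still leaves you reading the process list by eye. The script below is an added example, not part of the original guide: it reads the tab-separated output that `mysql -e "SHOW FULL PROCESSLIST;"` produces and lists only queries whose `Time` column is at or above a threshold, so that anything that has been running longer than Cloudflare's 100-second window stands out. The process list here is a constructed sample with the standard column layout (Id, User, Host, db, Command, Time, State, Info).

```bash
# Added example (not from the guide): pick out long-running queries from
# SHOW FULL PROCESSLIST output, since anything over 100 s will surface as a 524.

# sample_processlist -> constructed stand-in for: mysql -e "SHOW FULL PROCESSLIST;"
sample_processlist() {
    printf 'Id\tUser\tHost\tdb\tCommand\tTime\tState\tInfo\n'
    printf '12\tapp\t10.0.0.5:41230\tshop\tSleep\t300\t\tNULL\n'
    printf '13\tapp\t10.0.0.5:41231\tshop\tQuery\t127\tSending data\tSELECT * FROM orders o JOIN items i ON i.order_id = o.id WHERE o.created_at > NOW() - INTERVAL 30 DAY\n'
    printf '14\treport\t10.0.0.9:50012\tshop\tQuery\t640\tCopying to tmp table\tSELECT customer_id, COUNT(*) FROM events GROUP BY customer_id\n'
    printf '15\tapp\t10.0.0.5:41240\tshop\tQuery\t2\tNULL\tSELECT 1\n'
}

# long_running_queries THRESHOLD_SECONDS -> "Id<TAB>Time<TAB>Info" for every row whose
# Command is Query and whose Time is at least THRESHOLD_SECONDS; reads stdin
long_running_queries() {
    awk -F '\t' -v t="$1" 'NR > 1 && $5 == "Query" && $6 + 0 >= t { print $1 "\t" $6 "\t" $8 }'
}

# longest_query_time -> the largest Time among running queries; reads stdin
longest_query_time() {
    awk -F '\t' 'NR > 1 && $5 == "Query" && $6 + 0 > m { m = $6 + 0 } END { print m + 0 }'
}

# Cloudflare's non-Enterprise limit from the text above
CF_TIMEOUT=100

echo "queries at or over ${CF_TIMEOUT}s:"
sample_processlist | long_running_queries "$CF_TIMEOUT"
echo "longest running query: $(sample_processlist | longest_query_time)s"
```

On a live server, replace `sample_processlist` with the real `mysql -e` call; each row returned names a query that is already past the point where Cloudflare would have given up on the request.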
Error 525: SSL Handshake Failed
What It Means
The SSL/TLS handshake between Cloudflare and the origin server failed. Cloudflare could not negotiate a secure connection.
Common Causes
- Origin does not have a valid SSL certificate
- Origin does not support the SSL/TLS protocols Cloudflare uses
- SSL certificate on origin has expired
- Cloudflare SSL mode mismatch
Fix
```bash
# Check origin SSL certificate
openssl s_client -connect ORIGIN_IP:443 -servername example.com

# Check certificate expiry
echo | openssl s_client -connect ORIGIN_IP:443 -servername example.com 2>/dev/null | openssl x509 -noout -dates

# Check supported TLS versions
nmap --script ssl-enum-ciphers -p 443 ORIGIN_IP
```
Cloudflare dashboard fixes:
- Set SSL/TLS mode to “Full” (not “Full (Strict)”) if using a self-signed certificate; “Full” encrypts the connection to the origin but does not verify its certificate, so prefer an Origin Certificate with “Full (Strict)” where you can
- Install a Cloudflare Origin Certificate on your server
- Ensure origin supports TLS 1.2 or higher
Error 526: Invalid SSL Certificate
What It Means
Cloudflare could not validate the SSL certificate on the origin server. This only occurs when SSL mode is set to “Full (Strict).”
Common Causes
- Self-signed certificate on origin
- Expired SSL certificate
- Certificate does not match the hostname
- Missing intermediate certificates
Fix
```bash
# Install Cloudflare Origin Certificate (recommended)
# Generate in Cloudflare Dashboard > SSL/TLS > Origin Server

# Or install a proper certificate
certbot --nginx -d example.com

# Check certificate chain
openssl s_client -connect ORIGIN_IP:443 -servername example.com -showcerts
```
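The 525 and 526 sections above boil down to a few properties of the origin certificate: is it expired, does it match the hostname Cloudflare sends in SNI, and is the chain complete. The script below is an added example, not part of the original guide: it checks those properties on a PEM file with `openssl x509`, using `-checkend` for expiry and `-checkhost` for the hostname match. To run offline it generates a self-signed certificate for example.com that is valid for one day; on a real server, point `check_origin_cert` at the certificate file the web server serves (or at a `-showcerts` dump saved from the command above).

```bash
# Added example (not from the guide): check an origin certificate for the
# conditions that make Cloudflare's Full (Strict) mode reject it.

# check_origin_cert CERT_FILE HOSTNAME WARN_SECONDS
#   -> prints one of: expired | hostname-mismatch | expiring | ok
check_origin_cert() {
    local cert="$1" host="$2" warn="$3"
    # -checkend 0 exits non-zero if the certificate has already expired
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null; then
        echo "expired"; return 0
    fi
    # -checkhost matches HOSTNAME against the SAN entries (falling back to the CN)
    if openssl x509 -in "$cert" -noout -checkhost "$host" | grep -q "NOT match"; then
        echo "hostname-mismatch"; return 0
    fi
    # -checkend N exits non-zero if the certificate expires within N seconds
    if ! openssl x509 -in "$cert" -noout -checkend "$warn" >/dev/null; then
        echo "expiring"; return 0
    fi
    echo "ok"
}

# chain_length CHAIN_FILE -> number of PEM certificates in the file; a served chain of
# length 1 for a CA-issued certificate means the intermediates are missing (a 526 cause)
chain_length() {
    grep -c 'BEGIN CERTIFICATE' "$1"
}

# Constructed test material: a self-signed certificate for example.com, valid 1 day.
# Assumes OpenSSL 1.1.1 or newer for -addext.
tmp=$(mktemp -d)
cert_file="$tmp/origin.pem"
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$tmp/origin.key" -out "$cert_file" \
    -subj "/CN=example.com" -addext "subjectAltName=DNS:example.com" -days 1 2>/dev/null

WARN_7_DAYS=$((7 * 24 * 3600))
echo "example.com, no warning window: $(check_origin_cert "$cert_file" example.com 0)"
echo "example.com, 7-day warning:     $(check_origin_cert "$cert_file" example.com "$WARN_7_DAYS")"
echo "www.example.org:                $(check_origin_cert "$cert_file" www.example.org 0)"
echo "certificates in file:           $(chain_length "$cert_file")"
```

A result of `hostname-mismatch` or `expired` is exactly what Full (Strict) will refuse; `expiring` with a week's warning window is the cue to renew before the next 526 appears.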
Error 527: Railgun Error
What It Means
Indicates a problem with Cloudflare’s Railgun connection. Railgun is a WAN optimization technology that has been deprecated in favor of Argo Tunnel (now Cloudflare Tunnel).
Fix
- Check Railgun listener is running on origin
- Verify Railgun token matches between Cloudflare and origin
- Consider migrating to Cloudflare Tunnel (replaces Railgun)
Error 530: Origin DNS Error
What It Means
A DNS resolution error for the origin, reported together with a 1xxx error code. It is most often paired with a Cloudflare 1016 or 1034 error.
Fix
- Check your Cloudflare DNS records
- Ensure CNAME targets resolve correctly
- Verify the origin hostname is valid and resolvable
Quick Reference Table
| Error | Name | Most Likely Fix |
|---|---|---|
| 520 | Unknown Error | Check origin application logs |
| 521 | Server Down | Start web server, whitelist Cloudflare IPs |
| 522 | Connection Timed Out | Fix firewall, check server load |
| 523 | Origin Unreachable | Verify origin IP in DNS settings |
| 524 | Timeout | Optimize slow endpoints, increase timeouts |
| 525 | SSL Handshake Failed | Install valid SSL cert on origin |
| 526 | Invalid SSL Certificate | Install Cloudflare Origin Certificate |
| 527 | Railgun Error | Migrate to Cloudflare Tunnel |
| 530 | DNS Error | Fix DNS records in Cloudflare |
Debugging with Cloudflare Ray ID
Every Cloudflare error page includes a Ray ID. Use it to investigate:
- Log into Cloudflare Dashboard
- Go to Analytics & Logs > Instant Logs
- Filter by the Ray ID
- Review the request details, origin response, and timing
```bash
# Include CF-RAY in cURL response
curl -I https://example.com 2>&1 | grep -i "cf-ray"
```
FAQ
Are Cloudflare 5xx errors the same as standard HTTP 5xx errors?
No. Codes 520-530 are Cloudflare-specific and indicate issues between Cloudflare and your origin server. Standard 5xx codes (500, 502, 503, 504) can also pass through Cloudflare from your origin.
How do I bypass Cloudflare to test my origin directly?
Use cURL with `--resolve` to connect directly to your origin IP: `curl --resolve example.com:443:ORIGIN_IP https://example.com`
Can I customize Cloudflare error pages?
Yes. On Business and Enterprise plans, you can create custom error pages in the Cloudflare dashboard under Custom Pages.
Why do I see Cloudflare errors when my origin is working fine?
Cloudflare may not be able to reach your origin even when it works from other locations. Common causes include firewall rules blocking Cloudflare IPs or DNS misconfiguration in Cloudflare.