
Cloudflare 520–526 Errors Explained: Causes and Fixes

Webalert Team
June 23, 2026

You put Cloudflare in front of your site, and one day visitors start seeing a branded error page: "Web server is returning an unknown error" with a big 520, or "Connection timed out" with a 522. These aren't the standard 500/502/503/504 errors your application generates — they're Cloudflare-specific codes in the 520–526 range, and they all mean the same broad thing: Cloudflare couldn't get a good response from your origin server. The visitor sees a Cloudflare page, but the problem is almost always behind it, at your origin or in the network between.

This guide explains what each of the 520–526 codes means, the most common causes, and how to diagnose and fix them.


Why Cloudflare Has Its Own 5xx Codes

When you proxy your site through Cloudflare, every request goes visitor → Cloudflare → your origin server → Cloudflare → visitor. Cloudflare needs a way to tell you which leg failed. A normal 502 or 503 is a response your origin (or a proxy) generated. The 52x codes are different: they're generated by Cloudflare itself when it tried to reach your origin and something went wrong — the origin was unreachable, too slow, dropped the connection, or presented a broken TLS certificate.

That distinction matters for debugging: a 52x error almost never means Cloudflare is down. It means Cloudflare is up and telling you it couldn't talk to your origin properly. The fix is at the origin or in the path to it.


What Each Code Means

520 — Web server returns an unknown error. A catch-all. Cloudflare got an empty, unexpected, or malformed response from your origin — a connection reset, no response at all, or a response that violates HTTP. Often caused by the origin crashing, killing the connection, or returning too-large headers.

521 — Web server is down. Cloudflare's connection to your origin was refused. The server actively rejected it — the web server process is stopped, the port isn't listening, or a firewall is blocking Cloudflare's IPs. (This is the connection refused case, surfaced through Cloudflare.)

522 — Connection timed out. Cloudflare opened a connection but the origin didn't complete the TCP handshake in time. Usually a firewall dropping packets, an overloaded server too busy to accept connections, or Cloudflare's IP ranges not allowed through.

523 — Origin is unreachable. Cloudflare can't route to your origin at all — typically a bad DNS record pointing at the wrong IP, or a network/routing problem between Cloudflare and the host.

524 — A timeout occurred. Cloudflare connected and sent the request, but the origin didn't return a complete response within the timeout (100 seconds on most plans). The classic sign of a long-running request — a slow query, a heavy report, or a stuck process. The connection was fine; the work took too long.

525 — SSL handshake failed. Cloudflare couldn't complete the TLS handshake with your origin. Misconfigured or missing origin certificate, a cipher mismatch, or an SSL mode in Cloudflare (Full / Full Strict) that your origin can't satisfy.

526 — Invalid SSL certificate. Cloudflare reached your origin over TLS but couldn't validate its certificate — expired, self-signed, wrong hostname, or an incomplete chain — while in Full (Strict) mode.


How to Diagnose and Fix Them

Group the codes by which leg failed and the fixes follow naturally:

  • 521, 522, 523 (can't connect / reach): Confirm your origin web server is running and listening on the right port. Make sure your firewall and security groups allow Cloudflare's IP ranges. Check that your DNS records point at the correct origin IP. Verify the server isn't so overloaded it can't accept new connections.
  • 524 (connected but too slow): This is a performance problem, not a connectivity one. Find the slow endpoint (a long database query, an external API call, or a stuck worker) and make it finish faster, or move the long-running work off the request path entirely and into a background job.
  • 520 (unknown): Check origin server logs for crashes, killed processes, or oversized headers. Disable any module that might be returning malformed responses, and look for the origin resetting connections under load.
  • 525, 526 (TLS): Ensure your origin has a valid, unexpired certificate with a complete chain, matching the hostname. Confirm your Cloudflare SSL/TLS mode matches what the origin can serve — and keep an eye on certificate expiry so 526s don't appear the day a cert lapses.

The common thread: the visitor sees Cloudflare, but the fault is at your origin or the path to it. Always start your investigation there.
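An added example (not from the original article, and not Cloudflare's code): a probe that connects straight to the origin IP, bypassing the proxy, and reports which phase failed along with the 52x code this guide pairs with that failure. The phase-to-code mapping follows the grouping above and only approximates Cloudflare's own decision logic; `classify`, `probe_origin`, and the connect timeout value are assumptions of the example.

```python
import errno
import socket
import ssl

UNREACHABLE = {errno.ENETUNREACH, errno.EHOSTUNREACH}
TIMEOUTS = (socket.timeout, TimeoutError)

def classify(phase, exc):
    """Map a failure in one probe phase to the 52x code this guide pairs with it."""
    if phase == "connect":
        if isinstance(exc, ConnectionRefusedError):
            return 521                      # port closed or actively rejected
        if isinstance(exc, TIMEOUTS):
            return 522                      # packets dropped or server too busy
        if isinstance(exc, OSError) and exc.errno in UNREACHABLE:
            return 523                      # no route to the origin IP
    elif phase == "tls":
        # SSLCertVerificationError subclasses SSLError, so test it first.
        if isinstance(exc, ssl.SSLCertVerificationError):
            return 526                      # expired, self-signed, wrong name, bad chain
        return 525                          # the handshake itself failed
    elif phase == "response" and isinstance(exc, TIMEOUTS):
        return 524                          # connected, but the work took too long
    return 520                              # catch-all: reset, empty or malformed

def probe_origin(ip, hostname, port=443, use_tls=True,
                 connect_timeout=15, read_timeout=100):
    """Return (code, detail); code is None when the origin answered with HTTP.
    connect_timeout is an assumed value; read_timeout is the article's 100 s."""
    phase, sock = "connect", None
    try:
        sock = socket.create_connection((ip, port), timeout=connect_timeout)
        if use_tls:
            phase = "tls"
            # Default context checks chain and hostname, like Full (Strict).
            sock = ssl.create_default_context().wrap_socket(sock, server_hostname=hostname)
        phase = "response"
        sock.settimeout(read_timeout)
        sock.sendall(f"HEAD / HTTP/1.1\r\nHost: {hostname}\r\nConnection: close\r\n\r\n".encode())
        status_line = sock.recv(4096).split(b"\r\n", 1)[0]
        if not status_line.startswith(b"HTTP/1."):
            return 520, f"empty or malformed response: {status_line!r}"
        return None, status_line.decode("latin-1")
    except OSError as exc:
        return classify(phase, exc), f"{phase}: {exc!r}"
    finally:
        if sock is not None:
            sock.close()
```

Run it from a host whose source IP the origin firewall treats the same way as Cloudflare's ranges; otherwise a 521 or 522 result may reflect the firewall rule for your own address rather than the one Cloudflare hits.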


How Webalert Helps

Cloudflare's 52x page tells a visitor something broke, but it won't page you, and it won't tell you which origin is failing or for how long. That's where outside-in monitoring comes in:

  • Catch 52x errors the moment they appear, from outside your network, so you find out before customers do instead of from a support ticket.
  • Distinguish "Cloudflare can't reach origin" from a genuine app error by monitoring both the public URL and origin health, narrowing the failed leg fast.
  • Certificate expiry alerts that warn you days ahead, so a lapsed origin cert never turns into a wave of 525/526 errors.
  • Latency tracking that surfaces the creeping slow responses which eventually become 524 timeouts — early warning before the cliff.
  • Confirmation of recovery once you've fixed the origin, verifying real requests succeed again.

Webalert can't restart your origin, but it tells you the instant Cloudflare starts throwing 52x — and which side of the proxy to look at.


Summary

Cloudflare's 520–526 errors are generated by Cloudflare when it can't get a proper response from your origin — they almost never mean Cloudflare itself is down. 521/522/523 are connectivity failures (server down, connection timed out, origin unreachable): check that the origin is running, Cloudflare's IPs are allowed, and DNS points to the right place. 524 is the origin connecting fine but responding too slowly — a performance problem to fix by speeding up or backgrounding long work. 520 is a catch-all for malformed or empty origin responses. 525/526 are TLS failures — fix the origin certificate, chain, and Cloudflare SSL mode.

In every case the visitor sees a Cloudflare page but the fault is behind it, so debug at the origin. Pair Cloudflare with outside-in monitoring so you catch 52x errors immediately, know which leg failed, and get warned about the slow responses and expiring certificates that cause them.

