A 521 error occurs because the origin web server refused the connection from Cloudflare. This means we tried to connect to your origin on port 80 or 443 but received a 'connection refused' error.
This commonly happens under two conditions:
The origin web server process (e.g. Apache or Nginx) isn't running, or has crashed. You should check that your web server is running normally. You may also wish to check your server's error logs to see what caused this. If you are not sure how to do this, or don't have access to your logs, your host should be able to advise you.
Something on the web server or hosting provider's network is blocking Cloudflare's requests. Since Cloudflare acts as a reverse proxy, all connections to your server come from a Cloudflare IP. Since the same amount of traffic now comes from a smaller number of IPs, server-side security solutions can mistake the increase in connections from this smaller set of IPs as an attack, when they are legitimate. This leads to some of our IPs being blocked or rate-limited.
It's a good idea to ensure that all of our IP ranges are whitelisted in your server's firewall or any security software that you might be running. Our IP ranges can be found here:
In my case I went to https://www.cloudflare.com/ips-v4 and obtained the CloudFlare IP addresses that should be whitelisted by my fail2ban configuration in /etc/fail2ban/jail.local, as per http://www.fail2ban.org/wiki/index.php/Whitelist
After adding those IP addresses to the ignoreip value, I restarted fail2ban with
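The ignoreip update described above can be scripted so that the downloaded list is validated before it reaches the whitelist. This is an added example, not part of the original post: the function names, the MIN_PREFIX floor and both sample inputs are assumptions made for illustration, and it assumes ignoreip sits on a single line in jail.local.

```python
import ipaddress
import re

# Constructed stand-in for the downloaded ips-v4 list (documentation ranges,
# not Cloudflare's real ones), plus two lines that must be rejected.
SAMPLE_RANGES = "198.51.100.0/24\n203.0.113.0/24\n0.0.0.0/0\n<html>error</html>\n"
# Constructed jail.local fragment.
SAMPLE_JAIL = "[DEFAULT]\nignoreip = 127.0.0.1/8 198.51.100.0/24\nbantime = 600\n"
MIN_PREFIX = 12  # assumption: refuse any range broader than a /12


def parse_ranges(text):
    """Return valid IPv4 CIDR strings; skip blanks, junk and overly broad ranges."""
    nets = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            net = ipaddress.ip_network(line, strict=True)
        except ValueError:
            continue  # e.g. an HTML error page saved instead of the list
        # A range such as 0.0.0.0/0 in ignoreip would exempt every client.
        if net.version == 4 and net.prefixlen >= MIN_PREFIX:
            nets.append(str(net))
    return nets


def merge_ignoreip(jail_text, ranges_text):
    """Append new ranges to the first ignoreip line, keeping existing entries."""
    new = parse_ranges(ranges_text)
    out, done = [], False
    for line in jail_text.splitlines():
        m = re.match(r"^(\s*ignoreip\s*=\s*)(.*)$", line)
        if m and not done:
            current = [c for c in re.split(r"[\s,]+", m.group(2)) if c]
            merged = current + [n for n in new if n not in current]
            line = m.group(1) + " ".join(merged)
            done = True
        out.append(line)
    if not done:
        raise ValueError("no ignoreip line found")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(merge_ignoreip(SAMPLE_JAIL, SAMPLE_RANGES), end="")
```

Review the merged line before writing it back to /etc/fail2ban/jail.local, since every range listed there is exempt from banning.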