
Resolved Fixing Error 521: Web server is down (plesk + cloudflare)

Ale

Current setup: DigitalOcean>Droplet>Plesk>Domain>WordPress

Cloudflare
- DNS
- A Domain IP, orange cloud
- CNAME www Domain, orange cloud
- Crypto > SSL > Full

A few times a day I am getting “Error 521 - Web server is down” when editing things inside WordPress; the site restores itself after some time.

Any ideas on how to fix that?
 
Are you running Web Application Firewall (ModSecurity) and Fail2Ban?

To me this sounds like you are getting blocked while editing WP. This is common: a false positive from ModSecurity, and you get banned by Fail2Ban.

It can't be WAF! I also had the same problem appearing randomly on some sites during the last month. I finally removed Cloudflare from the affected sites as I couldn't pinpoint what caused it.

According to Cloudflare: "A 521 error happens when we are unable to make a TCP connection to your origin server. Specifically, Cloudflare tried to connect to your origin server on port 80 or 443, but received a connection refused error. This is often caused by security or firewall software and happens if the origin server has directly refused Cloudflare’s proxy request."

WAF would return a 403 error or something after a successful connection! It can't refuse TCP connections. Also note that Apache is behind Nginx - it doesn't connect directly to the outer world.

When I had the same problem I checked everything! I checked all the logs (server logs and ModSecurity logs) and there was no trace of the connection/request. I also tried disabling the firewall and double-checked against the Cloudflare IP ranges to ensure that I don't block the incoming connection. I also checked Fail2Ban, but it blocked only connections on the SSH port and none of those was inside the Cloudflare IP range. So currently I think it could be a Cloudflare issue. :(
 
Yes, it can be WAF + Fail2Ban.

Disable the Fail2Ban and check the result.
Hi, it happened to me too. When I checked, Cloudflare was already listed in Fail2Ban by (ModSecurity).
So what I did was whitelist the Cloudflare IP. Now I don't get error 521.
 
I am having the same problems, not only error 521 but error 524 as well.

How can I whitelist all Cloudflare IPs in Plesk?

Will that make Fail2Ban "blind", or should Fail2Ban process real IPs from visitors (provided by Cloudflare)?
 
I'm having the same problem, is it safe to whitelist all Cloudflare IPs in Fail2Ban?
Is there any downside in terms of security?
 
I'm having the same problem, is it safe to whitelist all Cloudflare IPs in Fail2Ban?
Is there any downside in terms of security?
Yes
No
* You are trusting Cloudflare anyway, or you wouldn't use them.
* Any ban would overreach massively since you have no way to tell legit access from script kiddies.
If you don't like that, don't use Cloudflare, as the whole point is that all connections are proxied over their machines.
(You can, however, block almost all web access EXCEPT Cloudflare. But you should leave some way of access open in case Cloudflare is down or something.)
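
The check and the whitelist discussed in the posts above, as an added example that is not part of the original thread: it reads `fail2ban-client status <jail>` output, reports banned addresses that belong to Cloudflare, and builds the matching `ignoreip` line for `jail.local`. The status text is constructed, the jail name and log path in it are assumptions, and the ranges are a partial snapshot that should be refreshed from https://www.cloudflare.com/ips-v4.

```python
import ipaddress
import re

# Partial snapshot of Cloudflare's published IPv4 ranges (sample data only).
CLOUDFLARE_SAMPLE = ["173.245.48.0/20", "103.21.244.0/22", "141.101.64.0/18",
                     "108.162.192.0/18", "162.158.0.0/15", "104.16.0.0/13",
                     "172.64.0.0/13"]

# Constructed `fail2ban-client status <jail>` output; jail name and path assumed.
SAMPLE_STATUS = """\
Status for the jail: plesk-modsecurity
|- Filter
|  |- Currently failed: 1
|  |- Total failed:     42
|  `- File list:        /path/to/audit.log
`- Actions
   |- Currently banned: 4
   |- Total banned:     9
   `- Banned IP list:   162.158.90.12 203.0.113.77 172.68.10.5 198.51.100.23
"""

def banned_ips(status_text):
    """Return the addresses on the 'Banned IP list' line, skipping junk tokens."""
    m = re.search(r"Banned IP list:[ \t]*(.*)", status_text)
    ips = []
    for token in (m.group(1).split() if m else []):
        try:
            ips.append(ipaddress.ip_address(token))
        except ValueError:
            continue
    return ips

def banned_proxies(status_text, proxy_cidrs):
    """Map each banned address inside a proxy range to the range that holds it."""
    nets = [ipaddress.ip_network(c) for c in proxy_cidrs]
    hits = {}
    for ip in banned_ips(status_text):
        match = next((n for n in nets if n.version == ip.version and ip in n), None)
        if match is not None:
            hits[str(ip)] = str(match)
    return hits

def ignoreip_line(proxy_cidrs):
    """Build the Fail2Ban ignoreip setting that exempts the proxy ranges."""
    return "ignoreip = 127.0.0.1/8 ::1 " + " ".join(proxy_cidrs)

if __name__ == "__main__":
    for ip, net in banned_proxies(SAMPLE_STATUS, CLOUDFLARE_SAMPLE).items():
        print(f"{ip} is banned but belongs to Cloudflare range {net}")
    print(ignoreip_line(CLOUDFLARE_SAMPLE))
```

A hit means the ban applies to a proxy address shared by every visitor Cloudflare routes through it, which matches the intermittent 521 pattern reported in this thread.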
 
I had kind of the same issue: some images wouldn't load and returned a 521 error, and some JS files too. I have added all the IPs of Cloudflare to the whitelist of Fail2Ban and everything seems fine now... that was spooky.

Upd: Now my server started returning 521 for the whole website unpredictably. I switched off Fail2Ban and everything is OK. I can rely on my insane passwords and hidden login pages, I guess.
 
Try adding the following line to the nginx configuration:

proxy_hide_header Upgrade;

The error might be caused by invalid headers.
 