• We value your experience with Plesk during 2024
    Plesk strives to perform even better in 2025. To help us improve further, please answer a few questions about your experience with Plesk Obsidian 2024.
    Please take this short survey:

    https://pt-research.typeform.com/to/AmZvSXkx
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

Resolved Fixing Error 521: Web server is down (plesk + cloudflare)

Ale

New Pleskian
Current setup: DigitalOcean>Droplet>Plesk>Domain>Wordpress

Cloudflare
- DNS
- A Domain IP, orange cloud
- CNAME www Domain, orange cloud
- Crypto > SSL > Full

Few times a day I am getting “Error 521 - Web server is down” when editing things inside Wordpress, the site would restore itself after some time.

Any ideas on how to fix that?
 
Are you running Web Application Firewall (ModSecurity) and Fail2Ban?

To me this sounds like you are getting blocked while editing WP. This is common, False Positive from ModSecurity and get banned by Fail2Ban.

It can't be WAF! I also had the same problem appearing randomly in some sites during the last month. I finally removed Cloudflare from the affected sites as i couldn't pinpoint what caused it.

According to Cloudflare: "A 521 error happens when we are unable to make a TCP connection to your origin server. Specifically, Cloudflare tried to connect to your origin server on port 80 or 443, but received a connection refused error. This is often caused by security or firewall software and happens if the origin server has directly refused Cloudflare’s proxy request."

WAF would return a 403 error or something after a successful connection! It can't refuse TCP connections. Also note that Apache is behind Nginx - it doesn't connect directly to the outer world.

When i had the same problem i checked everything! I checked all the logs (server logs and ModSecurity logs) and there no trace of the connection/request. Also tried to disable firewall and double checked against the Cloudflare IP ranges to ensure that i don't block the incoming connection. I also checked Fail2Ban but it blocked only connections on SSH port and none of those was insede the Cloudflare IP range. So currently i think it could be a Cloudflare issue. :(
 
Yes, It can be WAF + Fail2Ban.

Disable the Fail2Ban and check the result.
Hi , it's happen to me too when i check cloudflare is already listed to failban by (ModSecurity)
So what i did is to whitelist Cloudflare IP , Now i don't get error 521
 
I am having the same problems, not only error 521 but error 524 as well

how can I whitelist all CloudFlare IPs in Plesk?


will that make fail2ban "blind" or should fail2ban process real IPs from visitors (provided by CloudFlare)
 
I'm having the same problem, is it safe to whitelist all Cloudflare IPs in Fail2Ban?
Is there any downside in terms of security?
 
I'm having the same problem, is it safe to whitelist all Cloudflare IPs in Fail2Ban?
Is there any downside in terms of security?
Yes
No
* You are trusting cloudflare anyway, or you wouldn't use them.
* Any ban would overreach massively since you have no way to tell legit access from scriptkiddies.
If you don't like that, don't use cloudflare as the whole point is that all connections are proxied over their machines.
(You can, however, block almost all web access EXCEPT cloudflare. But you should leave some way of access open in case cloudflare is down or something.)
 
I had kinda same issue, some images won't load and return 521 error, and some js-s. I have added all the IPs of Cloudflare to whitelist of Fail2ban and everything seems fine now.. that was spooky

Upd: Now my server start returning 521 for whole website unpredictably. I switch off fail2ban and everything is ok. I can rely on my insane passwords and hidden login pages I guess
 
Last edited:
Try adding the following line to nginx configuration:

proxy_hide_header Upgrade;

The error might be caused due to invalid headers.
 
Back
Top