522 Connection Timed Out
HTTP 522 (Cloudflare)
Cloudflare couldn't establish a TCP connection to your origin server within 15 seconds.
What It Means
522 is a Cloudflare-specific error code. It means Cloudflare tried to connect to your origin server but couldn't establish a connection at all. This is different from a timeout waiting for a response (that's 524).
What happens:
User → Cloudflare → [Connection attempt to Origin] → No response → 522
Common Causes
- Origin server is down — Your server isn't running at all
- Firewall blocking Cloudflare — Your server's firewall is blocking Cloudflare's IP ranges
- Wrong origin IP in Cloudflare — DNS is pointing to the wrong server
- Port not open — Web server not listening on port 80/443
- Server overloaded — Can't accept new connections
- Network routing issues — Path between Cloudflare and origin is broken
How to Debug
- Check if origin is running — Can you access it directly (bypassing Cloudflare)?
- Check firewall rules — Are Cloudflare IPs allowed?
- Verify Cloudflare DNS settings — Is the origin IP correct?
- Check web server status — Is Nginx/Apache running?
- Test from multiple locations — Is it a regional network issue?
Allow Cloudflare IPs
Cloudflare publishes its IP ranges. Your firewall must allow these:
# Get current Cloudflare IPs
curl https://www.cloudflare.com/ips-v4
curl https://www.cloudflare.com/ips-v6
# UFW example (Ubuntu); IPv4 only, repeat with ips-v6 for IPv6
for ip in $(curl -s https://www.cloudflare.com/ips-v4); do
    sudo ufw allow from "$ip" to any port 443
done
# iptables example (run as root); -A appends, so re-running adds duplicate rules
for ip in $(curl -s https://www.cloudflare.com/ips-v4); do
    iptables -A INPUT -p tcp -s "$ip" --dport 443 -j ACCEPT
done
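The loops above pass whatever curl returns straight to the firewall, so an error page, an empty response or a `0.0.0.0/0` entry would produce broken or wide-open rules. As an added example (not from the original page), this POSIX sh script validates the list first and prints the iptables commands instead of applying them; the chain name `CF_ORIGIN` and the sample ranges are assumptions.

```shell
#!/bin/sh
# Added example, not from the original page. CF_ORIGIN is a hypothetical chain
# (created with `iptables -N` and jumped to from INPUT); sample data is constructed.

# valid_cidr4 CIDR: succeed only for a.b.c.d/n with octets 0-255 and 8 <= n <= 32.
# The body is a subshell, so IFS and the positional parameters stay local.
valid_cidr4() (
    case $1 in
        *[!0-9./]* | */*/* | *./* | .* | *..* ) return 1 ;;  # stray characters, bad shape
        */* ) ;;
        * ) return 1 ;;                                     # no prefix length
    esac
    ip=${1%/*} prefix=${1#*/}
    case $prefix in '' | *.* | ???* ) return 1 ;; esac
    # A /0 or similarly short prefix would open the port to everyone.
    [ "$prefix" -ge 8 ] && [ "$prefix" -le 32 ] || return 1
    IFS=.
    set -- $ip
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in '' | ????* ) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
)

# build_rules PORT < list: print one iptables command per range (dry run).
# Fails and prints nothing if the list is empty or any entry is malformed, so a
# failed or tampered download never reaches the firewall.
build_rules() {
    br_port=$1 br_out=''
    while IFS= read -r br_line || [ -n "$br_line" ]; do
        br_line=$(printf '%s' "$br_line" | tr -d '\r')
        [ -n "$br_line" ] || continue
        if ! valid_cidr4 "$br_line"; then
            printf 'list rejected, bad entry: %s\n' "$br_line" >&2
            return 1
        fi
        br_out="${br_out}iptables -A CF_ORIGIN -p tcp -s $br_line --dport $br_port -j ACCEPT
"
    done
    [ -n "$br_out" ] || { echo "list rejected, empty" >&2; return 1; }
    printf '%s' "$br_out"
}

# Constructed sample list (RFC 5737 documentation ranges, not Cloudflare's).
# Live use: curl -fsS https://www.cloudflare.com/ips-v4 | build_rules 443
printf '192.0.2.0/24\n198.51.100.0/24\n' | build_rules 443
```

Review the printed commands, then flush the dedicated chain and apply them as root; keeping the ranges in their own chain lets a refresh replace the old set without touching other INPUT rules.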
Quick Checks
# Check if web server is running
systemctl status nginx
systemctl status apache2
# Check if ports are open
ss -tlnp | grep -E ':80|:443'
netstat -tlnp | grep -E ':80|:443'
# Test connection to your origin directly
curl -v http://your-origin-ip/
curl -vk https://your-origin-ip/
# Check DNS (a proxied record resolves to Cloudflare IPs; the origin IP is set in the Cloudflare dashboard)
dig +short your-domain.com
522 vs Other Cloudflare Errors
Prevention
- Keep Cloudflare IPs allowlisted (they update their ranges occasionally)
- Monitor your origin server directly, not just through Cloudflare
- Set up health checks in the Cloudflare load balancer
- Use a failover origin if your primary goes down
- Subscribe to Cloudflare status updates
How to Monitor for 522 Errors
Monitor your origin server directly (bypassing Cloudflare) with UptimeSignal to catch outages before users see 522 errors. Also monitor the Cloudflare-fronted URL to detect CDN-layer issues. This dual approach pinpoints whether problems are at the origin or the proxy. See also: 504 Gateway Timeout, Connection Timeout.
Frequently Asked Questions
What causes a 522 Connection Timed Out error?
How do I fix a 522 error?
htop.
What is the difference between 522 and 524 errors?
How do I whitelist Cloudflare IPs?
ufw allow from CIDR to any port 443. For iptables: -A INPUT -s CIDR -p tcp --dport 443 -j ACCEPT. Update regularly as Cloudflare adds new ranges. Consider Authenticated Origin Pulls for additional security.
Is a 522 error caused by Cloudflare or my server?
curl -v https://your-origin-ip. If it works directly but fails through Cloudflare, check your firewall allows Cloudflare IPs.