
Cloudflare 522 Connection Timed Out Fix

Short answer. Error 522 means Cloudflare found your origin server but the TCP connection to it did not complete in time. Cloudflare waits for the origin and, getting no answer, returns 522. Causes: an overloaded or down origin, a firewall blocking Cloudflare IP ranges, an A record pointing to the wrong host, or a server that takes too long to establish connections. Start by confirming the origin responds when contacted directly.

What 522 is and where the break is

522 is a Cloudflare-level error, not your application's. The chain is: browser → Cloudflare → origin. On the last hop Cloudflare opens a TCP connection to your server and waits. If the connection is not established within the allotted time (the handshake never finishes), Cloudflare returns 522.

522 is a TCP connection timeout between Cloudflare and the origin. 504 is an application-response timeout. Don't confuse them: 522 means "couldn't reach the server," not "the server thought too long."

Five causes of 522

| Cause | Fix |
|---|---|
| Firewall blocks Cloudflare IPs | Allow the cloudflare.com/ips ranges in iptables/ufw/security group |
| Origin overloaded (no free workers) | Raise limits, check CPU/RAM, scale out |
| Web server not listening on the right port | Confirm nginx/Apache listens on 80/443 |
| Wrong A record (Cloudflare hits the wrong host) | Reconcile grey/orange cloud and the real origin IP |
| Keepalive too high / backlog too low | Server tuning, raise somaxconn |

Step 1. Test the origin directly

Bypass Cloudflare and hit the real origin IP:

# Find the real origin IP (from the DNS panel, grey cloud):
# say origin = 203.0.113.10

# Does the origin respond at all:
curl -Iv --resolve example.com:443:203.0.113.10 https://example.com

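# Plain TCP reachability to 443 (look for "Connected to" in the verbose output;
# a certificate name mismatch after that is expected when addressing the bare IP):
curl -Iv --connect-timeout 10 https://203.0.113.10

# Measure connect time (--resolve keeps the hostname, so the TLS handshake and request complete):
curl -o /dev/null -s -w "connect:%{time_connect} ttfb:%{time_starttransfer} total:%{time_total}\n" --resolve example.com:443:203.0.113.10 https://example.com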

If the origin does not respond even directly, the problem is not Cloudflare — it is your server or firewall.

Step 2. Open the firewall for Cloudflare

The most common cause is a firewall on the origin dropping Cloudflare IPs. Allow the official ranges:

# Get the current ranges:
curl -s https://www.cloudflare.com/ips-v4

# Example for ufw (repeat for each range):
sudo ufw allow from 173.245.48.0/20 to any port 443
sudo ufw allow from 103.21.244.0/22 to any port 443
# ... and the rest from the list

If you use fail2ban or a cloud security group, make sure the Cloudflare ranges are whitelisted. Banning one Cloudflare IP looks like a 522 to a subset of visitors.
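
The "repeat for each range" step above can be generated from the published list instead of typed by hand. The following is an added example, not code from the original article or from Cloudflare: it validates every line first, so an error page returned in place of the list never turns into firewall rules. The function names and the /8 minimum prefix length are assumptions.

```shell
# Added example, not from the original article. Reads IPv4 CIDR ranges on
# stdin and prints one ufw command per range for review; nothing is executed.
# The /8 minimum prefix length is an assumed safety margin.

# is_ipv4_cidr CIDR: succeed only for a.b.c.d/len, octets 0-255, len 8-32.
is_ipv4_cidr() {
  case $1 in
    "" | *[!0-9./]* | */*/*) return 1 ;;   # stray characters, e.g. HTML
    */*) ;;
    *) return 1 ;;                         # no prefix length
  esac
  ip=${1%/*} len=${1#*/}
  case $len in "" | ???*) return 1 ;; esac
  [ "$len" -ge 8 ] && [ "$len" -le 32 ] || return 1
  case $ip in *.*.*.*.*) return 1 ;; *.*.*.*) ;; *) return 1 ;; esac
  old_ifs=$IFS; IFS=.
  set -- $ip                               # split the address on dots
  IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    case $octet in "" | ????*) return 1 ;; esac
    [ "$octet" -le 255 ] || return 1
  done
}

# cf_ufw_rules PORT: all-or-nothing. One malformed line (or an empty list)
# fails the whole run, so a truncated or error response never yields rules.
cf_ufw_rules() {
  port=$1 rules="" count=0
  while IFS= read -r line || [ -n "$line" ]; do
    line=$(printf '%s' "$line" | tr -d '\r')   # tolerate CRLF line endings
    [ -n "$line" ] || continue
    if ! is_ipv4_cidr "$line"; then
      echo "refusing input, not an IPv4 CIDR: $line" >&2
      return 1
    fi
    rules="${rules}sudo ufw allow from $line to any port $port
"
    count=$((count + 1))
  done
  [ "$count" -gt 0 ] || { echo "refusing input, empty list" >&2; return 1; }
  printf '%s' "$rules"
}

# Usage against the live list (URL from the article), reviewed before running:
#   curl -fsS https://www.cloudflare.com/ips-v4 | cf_ufw_rules 443
```

The output uses the same rule form as the ufw commands above; read it before piping it to a shell.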

Step 3. Check origin load

  • Inspect CPU and RAM: top, htop, free -m.
  • Check whether nginx/PHP-FPM workers are exhausted (logs).
  • Raise net.core.somaxconn and backlog under high traffic.
  • Check connection limits in your hosting panel.

Step 4. Reconcile the A record

If the A record points to an old or wrong IP, Cloudflare contacts the wrong host and times out. Check the A record and confirm it points to the current origin.

How enterno.io helps

The enterno.io HTTP checker and SSL inspector diagnose whether the origin responds independently of Cloudflare, which immediately shows whose side the problem is on. Uptime monitoring at a 1-minute interval (30 seconds on higher plans) catches short 522s that a manual check misses, and multi-region checks (RU/EU/US) reveal whether the origin is down globally or only from one location. Alerts go to Telegram, Slack, email, and webhook. enterno.io warns; the Cloudflare and origin config is fixed by the owner.

FAQ

Is 522 Cloudflare's problem or mine?

Almost always yours: Cloudflare could not establish a connection to your origin. Test the origin directly with curl --resolve.

How is 522 different from 521?

521 (Web Server Is Down) means the origin actively refused the connection. 522 means the connection never established (timeout). 521 usually means "service not running," 522 means "firewall/overload/network."

Why does 522 appear intermittently?

Usually load spikes or an unstable firewall/fail2ban. Continuous monitoring at short intervals helps catch the moment.

Will raising the Cloudflare timeout help?

Paid plans have a timeout setting, but that treats the symptom. The root cause is a slow or unreachable origin.

Next step: Check the origin response with the HTTP checker, then the SSL inspector. See also diagnosing intermittent downtime and set up monitoring.
