Cloudflare error 522 is an error code indicating that a server cannot access the target webpage. The 522 code is also referred to as the connection timeout error.
This article explains what the error is, why it occurs, and how to fix the Cloudflare 522 error.
What is a 522 Error?
Cloudflare is a content delivery network (CDN) service that accelerates and secures website connections. However, when a website's origin server fails to respond within a certain timeframe, users encounter an error code called the Cloudflare 522 error. This error code is often accompanied by the message Connection timed out or Cloudflare error 522.
The 522 error occurs when the Transmission Control Protocol (TCP) handshake between Cloudflare and the origin web server of a website that uses Cloudflare as its CDN fails.
These are the steps in this three-way handshake:
1. Cloudflare initiates a connection request by sending a packet with the SYN (Synchronize) flag to the origin server.
2. The origin server receives the packet and acknowledges the connection request by sending the SYN-ACK packet to Cloudflare.
3. Cloudflare receives the SYN-ACK packet. To confirm the connection and complete the handshake, the CDN responds with a packet carrying the ACK (Acknowledgement) flag.
The ACK flag confirms that the handshake succeeded and that communication can continue.
However, if the origin server does not respond with SYN-ACK in time and the packet fails to reach Cloudflare, the CDN does not send the ACK signal, resulting in an unsuccessful handshake.
Cloudflare returns a 522 error to the user's browser, indicating that the connection has timed out and the server is unable to establish a connection with the website.
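The handshake outcomes described above can be observed from a machine outside the origin's network. The following is an added example, not code from the original article: `probe_once`, `summarize` and `probe` are hypothetical helper names, and the demo probes a local listener that stands in for the origin server.

```python
import socket
import time

def probe_once(host, port, timeout=3.0):
    """Try one TCP handshake with the origin and classify how it ended."""
    start = time.monotonic()
    try:
        with socket.create_connection((host, port), timeout=timeout):
            outcome = "connected"    # SYN, SYN-ACK and ACK all exchanged
    except socket.timeout:
        outcome = "timeout"          # no SYN-ACK arrived before the deadline
    except ConnectionRefusedError:
        outcome = "refused"          # host answered with RST: nothing listening
    except OSError:
        outcome = "unreachable"      # routing or name-resolution failure
    return outcome, round(time.monotonic() - start, 3)

def summarize(outcomes):
    """Map a series of probe outcomes to the likely handshake problem."""
    if not outcomes:
        return "no probes were run"
    timeouts = outcomes.count("timeout")
    if timeouts == len(outcomes):
        return "every SYN unanswered: origin offline or a firewall drops packets"
    if timeouts:
        return "intermittent timeouts: overloaded origin or lossy route"
    if all(o == "connected" for o in outcomes):
        return "handshake completes from this vantage point"
    return "no timeout seen: port closed or host unreachable, not a slow handshake"

def probe(host, port, attempts=3, timeout=3.0):
    """Run several handshake attempts and return the outcomes with a verdict."""
    outcomes = [probe_once(host, port, timeout)[0] for _ in range(attempts)]
    return outcomes, summarize(outcomes)

if __name__ == "__main__":
    # Offline demo: a local listener stands in for the origin server.
    with socket.socket() as listener:
        listener.bind(("127.0.0.1", 0))
        listener.listen(5)
        print(probe("127.0.0.1", listener.getsockname()[1]))
```

A result of repeated timeouts from outside the network, while the same probe succeeds on the server itself, points at packet filtering rather than at the web server process.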
What Causes a 522 Error?
The unsuccessful handshake is the root cause of error 522. However, the server's slow response can have various reasons. The most common causes of the 522 error are:
- Slow or unstable internet. Network connectivity issues and latency are caused by incorrect DNS settings, issues with the client's Internet Service Provider (ISP), or a blocked/limited connection by the client's firewall or other security software.
- Server overload. If the server is experiencing high traffic or undergoing maintenance or updates, a timely response to the client's request is unlikely.
- Offline server. The server won't complete the TCP handshake with the client if it's offline or unresponsive due to misconfiguration.
- SSL certificate issues. When an SSL certificate is expired, invalid, or revoked, the browser does not trust it, and as a result, does not establish a secure connection with the server.
- Routing problems. If the traffic is being routed through an unreliable or congested network, the handshake fails.
How to Fix a 522 Error?
The first step in fixing the 522 error is to see whether the website is down for everyone and to check the Cloudflare system status page. However, if the website is working and the problem persists, website owners can troubleshoot and fix the issue in several ways.
The following sections present common steps to take to resolve the 522 error.
Step 1: Optimize the Origin Server
The origin server, which hosts the website, is crucial in delivering content to visitors. Server overloading leads to slow or unresponsive servers, causing the 522 error. Optimize the origin server and increase its capacity to address overloading by completing this checklist:
- Check the server's CPU and memory usage. Upgrade to a higher capacity server or add more resources to the existing one if the server is overloaded.
- Use software like Apache or NGINX to optimize the server performance and allow it to handle a large number of requests without slowing down.
- Monitor network bandwidth and web traffic to identify potential bottlenecks. Different online tools provide data on website usage, page load times, and other metrics and help pinpoint where traffic is slowing down.
- Review and optimize database queries.
- Reduce the size of website files, images, and scripts.
- Monitor the network connection between the origin server and Cloudflare to ensure that the server is accessible from Cloudflare's network.
- Configure a load balancer correctly to ensure the balancer is able to handle traffic spikes.
Step 2: Check the Firewall Settings
Firewalls sometimes block traffic from Cloudflare, which causes the 522 error. To prevent this, check whether you can reach the website from outside the network. Try accessing the website from a different network or use an online tool to check the accessibility. If the website is restricted, then the firewall is blocking traffic from Cloudflare.
Moreover, make sure any third-party firewall is configured correctly. Whitelisting Cloudflare IPs in the firewall settings prevents your firewall from blocking Cloudflare traffic. Cloudflare provides a list of IP addresses and ranges to add to the firewall's whitelist to allow Cloudflare traffic.
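One way to confirm that the origin firewall is dropping Cloudflare traffic is to match dropped connection attempts in the firewall log against the allowlisted ranges. This is an added example, not part of the original article; the log lines, the FW-DROP prefix and the function name are constructed, and the ranges are documentation placeholders rather than the ranges Cloudflare publishes.

```python
import ipaddress
import re
from collections import Counter

# Placeholder ranges (RFC 5737 documentation networks), NOT Cloudflare's real
# ranges: load the list Cloudflare publishes in their place.
EDGE_RANGES = ["192.0.2.0/24", "198.51.100.0/24"]

# Constructed, simplified iptables LOG-style lines; "FW-DROP" is a hypothetical
# log prefix set on the rule that drops packets.
SAMPLE_LOG = """\
Jan 10 12:00:01 origin kernel: FW-DROP IN=eth0 SRC=192.0.2.15 DST=10.0.0.5 PROTO=TCP SPT=41822 DPT=443 SYN
Jan 10 12:00:02 origin kernel: FW-DROP IN=eth0 SRC=203.0.113.9 DST=10.0.0.5 PROTO=TCP SPT=51000 DPT=22 SYN
Jan 10 12:00:03 origin kernel: FW-DROP IN=eth0 SRC=198.51.100.77 DST=10.0.0.5 PROTO=TCP SPT=40110 DPT=80 SYN
Jan 10 12:00:04 origin kernel: FW-DROP IN=eth0 SRC=192.0.2.200 DST=10.0.0.5 PROTO=TCP SPT=40111 DPT=443 SYN
Jan 10 12:00:05 origin kernel: FW-DROP IN=eth0 SRC=192.0.2.15 DST=10.0.0.5 PROTO=UDP SPT=5353 DPT=53
Jan 10 12:00:06 origin kernel: FW-DROP IN=eth0 SRC=not-an-ip DST=10.0.0.5 PROTO=TCP SPT=1 DPT=443 SYN
"""

LINE_RE = re.compile(r"FW-DROP .*?SRC=(\S+) .*?PROTO=TCP .*?DPT=(\d+)\b.*\bSYN\b")

def dropped_edge_syns(log_text, ranges, web_ports=(80, 443)):
    """Count dropped TCP SYNs to web ports per allowlisted source network."""
    networks = [ipaddress.ip_network(r) for r in ranges]
    hits = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or int(m.group(2)) not in web_ports:
            continue
        try:
            src = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue  # malformed source field, skip the line
        for net in networks:
            if src.version == net.version and src in net:
                hits[str(net)] += 1
                break
    return dict(hits)

if __name__ == "__main__":
    print(dropped_edge_syns(SAMPLE_LOG, EDGE_RANGES))
```

Any non-empty result means the firewall is discarding handshake attempts from ranges that should be allowed, so the allow rule is missing, incomplete or ordered after the drop rule.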
Step 3: Customize DNS/IP Settings
1. Click the DNS tab.
2. Review the Address Record (A Record) to ensure that the IP addresses on both the hosting servers and Cloudflare are the same. Different IP addresses are a possible 522 error cause.
3. If the A records are different, find the A record with the incorrect IP address.
4. Click the pencil icon to edit the record.
5. Enter the correct IP.
6. Click Save.
Step 4: Check for SSL Certificate Issues
A valid and up-to-date SSL certificate is essential to prevent the Cloudflare 522 error. The padlock icon in the browser's address bar provides a quick indication of whether a website uses a valid SSL certificate.
Select the Connection is secure option to confirm that the certificate is valid.
However, the padlock does not offer exhaustive information about the certificate's expiration date or any other issues behind the 522 error. To get more details about the SSL certificate, use an online SSL Checker tool and look for:
- Expired certificates.
- Certificate chain errors with a missing or incorrect intermediate certificate.
- Mismatched certificates that don't match the website domain name or hostname.
Renew the certificate with the certificate authority or install the correct one to fix these issues.
Other issues, such as weak cipher suites or incorrect SSL configuration, require editing the SSL file.
Step 5: Turn on KeepAlive
KeepAlive is a header that maintains a constant connection between a client and a server. Both Cloudflare and the origin web server use KeepAlive.
Cloudflare employs the KeepAlive header to maintain an open HTTP connection between a client and a server for a longer period. This process enhances performance and reduces the number of times the client needs to reestablish a connection.
On the origin server, KeepAlive is enabled by default. However, if the header is disabled, the 522 error occurs due to connection failure.
To fix error 522, adjust the KeepAlive setting in the web server's configuration file, by adding the following:
For example, the Apache configuration file in Ubuntu is located at /etc/apache2/apache2.conf. To turn on KeepAlive, access the terminal and follow these steps:
1. Open the Apache configuration file in Vim or another text editor:
sudo vim /etc/apache2/apache2.conf
2. Search for the KeepAlive line in the file. If the line is not there, add the following:
4. Restart the Apache service to apply the changes:
sudo service apache2 restart
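The search-and-add procedure above can be scripted so that it is repeatable across servers. This is an added example, not from the original article: the function names and sample configuration are constructed, and it assumes a single configuration file, ignoring Include files and per-VirtualHost overrides.

```python
import re

# Matches an active (uncommented) KeepAlive line; Apache directive names are
# case-insensitive, and KeepAliveTimeout must not match.
KEEPALIVE_RE = re.compile(r"^(\s*)KeepAlive\s+(\S+)\s*$", re.IGNORECASE)

# Constructed apache2.conf excerpt, not taken from a real server.
SAMPLE_CONF = """\
# KeepAlive On
Timeout 300
keepalive Off
MaxKeepAliveRequests 100
KeepAliveTimeout 5
"""

def effective_keepalive(conf_text):
    """Return 'on' or 'off' as set by the last active KeepAlive line."""
    state = "on"  # Apache's default when the directive is absent
    for line in conf_text.splitlines():
        m = KEEPALIVE_RE.match(line)
        if m:
            state = m.group(2).lower()
    return state

def enable_keepalive(conf_text):
    """Switch every active KeepAlive line to On, or append one if none exists."""
    out, seen = [], False
    for line in conf_text.splitlines():
        m = KEEPALIVE_RE.match(line)
        if m:
            seen = True
            line = f"{m.group(1)}KeepAlive On"  # keep the original indentation
        out.append(line)
    if not seen:
        out.append("KeepAlive On")
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    print("before:", effective_keepalive(SAMPLE_CONF))
    print("after: ", effective_keepalive(enable_keepalive(SAMPLE_CONF)))
```

The rewrite is idempotent and leaves commented lines and the related KeepAliveTimeout and MaxKeepAliveRequests directives untouched.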
Step 6: Check the Cloudflare Configuration
Review the Cloudflare configuration to ensure that it is set up correctly and that no issues are causing the 522 error.
To accomplish this, check DNS, SSL, and firewall settings. Additionally, verify that the origin server is configured properly and responding to HTTP requests.
Step 7: Enable Cloudflare's Under Attack Mode
If the issues persist even after following the steps above, enable the Cloudflare Under Attack mode. This security feature enhances the protection against DDoS (Distributed Denial of Service) attacks and helps mitigate the 522 error. The Under Attack mode blocks malicious traffic and prevents it from reaching the origin server, which reduces the response time.
While there are several ways to enable Under Attack mode, the easiest one is through the Quick Actions section. After logging into the Cloudflare account, follow these steps:
1. Choose the website for which you want to enable the Under Attack mode.
2. Navigate to the menu at the top of the page.
3. Select the Overview tab.
4. Scroll down to the Quick Actions section.
5. Click the DNS Settings tab.
6. Toggle the I'm Under Attack switch.
Step 8: Contact Cloudflare Support
Get in touch with Cloudflare Support if all the other options fail. To access the Support options, choose Support from the top menu and click Contact Cloudflare.
Cloudflare offers two support options. The Live chat option is limited to Business and Enterprise accounts only. However, Support tickets are available for everyone.
After reading this article, you know how to fix the Cloudflare 522 error.