
You click on a site and get a white page with “Error 522: Connection timed out.” Your origin server is alive, your code hasn’t changed, and nothing in your deploy pipeline looks wrong. Yet Cloudflare insists it can’t reach your box.
Error 522 is an HTTP status code specific to Cloudflare. It fires when Cloudflare’s edge network tries to establish a TCP connection with your origin server and the handshake fails within roughly 15 seconds. The request never makes it past the front door. No data is exchanged, no headers are read, and the visitor sees a generic error page.
The good news: the fix almost always lives on your side of the fence. Cloudflare rarely causes this one. Here’s what to check and how to fix it.
| Error code | 522 |
| Error type | Server error (connection timeout) |
| Error variation | Connection timed out |
| Common causes | Server overload, firewall blocking Cloudflare IPs, incorrect DNS, KeepAlive disabled |
What Causes Cloudflare Error 522
Six things can break that TCP handshake between Cloudflare and your origin server. Most of them are mundane. All of them are fixable.
Server overload. Your box is drowning in requests. CPU pegged, RAM full, no free workers to accept new connections. This is the single most common cause, especially on shared hosting when a traffic spike hits. Cloudflare knocks, nobody answers.
Server offline. The origin server is down. Crashed, rebooting, stuck in maintenance mode. If the machine isn’t listening on port 80 or 443, the connection timeout is inevitable.
Firewall blocking Cloudflare IPs. Your firewall, hosting provider’s network rules, or a security plugin is dropping packets from Cloudflare’s IP ranges. Because Cloudflare acts as a reverse proxy, all inbound traffic comes from their IP addresses, not your visitors’. If those IPs aren’t whitelisted, you’ve locked out every single user.
Incorrect DNS settings. The A record (or AAAA record) in your Cloudflare DNS zone points to the wrong IP. Maybe you migrated servers and forgot to update it. Cloudflare faithfully sends requests to an IP that either doesn’t exist or belongs to someone else.
Network issues. Routing problems between Cloudflare’s edge and your hosting provider’s network. Packet loss, BGP misconfigurations, or an upstream provider having a bad day. You can’t always fix this, but you can confirm it.
KeepAlive disabled. Cloudflare expects persistent TCP connections via HTTP KeepAlive headers. If your server closes the connection after every single request, some of those reconnection attempts will time out. It’s not always the root cause on its own, but it makes every other problem worse.
The pattern is clear: the problem sits on your origin server’s side almost every time. Not Cloudflare, not the visitor’s browser.
How to Fix Error 522 Connection Timed Out
Three areas to check, in order. Start with the most common cause and work down.
Before you touch anything, run a quick sanity check. Hit your site through a tool like Uptrends or check Downdetector to confirm the site is actually down for everyone, not just you. Then verify Cloudflare’s own status page (cloudflarestatus.com) isn’t reporting an incident. If Cloudflare itself is having problems, there’s nothing to fix on your end.
Check If the Web Server Is Working
This is where most error 522 problems live. Your origin server is either offline or so overloaded it can’t accept new connections.
Start with a simple connectivity test. SSH into another machine (or use your local terminal) and ping your server’s IP directly:
ping 203.0.113.50
If you get no response, the server is unreachable. Try a traceroute to see where packets are dying:
traceroute 203.0.113.50
If the server responds to ping, the next question is whether it’s overloaded. Check your resource usage:
- CPU usage: keep it under 80%. Once you’re above that, request queuing starts and connection timeouts follow.
- RAM usage: if you’re swapping to disk, everything slows to a crawl.
- Running processes: look for runaway scripts, zombie processes, or cron jobs stacking up.
- I/O throughput: disk saturation kills performance just as fast as CPU.
If you’re hitting resource limits, three options:
- Strip out unnecessary plugins, scripts, or cron jobs that are hogging resources.
- Optimize your code. That one unindexed database query running on every page load? Fix it.
- Upgrade your hosting plan. If you’re on shared hosting and you’ve outgrown the box, it’s time for a VPS or dedicated server.
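A reply to ping only proves ICMP reachability, while a 522 is about the TCP handshake on the web ports. The following added example (not from the original article) attempts that handshake directly and classifies the result. The function names and the 5-second demo timeout are assumptions of the example, and a probe from your own machine shows what your IP sees, not what Cloudflare's addresses see.

```python
import errno
import socket

# What each handshake outcome corresponds to in the errors this page describes.
HINTS = {
    "open": "handshake completed; if visitors still see 522, look for firewall "
            "rules that drop Cloudflare's source ranges specifically",
    "refused": "port actively rejected the connection (what Cloudflare reports as 521)",
    "timeout": "no answer to the SYN before the deadline (what Cloudflare reports as 522)",
    "unreachable": "no route to the address; check the IP in the A record",
}

def probe_origin(host, port=443, timeout=15.0):
    """Attempt one TCP handshake with the origin and classify the result."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except (socket.timeout, TimeoutError):
        return "timeout"
    except ConnectionRefusedError:
        return "refused"
    except OSError as exc:
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "unreachable"
        raise  # DNS failure or local socket error: surface it unchanged

def diagnose(host, ports=(80, 443), timeout=15.0):
    """Probe each web port and return {port: (state, hint)}."""
    report = {}
    for port in ports:
        state = probe_origin(host, port, timeout)
        report[port] = (state, HINTS[state])
    return report

if __name__ == "__main__":
    # 203.0.113.50 is the page's placeholder address; use your origin's real IP.
    for port, (state, hint) in diagnose("203.0.113.50", timeout=5.0).items():
        print(f"port {port}: {state} - {hint}")
```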
Review Cloudflare DNS Settings
When you onboard a domain to Cloudflare, it imports your DNS records. The A record is the one that matters here: it maps your domain to your server’s IP address. If this record points to the wrong IP, Cloudflare sends every request into a void.
First, find your server’s actual IP address. Your hosting control panel will show it under plan details, server information, or a similar section. Copy it.
Then check it against Cloudflare:
- Log into your Cloudflare dashboard and select the domain.
- Go to DNS > Records.
- Find the A record for your root domain (e.g., example.com).
- Compare the Content/Value field against the IP from your hosting panel.
If they don’t match, click Edit on the A record, paste the correct IP, and save. DNS changes can take up to 24 hours to propagate, though it’s usually much faster. You can also purge Cloudflare’s cache to speed things along.
While you’re in there, confirm your SSL/TLS encryption mode is set to Full (or Full Strict). A mismatch between “Flexible” mode and a server that expects HTTPS causes a different class of problems, but it’s worth checking while you have the dashboard open.
Check Other Web Server Settings
Server is online, DNS is correct, and you’re still getting error 522? Time to dig into the server configuration itself.
Enable KeepAlive
Cloudflare relies on the HTTP KeepAlive header to maintain persistent connections. If your server closes every TCP connection after a single request-response cycle, reconnection overhead stacks up fast. On Apache, add this to your .htaccess file:
<IfModule mod_headers.c>
    Header set Connection keep-alive
</IfModule>
On Nginx, make sure keepalive_timeout is set to something reasonable (65 seconds is the default, and it works fine).
Whitelist Cloudflare IP Addresses
If your firewall or a security module is blocking Cloudflare’s IP ranges, every visitor gets a 522. Cloudflare publishes its full IP list at cloudflare.com/ips. You need to whitelist all of them.
How you do it depends on your setup:
- iptables/nftables: add allow rules for each Cloudflare range.
- Server control panel: use the IP manager or firewall section to add them.
- .htaccess: add “allow from” directives for each range.
- Security plugins (WordFence, Sucuri, etc.): check their firewall settings and add Cloudflare’s IPs to the whitelist.
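Before changing rules, it helps to confirm that the firewall really is dropping Cloudflare traffic. This added example (not from the original article) scans firewall drop logs for packets to ports 80/443 whose source falls inside a Cloudflare range. The log lines are constructed, the "FW-DROP: " prefix is an assumption, and the embedded ranges are only a sample subset of the list published at cloudflare.com/ips.

```python
import ipaddress
import re
from collections import Counter

# Sample subset of Cloudflare's IPv4 ranges, embedded so this runs offline.
# Load the complete, current list from cloudflare.com/ips for real use.
CLOUDFLARE_RANGES = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "141.101.64.0/18",
    "108.162.192.0/18", "162.158.0.0/15", "104.16.0.0/13", "172.64.0.0/13",
)]

# Constructed log lines modelled on iptables LOG output. The "FW-DROP: "
# prefix is an assumption; substitute the prefix your own drop rule writes.
SAMPLE_LOG = """\
Mar 10 12:00:01 web1 kernel: FW-DROP: IN=eth0 OUT= SRC=162.158.90.14 DST=203.0.113.50 PROTO=TCP SPT=41822 DPT=443 SYN
Mar 10 12:00:02 web1 kernel: FW-DROP: IN=eth0 OUT= SRC=198.51.100.23 DST=203.0.113.50 PROTO=TCP SPT=50211 DPT=22 SYN
Mar 10 12:00:03 web1 kernel: FW-DROP: IN=eth0 OUT= SRC=172.68.12.7 DST=203.0.113.50 PROTO=TCP SPT=33010 DPT=443 SYN
Mar 10 12:00:04 web1 kernel: FW-DROP: IN=eth0 OUT= SRC=104.18.3.9 DST=203.0.113.50 PROTO=TCP SPT=60100 DPT=80 SYN
Mar 10 12:00:05 web1 kernel: FW-DROP: IN=eth0 OUT= SRC=999.1.1.1 DST=203.0.113.50 PROTO=TCP SPT=1 DPT=443 SYN
"""

FIELD = re.compile(r"\b(SRC|DPT)=(\S+)")

def cloudflare_range(addr):
    """Return the Cloudflare network containing addr, or None."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:  # malformed address in the log: ignore it
        return None
    for net in CLOUDFLARE_RANGES:
        if ip.version == net.version and ip in net:
            return net
    return None

def dropped_cloudflare(log_text, prefix="FW-DROP: ", ports=("80", "443")):
    """Count dropped packets to web ports, grouped by Cloudflare range."""
    hits = Counter()
    for line in log_text.splitlines():
        if prefix not in line:
            continue
        fields = dict(FIELD.findall(line))
        net = cloudflare_range(fields.get("SRC", ""))
        if net is not None and fields.get("DPT") in ports:
            hits[str(net)] += 1
    return dict(hits)

if __name__ == "__main__":
    for net, count in dropped_cloudflare(SAMPLE_LOG).items():
        print(f"{count} dropped connection(s) from Cloudflare range {net}")
```

Any non-empty result means a rule is discarding Cloudflare's connections to the web ports, which is exactly the condition that surfaces to visitors as a 522.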
Temporarily Pause Cloudflare
Still stuck? Pause Cloudflare temporarily from the dashboard. This routes traffic directly to your server, bypassing the proxy entirely.
If the site works with Cloudflare paused, the problem is in the connection between Cloudflare and your origin. Re-check your firewall rules and IP whitelist. If the site is still down with Cloudflare paused, the problem is on your server, full stop. Go back to step one and look harder at resource usage and server health.
How to Verify Error 522 Is Fixed
The simplest test: open your site in a browser. If it loads without the “Connection timed out” message, you’re in the clear.
But don’t stop there. Clear your browser cache first, or use an incognito window. Cached DNS or stale content can give you a false positive. Then test from an external tool like Uptrends or GTmetrix to verify the site is accessible from multiple geographic locations, not just from your own network.
If everything loads cleanly, your server isn’t redlining on resources, and Cloudflare’s IPs are whitelisted, the error is resolved. Keep an eye on your monitoring for the next few hours to make sure it doesn’t come back.
Troubleshooting Other Cloudflare Errors
Error 522 isn’t the only Cloudflare 5xx code you’ll run into. Here’s a quick rundown of its close relatives and what makes each one different.
Error 520: Unknown Error
A 520 error is Cloudflare’s catch-all. The connection succeeded, but the server returned an empty or garbled response that Cloudflare couldn’t parse. Common culprits: a crashed web server application, response headers exceeding Cloudflare’s 16 KB per-header limit, or a script that died mid-execution.
To troubleshoot it, check your server error logs first. If those are clean, try disabling .htaccess rules one by one to isolate the problem. Inspect your response headers with curl -I to confirm they’re well-formed and within size limits.
Error 521: Web Server Is Down
This one’s blunt: Cloudflare tried to connect and your server flat-out refused the connection. It’s not a timeout; it’s an active rejection or a dead port.
The most common cause is a web server process (Apache, Nginx, LiteSpeed) that’s stopped or crashed. Second most common: a firewall rule that’s explicitly dropping Cloudflare’s connections. Verify the server is running, then check your Cloudflare IP whitelist.
Error 524: A Timeout Occurred
A 524 looks like a 522, but the mechanics are different. With a 522, the TCP connection never establishes. With a 524, the connection is fine, but the server takes too long to send back an HTTP response. Cloudflare’s default timeout for this is 100 seconds on free and pro plans.
The usual suspect: a long-running process on the server. An unoptimized database query, a heavy report generation script, or an API call to a third-party service that’s hanging. Dig into your server logs, find the slow process, and optimize it. If you can’t make the process faster, consider running it asynchronously and serving a “processing” response to the user instead.
Prevent Server Errors and Stay Online
Fixing error 522 once is straightforward. Keeping it from coming back requires a bit of discipline.
Set up uptime monitoring with a service like UptimeRobot, Pingdom, or even a simple cron job that pings your server every minute. You want to know your site is down before your users do.
Keep your Cloudflare DNS records accurate. Every time you migrate servers, change hosting providers, or even just get a new IP assigned, update your A record immediately. Stale DNS entries are one of those problems that only surface under pressure, which is the worst possible time to debug them.
Review your firewall rules after every hosting change or security update. One overzealous rate-limiting rule or a plugin update that resets your IP whitelist can take the whole site offline.
And check your server resources regularly. Don’t wait for a 522 to tell you that your traffic has outgrown your hosting plan. If CPU usage routinely creeps above 70%, if RAM is consistently tight, it’s time to scale up. Connection timeouts are the symptom, not the disease.