You Just Deployed Your Site and Now It’s Blocked by Cloudflare
You’ve spent hours, maybe days, building your website. The design is perfect, the code is clean, and you’re ready to launch. You point your domain to your new hosting, hit refresh, and instead of your beautiful homepage, you’re greeted by a Cloudflare error page. A message about “Access Denied,” “1020 Error,” or a security check that never completes.
Your heart sinks. Visitors can’t get through. Your business is effectively offline before it even starts. This scenario is frustratingly common, whether you’re a seasoned developer or someone setting up their first online store. Cloudflare sits between your visitors and your server, and when something goes wrong in that handshake, everything stops.
This guide is your practical toolkit for diagnosing and resolving the most common Cloudflare errors. We’ll move past generic advice and into the specific settings, logs, and commands you need to get your site back online.
Understanding What Cloudflare Actually Does
Before you can fix it, you need to know what you’re fixing. Cloudflare is not a hosting provider. It’s a reverse proxy and content delivery network (CDN). When you use Cloudflare, your domain’s nameservers point to Cloudflare. Visitors request your site from Cloudflare’s global network, which then forwards that request to your origin server (your actual web host like DigitalOcean, AWS, or GoDaddy).
This setup provides huge benefits: faster loading times, DDoS protection, and a Web Application Firewall (WAF). But it also adds a layer of complexity. An error usually means the connection between Cloudflare and your origin server is broken, or a security rule is being triggered incorrectly.
The Most Common Cloudflare Error Codes and What They Mean
Cloudflare uses specific error codes. Identifying yours is the first step.
Cloudflare Error 520: Web Server Returns an Unknown Error. This is a catch-all. Cloudflare connected to your origin server, but the server sent back an empty, invalid, or unexpected response.
Cloudflare Error 521: Web Server Is Down. Cloudflare successfully reached your origin server, but the server refused the connection. This usually means your web service (like Apache or Nginx) is not running.
Cloudflare Error 522: Connection Timed Out. Cloudflare could not establish a TCP connection to your origin server within 90 seconds. Your server might be offline, or a firewall is blocking Cloudflare’s IP addresses.
Cloudflare Error 523: Origin Is Unreachable. Cloudflare cannot find a route to your origin server. This often indicates a DNS issue at your origin’s host or a network problem.
Cloudflare Error 524: A Timeout Occurred. A connection was established, but your origin server took more than 100 seconds to respond fully. This points to a slow or overloaded application.
Cloudflare Error 525: SSL Handshake Failed. The SSL/TLS connection between Cloudflare and your origin server failed. This is common when your origin server’s SSL certificate is invalid, expired, or misconfigured.
Cloudflare Error 1020: Access Denied. The request was blocked by a Cloudflare WAF rule or a custom firewall rule you set up. It’s a security block.
Step-by-Step Diagnostic Checklist
Don’t start changing random settings. Follow this logical flow to isolate the problem.
First, Bypass Cloudflare Completely
You need to answer one critical question: Is the problem with Cloudflare, or with your origin server itself? To find out, temporarily bypass Cloudflare’s proxy.
Log into your Cloudflare dashboard. Go to the DNS settings for your domain. Find the DNS record for your website (usually an A record for “@” or a CNAME for “www”). You will see a cloud icon to the right of the record. If the cloud is orange, traffic is proxied through Cloudflare. Click it to turn it gray. This switches the record to “DNS only,” meaning visitors will connect directly to your origin server IP.
Wait a few minutes for DNS to propagate, then visit your site. If your site loads correctly now, the issue is with Cloudflare’s configuration. If your site still fails to load or shows a different error, the problem lies with your origin server or hosting provider. Focus your efforts there first.
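The same comparison can be made from a terminal without waiting for DNS to propagate. The script below is an added example, not code from the original article: curl's --resolve option pins the hostname to your origin address, so the request goes straight to the server while still sending the correct Host header and TLS SNI, and the classifier looks for the headers Cloudflare adds to anything it proxies. SITE and ORIGIN_IP are placeholders; the two embedded header blocks are constructed so the classifier can be exercised offline.

```shell
#!/bin/sh
# Added example (not from the article). Placeholders: SITE, ORIGIN_IP.
SITE="${SITE:-example.com}"
ORIGIN_IP="${ORIGIN_IP:-203.0.113.10}"   # TEST-NET-3 address; replace with your origin

# Classify HTTP response headers read from stdin: "proxied" when Cloudflare's
# own markers (cf-ray, server: cloudflare) are present, otherwise "direct".
classify_response() {
  hdrs=$(tr -d '\r')
  if printf '%s\n' "$hdrs" | grep -iq '^cf-ray:' \
     || printf '%s\n' "$hdrs" | grep -iq '^server: *cloudflare'; then
    echo proxied
  else
    echo direct
  fi
}

# Print the status code from the first "HTTP/..." line (curl error text has none).
status_of() {
  tr -d '\r' | awk '/^HTTP\// { print $2; exit }'
}

# Normal path: DNS -> Cloudflare edge -> origin.
headers_via_cloudflare() {
  curl -sSI -m 30 "https://$SITE/"
}

# Direct path: --resolve forces the hostname onto ORIGIN_IP, so SNI and the
# Host header still name the real site. Add -k only while diagnosing a
# self-signed origin certificate.
headers_via_origin() {
  curl -sSI -m 30 --resolve "$SITE:443:$ORIGIN_IP" "https://$SITE/"
}

# Compare both paths and say which side to investigate first.
diagnose() {
  cf=$(headers_via_cloudflare 2>&1)
  origin=$(headers_via_origin 2>&1)
  cf_code=$(printf '%s\n' "$cf" | status_of)
  origin_code=$(printf '%s\n' "$origin" | status_of)
  echo "via Cloudflare: ${cf_code:-no response} ($(printf '%s\n' "$cf" | classify_response))"
  echo "via origin:     ${origin_code:-no response}"
  case "$origin_code" in
    2*|3*) echo "Origin answers on its own; look at the Cloudflare side (DNS record, SSL mode, WAF)." ;;
    *)     echo "Origin itself fails; fix the server or hosting before touching Cloudflare." ;;
  esac
}

# Constructed samples so the classifier can be exercised offline.
SAMPLE_PROXIED='HTTP/2 200
date: Mon, 01 Jan 2024 00:00:00 GMT
server: cloudflare
cf-ray: 0000000000000000-XXX
cf-cache-status: DYNAMIC'
SAMPLE_DIRECT='HTTP/1.1 200 OK
Server: nginx/1.24.0
Content-Type: text/html'

# Live comparison only when asked for: RUN_LIVE=1 SITE=... ORIGIN_IP=... sh probe.sh
if [ -n "${RUN_LIVE:-}" ]; then diagnose; fi
```

If the origin answers 2xx/3xx directly but the Cloudflare path returns a 5xx, the remaining sections on DNS, SSL mode and the WAF are where to look; if the direct request fails too, the server health checks come first.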
Check Your Origin Server’s Health
If the site still fails to load with Cloudflare bypassed, your origin server is the culprit. Run these commands via SSH, or ask your host to run them.
Verify your web server is running: systemctl status nginx or systemctl status apache2.
Check for disk space: df -h. A full disk can crash services.
Review error logs: tail -f /var/log/nginx/error.log or /var/log/apache2/error.log. Look for recent critical errors.
Ensure the server is listening on the correct port: netstat -tulpn | grep :80 and netstat -tulpn | grep :443.
Test local connectivity: curl -I http://localhost. If this fails, the issue is internal to the server.
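The five checks above collected into one script, as an added example that is not the article's own code. Each live check is a small function, and the parsers that read df and netstat/ss output are kept separate so they can be exercised on the constructed sample output embedded below. Service names, log paths and ports are the ones the article mentions; the sample output is made up.

```shell
#!/bin/sh
# Added example (not from the article): origin health check to run over SSH.
WEB_SERVICE="${WEB_SERVICE:-nginx}"                 # or apache2
ERROR_LOG="${ERROR_LOG:-/var/log/nginx/error.log}"  # or /var/log/apache2/error.log

# From `df -P <path>` output on stdin, print the used percentage as a bare number.
# (-P keeps each filesystem on one line even when the device name is long.)
disk_usage_pct() {
  awk 'NR == 2 { sub("%", "", $5); print $5 }'
}

# From `netstat -tulpn` or `ss -tulpn` output on stdin, print every TCP port with
# a LISTEN socket, sorted and deduplicated. Both tools put the local address in a
# field ending in ":<port>"; the foreign side ends in ":*" and is skipped.
listening_ports() {
  awk '/LISTEN/ {
         for (i = 1; i <= NF; i++)
           if ($i ~ /:[0-9]+$/) { p = $i; sub(/.*:/, "", p); print p; break }
       }' | sort -un
}

# True when port $1 appears in the list read from stdin.
port_listed() {
  grep -qx "$1"
}

check_service() {
  if systemctl is-active --quiet "$WEB_SERVICE"; then
    echo "OK   $WEB_SERVICE is running"
  else
    echo "FAIL $WEB_SERVICE is not running (see: systemctl status $WEB_SERVICE)"
  fi
}

check_disk() {
  pct=$(df -P / | disk_usage_pct)
  if [ "$pct" -ge 90 ]; then
    echo "WARN root filesystem is ${pct}% full; a full disk can crash services"
  else
    echo "OK   root filesystem ${pct}% used"
  fi
}

check_ports() {
  ports=$( (ss -tulpn 2>/dev/null || netstat -tulpn 2>/dev/null) | listening_ports)
  for p in 80 443; do
    if printf '%s\n' "$ports" | port_listed "$p"; then
      echo "OK   something is listening on :$p"
    else
      echo "FAIL nothing is listening on :$p"
    fi
  done
}

check_local_http() {
  code=$(curl -s -o /dev/null -m 10 -w '%{http_code}' http://localhost/ || true)
  case "$code" in
    2*|3*) echo "OK   local HTTP answers $code" ;;
    *)     echo "FAIL local HTTP request failed (code ${code:-none}); the problem is inside the server" ;;
  esac
}

show_recent_errors() {
  echo "--- recent critical lines in $ERROR_LOG ---"
  tail -n 50 "$ERROR_LOG" 2>/dev/null | grep -iE 'crit|emerg|error' || echo "(none found)"
}

# Constructed sample output for exercising the parsers offline.
SAMPLE_DF='Filesystem     1024-blocks     Used Available Capacity Mounted on
/dev/vda1         41152812 34979890   6172922      85% /'
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      612/sshd
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1184/nginx: master
tcp6       0      0 :::443                  :::*                    LISTEN      1184/nginx: master
udp        0      0 127.0.0.53:53           0.0.0.0:*                           455/systemd-resolve'

# Run the live checks only when asked for: RUN_LIVE=1 sh origin-health.sh
if [ -n "${RUN_LIVE:-}" ]; then
  check_service; check_disk; check_ports; check_local_http; show_recent_errors
fi
```

A FAIL from check_service or check_ports corresponds to a 521 at the edge (Cloudflare reaches the machine but nothing accepts the connection); a FAIL from check_local_http with the service running points at the application itself and typically shows up as a 520 or 524.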
Verify Your DNS Configuration
Incorrect DNS is a prime suspect for errors 523 and 522. In your Cloudflare DNS panel, ensure your A or CNAME record points to the correct IP address or hostname provided by your hosting company. It must be the actual server IP, not a load balancer or another CDN’s address unless specifically configured for it.
Also, check your origin server’s firewall. Cloudflare publishes its IP ranges. You must allow traffic from these IPs to your origin server’s HTTP (port 80) and HTTPS (port 443) ports. Blocking these will cause connection timeouts. You can find the current list in the Cloudflare dashboard under “Allow Cloudflare IP addresses.”
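To check the firewall side mechanically, here is an added example that is not from the article: it downloads Cloudflare's published IPv4 list from https://www.cloudflare.com/ips-v4, tests whether a given address falls inside any of those ranges, and prints the ufw rules that would admit them on ports 80 and 443. The CIDR arithmetic is plain POSIX shell. The embedded range list is a constructed stand-in made of TEST-NET addresses so the functions can be exercised offline; the real list must be fetched from Cloudflare, which also publishes an IPv6 list at https://www.cloudflare.com/ips-v6 that this example does not handle.

```shell
#!/bin/sh
# Added example (not from the article): verify the origin firewall admits
# Cloudflare's edge addresses. IPv4 only.
CF_IPV4_URL="https://www.cloudflare.com/ips-v4"

# Convert a dotted IPv4 address to a 32-bit integer.
ip_to_int() {
  set -- $(printf '%s' "$1" | tr '.' ' ')
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# True when address $1 lies inside CIDR block $2 (e.g. 198.51.100.0/24).
in_cidr() {
  net=${2%/*}; bits=${2#*/}
  if [ "$bits" -eq 0 ]; then
    mask=0
  else
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
  fi
  [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# True when address $1 is inside any CIDR read from stdin (one per line).
is_in_ranges() {
  while read -r cidr; do
    [ -n "$cidr" ] || continue
    if in_cidr "$1" "$cidr"; then return 0; fi
  done
  return 1
}

# Turn a CIDR list on stdin into ufw allow rules for HTTP and HTTPS.
ufw_rules() {
  while read -r cidr; do
    [ -n "$cidr" ] || continue
    printf 'ufw allow proto tcp from %s to any port 80,443\n' "$cidr"
  done
}

fetch_cf_ranges() {
  curl -sSf -m 30 "$CF_IPV4_URL"
}

# Constructed stand-in for the live list (TEST-NET blocks, not Cloudflare's).
SAMPLE_RANGES='198.51.100.0/24
203.0.113.128/25'

# Live use: RUN_LIVE=1 sh cf-allow.sh > allow-cloudflare.sh, review, then run it.
if [ -n "${RUN_LIVE:-}" ]; then
  fetch_cf_ranges | ufw_rules
fi
```

Once the rules are in place, a 522 that persists is not a firewall problem on the origin and the investigation moves to the server or the host's network. The list changes occasionally, so re-run the fetch on a schedule rather than treating the generated rules as permanent.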
Fixing Specific Cloudflare Errors
Resolving SSL/TLS Errors (525, 526)
Error 525 means the TLS handshake between Cloudflare and your origin failed outright; the related Error 526 (Invalid SSL Certificate) means the handshake succeeded but, in “Full (strict)” mode, Cloudflare did not trust the certificate your origin presented. Go to the SSL/TLS tab in your Cloudflare dashboard. Under “Origin Server,” ensure you have a valid SSL certificate installed on your origin server itself.
The simplest method is to use Cloudflare’s “Full” or “Full (strict)” SSL mode. In “Full” mode, Cloudflare uses HTTPS to connect to your origin, but it does not validate your origin’s certificate. This can work even with a self-signed certificate. “Full (strict)” requires a valid, publicly-trusted certificate on your origin.
If you’re using “Full (strict),” your origin certificate must be valid and not expired. You can install a free certificate from Let’s Encrypt on your origin server. Also, ensure your origin server is configured to use the correct certificate and that the server name (SNI) matches your domain.
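To check the origin certificate the way Cloudflare would in “Full (strict)” mode, here is an added example that is not from the article. It uses openssl s_client with -servername so the origin sees the same SNI that Cloudflare sends, then checks chain trust, remaining validity and whether the certificate's names cover the site. SITE and ORIGIN_IP are placeholders; the s_client and subjectAltName excerpts embedded for the offline checks are constructed.

```shell
#!/bin/sh
# Added example (not from the article). Placeholders: SITE, ORIGIN_IP.
SITE="${SITE:-example.com}"
ORIGIN_IP="${ORIGIN_IP:-203.0.113.10}"

# Full s_client transcript for the origin, handshaking with the site's SNI.
origin_handshake() {
  printf '' | openssl s_client -connect "$ORIGIN_IP:443" -servername "$SITE" 2>/dev/null
}

# True when an s_client transcript on stdin reports a clean chain verification.
verify_ok() {
  grep -q 'Verify return code: 0 (ok)'
}

# Print the verification failure text, e.g. "self-signed certificate" or
# "certificate has expired".
verify_reason() {
  sed -n 's/.*Verify return code: [0-9]* (\(.*\))/\1/p' | head -n 1
}

# True when a subjectAltName line on stdin (as printed by `openssl x509 -text`)
# lists site $1, either exactly or through a wildcard on its parent domain.
san_covers() {
  esc=$(printf '%s' "$1" | sed 's/\./\\./g')
  parent_esc=$(printf '%s' "${1#*.}" | sed 's/\./\\./g')
  tr ',' '\n' | sed 's/^ *//' | grep -qxE "DNS:($esc|\*\.$parent_esc)"
}

# True when the PEM certificate on stdin is still valid $1 days from now.
valid_for_days() {
  openssl x509 -noout -checkend $(( $1 * 86400 ))
}

check_origin_tls() {
  transcript=$(origin_handshake)
  if [ -z "$transcript" ]; then
    echo "FAIL no TLS handshake with $ORIGIN_IP:443 (Cloudflare would show 525)"; return
  fi
  if printf '%s\n' "$transcript" | verify_ok; then
    echo "OK   chain verifies; Full (strict) will accept it"
  else
    echo "WARN chain does not verify ($(printf '%s\n' "$transcript" | verify_reason)); Full works, Full (strict) returns 526"
  fi
  leaf=$(printf '%s\n' "$transcript" | sed -n '/BEGIN CERTIFICATE/,/END CERTIFICATE/p')
  if printf '%s\n' "$leaf" | valid_for_days 14; then
    echo "OK   certificate valid for at least 14 more days"
  else
    echo "WARN certificate expires within 14 days or has already expired; renew it"
  fi
  if printf '%s\n' "$leaf" | openssl x509 -noout -text \
       | grep -A1 'Subject Alternative Name' | tail -n 1 | san_covers "$SITE"; then
    echo "OK   certificate names cover $SITE"
  else
    echo "FAIL certificate does not name $SITE (SNI/name mismatch)"
  fi
}

# Constructed excerpts for exercising the parsers offline.
SAMPLE_VERIFY_OK='...
    Verify return code: 0 (ok)'
SAMPLE_VERIFY_SELF='...
    Verify return code: 18 (self-signed certificate)'
SAMPLE_SAN='                DNS:example.com, DNS:www.example.com'

# Live check only when asked for: RUN_LIVE=1 SITE=... ORIGIN_IP=... sh origin-tls.sh
if [ -n "${RUN_LIVE:-}" ]; then check_origin_tls; fi
```

The verification step uses the machine's own CA store, so run it from a host whose trust store is reasonably current; a certificate that verifies here but is rejected by Cloudflare usually means an incomplete chain (missing intermediate) served by the origin.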
Stopping False Positives from the WAF (Error 1020)
If visitors are seeing a 1020 “Access Denied” page, the Cloudflare Web Application Firewall has blocked their request. This could be due to a managed rule or a custom rule you created.
First, go to the Security > WAF > Tools page in your dashboard. Look for “Recent Activity.” This log will show you the specific rule ID that triggered the block (e.g., Managed Ruleset 100000).
If the block is a false positive (for example, blocking a legitimate form submission or API call), you can create a WAF Exception. Go to Security > WAF > Exceptions. Create a new exception with a rule like “When incoming requests match… URI Path contains ‘/wp-json/’… Then… Skip” the specific managed ruleset that is causing the problem. Be as specific as possible to avoid creating a security hole.
Addressing Timeout Errors (522, 524)
Timeout errors mean your origin server is too slow to respond. For Error 522, increase the “Origin Connection Timeout” in the Speed > Optimization > Content Optimization page. You can raise it from the default 90 seconds up to 300 seconds, but this is a band-aid. The real fix is to improve your server’s performance or uptime.
For Error 524, which happens after a connection is made, the issue is with your application code taking too long. Enable “Origin Keep-Alive” in the same settings to reuse connections. More importantly, you need to optimize your database queries, increase PHP execution time (for WordPress), or add more server resources. Check your application’s logs for slow processes.
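To see which of the two timeouts you are closer to, here is an added example that is not from the article: curl's -w timing variables separate the TCP connect time from the time to first byte, which is roughly the distinction between a 522 (Cloudflare never gets a connection) and a 524 (connected, but the application is slow to answer). SITE, ORIGIN_IP and PATH_TO_TEST are placeholders, the 90 and 100 second limits are the article's, and the timings passed to the verdict function in the usage note are constructed.

```shell
#!/bin/sh
# Added example (not from the article). Placeholders: SITE, ORIGIN_IP, PATH_TO_TEST.
SITE="${SITE:-example.com}"
ORIGIN_IP="${ORIGIN_IP:-203.0.113.10}"
PATH_TO_TEST="${PATH_TO_TEST:-/}"
CONNECT_LIMIT=90     # seconds Cloudflare allows for the TCP connection (522)
RESPONSE_LIMIT=100   # seconds Cloudflare waits for the origin's response (524)

# Measure the origin directly. Output: "<http_code> <time_connect> <time_starttransfer> <time_total>".
# --resolve pins the hostname to the origin; -m caps the wait so the probe itself cannot hang.
measure_origin() {
  curl -s -o /dev/null -m $((RESPONSE_LIMIT + 30)) \
       --resolve "$SITE:443:$ORIGIN_IP" \
       -w '%{http_code} %{time_connect} %{time_starttransfer} %{time_total}\n' \
       "https://$SITE$PATH_TO_TEST" || true
}

# Interpret a measurement: $1 http_code, $2 time_connect, $3 time_starttransfer.
# curl reports code 000 and a zero connect time when the TCP connection never opened.
timing_verdict() {
  awk -v code="$1" -v conn="$2" -v ttfb="$3" -v cl="$CONNECT_LIMIT" -v rl="$RESPONSE_LIMIT" 'BEGIN {
    if (code == "000" && conn == 0) { print "522-risk: no TCP connection (server down or firewall)"; exit }
    if (conn > cl)                  { print "522-risk: TCP connect took " conn "s (limit " cl "s)"; exit }
    if (ttfb > rl)                  { print "524-risk: first byte after " ttfb "s (limit " rl "s)"; exit }
    if (ttfb > rl / 2)              { print "slow: first byte after " ttfb "s, within limits but close"; exit }
    print "ok: connect " conn "s, first byte " ttfb "s"
  }'
}

verdict_for_origin() {
  set -- $(measure_origin)
  timing_verdict "$1" "$2" "$3"
}

# Live measurement only when asked for: RUN_LIVE=1 SITE=... ORIGIN_IP=... PATH_TO_TEST=/slow-report sh timing.sh
if [ -n "${RUN_LIVE:-}" ]; then verdict_for_origin; fi
```

Point PATH_TO_TEST at the page or endpoint that actually fails rather than the homepage; a 524 on a report export with a fast homepage is the usual shape, and `timing_verdict 200 0.02 130.4` is what such a measurement reads like.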
Advanced Troubleshooting and Caching Issues
Sometimes your site works, but shows outdated content because Cloudflare is serving a cached version of an error page. This is a common headache after fixing an origin server issue.
You must purge Cloudflare’s cache. Go to Caching > Configuration > Purge Cache. You can “Purge Everything” to clear all cached files. For a more targeted approach, use “Custom Purge” to specify the URLs that have changed.
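The same purge driven from a script, as an added example that is not the article's own code. It uses Cloudflare's v4 API cache-purge endpoint with an API token, and reads the cf-cache-status response header so you can confirm afterwards that a URL is being fetched fresh from the origin. ZONE_ID and CF_API_TOKEN are placeholders supplied through the environment; the header sample is constructed.

```shell
#!/bin/sh
# Added example (not from the article). Placeholders: ZONE_ID, CF_API_TOKEN.
API="https://api.cloudflare.com/client/v4"
ZONE_ID="${ZONE_ID:-<your-zone-id>}"
CF_API_TOKEN="${CF_API_TOKEN:-<token-with-cache-purge-permission>}"

# Body for "Purge Everything".
purge_body_everything() {
  printf '{"purge_everything":true}'
}

# Body for "Custom Purge": a JSON array of the full URLs that changed.
# URLs are inserted as-is; they must not contain double quotes or backslashes.
purge_body_for_urls() {
  out='{"files":['
  sep=''
  for u in "$@"; do
    out="$out$sep\"$u\""
    sep=','
  done
  printf '%s]}' "$out"
}

# POST a purge body to the zone and print the API's JSON reply.
purge() {
  curl -sS -X POST "$API/zones/$ZONE_ID/purge_cache" \
       -H "Authorization: Bearer $CF_API_TOKEN" \
       -H "Content-Type: application/json" \
       --data "$1"
}

# From response headers on stdin, print the cf-cache-status value
# (HIT, MISS, DYNAMIC, EXPIRED, BYPASS ...); empty when not served by Cloudflare.
cf_cache_status() {
  tr -d '\r' | awk -F': *' 'tolower($1) == "cf-cache-status" { print $2; exit }'
}

# Show whether a URL is currently served from Cloudflare's cache.
cache_status_of() {
  curl -sSI -m 30 "$1" | cf_cache_status
}

# Constructed sample header block.
SAMPLE_HEADERS='HTTP/2 200
content-type: text/html
cf-cache-status: HIT
server: cloudflare'

# Live use: RUN_LIVE=1 ZONE_ID=... CF_API_TOKEN=... sh purge.sh https://example.com/ https://example.com/css/app.css
# With no URLs given it purges everything.
if [ -n "${RUN_LIVE:-}" ]; then
  if [ $# -gt 0 ]; then purge "$(purge_body_for_urls "$@")"; else purge "$(purge_body_everything)"; fi
  echo
fi
```

After a targeted purge, cache_status_of on one of the purged URLs should report MISS (then HIT on the next request once the fresh copy is stored); a persistent HIT means the URL you purged does not match the one being served, for example a trailing slash or query string difference.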
Also, review your Page Rules. A misconfigured Page Rule can cause unexpected caching, redirects, or security settings for specific parts of your site. Check the Rules > Page Rules section to see if any active rules might be interfering.
When to Use Development Mode
While making frequent changes to your site, turn on “Development Mode” in the Caching tab. This bypasses Cloudflare’s cache for three hours, ensuring you always see the latest version from your origin. Remember to turn it off afterward, or your site will lose the performance benefits of caching.
Preventative Measures and Best Practices
Fixing an error is good, but preventing the next one is better. Adopt these practices.
Always keep a valid SSL certificate on your origin server, even if using “Full” mode. Use a service to auto-renew it.
Monitor your origin server’s resource usage (CPU, memory, disk). Set up alerts for high usage.
Use Cloudflare’s Health Checks. In Traffic > Load Balancing, you can create a monitor that pings your origin server and provides a status. This gives you early warning of downtime.
Be cautious with custom Firewall Rules. Test them in “Log” mode first to see what they would block before switching to “Block.”
Keep a documented rollback plan. Know how to quickly gray-cloud your DNS record to bypass Cloudflare if a major issue arises during an update.
Your Site Is Back Online – What’s Next?
Once you’ve resolved the immediate error, take a moment to document what happened and the steps you took to fix it. This log will be invaluable if the issue recurs. Consider whether the fix was temporary (like increasing a timeout) or permanent (like fixing a firewall rule). For temporary fixes, schedule time to address the root cause, such as optimizing slow code or upgrading server hardware.
Cloudflare is a powerful tool that makes your site faster and more secure. Like any powerful tool, it requires understanding. By methodically working through connectivity, SSL, security, and caching, you can move from seeing Cloudflare as a source of errors to leveraging it as a reliable foundation for your online presence. The next time an error appears, you’ll know exactly where to look.