Error 522 – 'Con­nec­tion timed out': How to fix the error

Since 2010, the CDN Service Cloud­flare has been helping numerous web projects to improve per­for­mance and security. In contrast to con­ven­tion­al content delivery networks, Cloud­flare functions not only as a simple buffer for static content, but also as a reverse proxy server, which is in constant exchange with the web server. This has the advantage that the cache content is not ex­plic­it­ly de­ter­mined by the website operator – even adapting the source code isn’t necessary since you only have to instruct the DNS servers to use the service.

A well-known error that occurs again and again with the powerful content delivery network is indicated by the message: 'Error 522: Con­nec­tion timed out'. Although this bug is also known as a 'Cloud­flare error', the problem is not really the fault of the web per­for­mance service itself.

Like many other error pages on the world wide web, the 522 message is one of the HTTP status messages: while the preceding '5' indicates a server error, the following '2' indicates that the server error has occurred in con­junc­tion with Cloud­flare. Code 522 stands for 'Con­nec­tion timed out', which occurs whenever the TCP handshake between the web server and Cloud­flare fails. This handshake – which is essential for es­tab­lish­ing a con­nec­tion – becomes necessary whenever the CDN service receives a user request that requires con­sul­ta­tion with the server. Due to the high usage of Cloud­flare, the 522 con­nec­tion timed out error is one of the most common browser error messages.

Contrary to what one would initially suspect, the reason for the 522 error occurring is not due to Cloud­flare mal­func­tion­ing but rather to a server-side problem. However, as with many similar HTTP errors, it is not so easy to name the source of the error directly. There are various scenarios that can cause a timeout when es­tab­lish­ing a TCP con­nec­tion between the CDN service and the contacted web server. The most common reasons for the con­nec­tion timed-out message are the following:

• Web server is offline: the HTTP error 522 is often displayed because the contacted web server is offline. Since the com­mu­ni­ca­tion between the web server and Cloud­flare happens via the internet, an exchange obviously cannot take place.
  
  
• Over­load­ing the original server: Cloud­flare does a lot of work for the original web server running the project. For certain requests from browser users (es­pe­cial­ly dynamic content), the CDN service must nev­er­the­less contact the original server. As with an ordinary server without a CDN, this sometimes results in an overload and a timeout when building TCP, if too many requests are to be processed at the same time.
  
  
• Firewall is blocking the request: if the original server is connected to its own firewall, this can also cause a Cloud­flare error. Of course, the IP addresses of the per­for­mance service should be allowed by this service by default, however, sometimes addresses are ac­ci­den­tal­ly or randomly blocked. As a result, con­nec­tions cannot be es­tab­lished. Incorrect settings may also result in packets being deleted from within the original host network.
  
  
• Incorrect DNS settings: The DNS servers work with the IP address of the original server. Any change to this address must be trans­mit­ted so that the CDN and server can continue to work together. Since many web hosts au­to­mat­i­cal­ly assign new web addresses to the managed websites every so often and do not forward them to Cloud­flare, the DNS setup sometimes uses an incorrect address.
  
  
• Incorrect routing: Cloud­flare must work beyond network bound­aries to ensure that a website’s per­for­mance is properly optimized. IP routing, which regulates the path of the packets sent through the various networks involved, is an el­e­men­tary part of the content delivery process. If there are dis­crep­an­cies between the original server and Cloud­flare, this often results in a con­nec­tion timed out message.
  
  
• Keepalive messages are disabled on the server side: Cloud­flare uses the 'keepalive' header entry to maintain es­tab­lished con­nec­tions over a longer period of time, improving per­for­mance. If the option of the HTTP messages being displayed on the web server is de­ac­ti­vat­ed, the con­nec­tion setup fails, resulting in a 522 error. Since most common web servers allow the keepalive entry by default, this is a rel­a­tive­ly rare cause of error and almost always has something to do with a con­fig­u­ra­tion error on the webmaster’s part.

If you are re­spon­si­ble for a web project that is strug­gling with an error 522 problem, you should start in­ves­ti­gat­ing the cause im­me­di­ate­ly. However, before you check whether one of the causes described in the previous section is the problem, you should first make sure that the original web server is active and accepts HTTP requests. If this is not the case, com­mu­ni­ca­tion between Cloud­flare and the server is logically im­pos­si­ble – even if all settings are correct. If this 'fast' check shows that the CDN service can actually access the server resources as planned, a more detailed analysis is required to find the source of the error.

In the following sections, we have compiled the most promising solutions for fixing the 522 error.

Web server overload is one of the most common causes of error 522. It is im­pos­si­ble to predict the number of visitors at any given time. In­ter­mit­tent load peaks mean that the server can’t keep up with pro­cess­ing HTTP requests – so you should keep an eye on the traffic de­vel­op­ment of your web project using analysis software. Evaluate the data regularly to identify bot­tle­necks and upgrade the hardware setup of the hosting en­vi­ron­ment. Flexible cloud hosting solutions enable you, for example, to scale resources with pinpoint accuracy so that you can react optimally to fluc­tu­a­tions caused by the time of day, day of the week, or season.

In order to find out if Cloud­flare’s IP addresses are blocked by your webserver, you need to check the ap­pro­pri­ate firewall settings and other filtering ap­pli­ca­tions, such as iptables. Internet addresses can also be filtered in the .htaccess file, which is why you should also check them for blocked IPs. A list of the addresses used by the CDN service provider can be found on the official website. If one of these addresses is locked in the named programs (or tools with similar functions), you have to unlock it to fix error 522. Ap­pli­ca­tions often block IPs au­to­mat­i­cal­ly, so you should play it safe and whitelist Cloud­flare addresses.

If your web host relies on a regular change of web server address, it is up to you to forward the changed IPs to Cloud­flare. The providers report these changes only to the own DNS servers by default. If an error 522 occurs, it is worth taking a look at your domain’s IP settings. Log into the ap­pro­pri­ate ad­min­is­tra­tion panel of your web project and note down the current IPv4 and IPv6 addresses of the web server. Then switch to the Cloud­flare con­fig­u­ra­tion menu and select the domain causing the error. Click on the menu item 'DNS' and then enter the recorded web addresses in the cor­re­spond­ing DNS records (Record Type AAAA: IPv6, Record Type A: IPv4).

If the Cloud­flare error is due to incorrect HTTP header settings, it is, in theory, rel­a­tive­ly easy to fix. If 'keepalive' is switched off or too few possible requests are defined, you can correct this in the re­spec­tive con­fig­u­ra­tion file of the web server (e.g. in httpd.conf for Apache servers). However, a pre­req­ui­site is that you have the ap­pro­pri­ate rights, which is often not the case with shared hosting packages. In cases like these, you only have the option of con­tact­ing the provider. If this persists with the setting 'keepalive' for the selected package, you should consider changing the hosting model or provider.

If the 522 error is due to a traffic routing problem, contact Cloud­flare support. Create a ticket de­scrib­ing the problem, spec­i­fy­ing which areas you have already checked for errors. The CDN provider also rec­om­mends using tools such as MTR or tracer­oute to obtain in­for­ma­tion about the current packet switching between your web server and the Cloud­flare IPs. You can attach the results to your ticket (text or image format) to speed up the problem-solving process.

The list of possible causes of error shows that HTTP error 522 is only a server-side problem. So if you just browse through the world wide web and encounter the 522 message when you visit a website, this is not due to a faulty internet con­nec­tion or a faulty plugin. However, this also means that you cannot solve the problem directly. In order to keep frus­tra­tion to a minimum (or prevent it from the start), it’s advisable to wait and visit the website later. Hopefully, the com­mu­ni­ca­tion problem between Cloud­flare and the web server will have been fixed by then and the site will be displayed as normal.

Of course, you can also contact the re­spon­si­ble web master – es­pe­cial­ly if the website doesn’t work after several attempts and still shows the Cloud­flare error. You may receive valuable back­ground in­for­ma­tion or be told when the website can be accessed again. Fur­ther­more, it’s also possible that the provider isn’t aware of the problem so it is def­i­nite­ly worth con­tact­ing them.