Web servers issue HTTP status codes to inform the client, such as a web browser, about the outcome of their request. When the server cannot fulfill a valid client request, it returns an HTTP status code in the 5xx range to indicate a server error.
Find out what causes Error 523: Origin is unreachable and how to fix it.
What Is Error Code 523?
The 523: Origin is unreachable error indicates that Cloudflare servers cannot connect and communicate with the host (origin) web server.
Since the origin server hosts the website's data and content, Cloudflare cannot retrieve and serve the cached content to the user; instead, it displays the 523 error.
This failure usually occurs when there is a network connectivity issue, like a server being down, a missing network route, or an incorrect server IP address.
What Causes Error 523: Origin is Unreachable?
The most common causes of the 523: Origin is unreachable error include:
- Incorrect DNS Settings. Cloudflare depends on accurate DNS records to resolve the domain name to the origin server's IP address. If the DNS records in the domain registrar's control panel or Cloudflare's dashboard are incorrect, they can prevent Cloudflare from finding the server and trigger the 523 error.
- DNS Propagation. Website owners who switch hosting providers or transfer their websites to a different server must update their DNS records to match the new server's IP address. DNS changes can take some time to propagate across the global network, and it is not unusual to see Error 523 messages during this transition.
- Origin Server is Unavailable. During downtime, the host server cannot respond to Cloudflare requests, resulting in the 523 error. Server downtime can include a sudden crash, scheduled maintenance, or network connectivity issues.
- Blocked Cloudflare IPs. Connection attempts from Cloudflare may be blocked and cause the 523 error if its IP ranges are not included in the origin server's access control lists (ACLs) or allowed through the server's firewall.
- Firewall Settings. Strict firewall rules may flag and block legitimate requests from Cloudflare and treat such traffic as suspicious activity. As a result, the user is presented with the 523 error message.
- SSL/TLS Certificate. Cloudflare requires a valid SSL/TLS certificate to establish secure connections. If the origin server's certificate is invalid, expired, or self-signed without the proper trust configuration, a 523 error may occur.
How to Fix Error 523?
Error 523 indicates that the Cloudflare CDN cannot reach the origin server. Web administrators should first check the server's status and DNS settings when resolving potential issues.
Below are the most common solutions for addressing the 523 error.
Check Origin Server Status
Most hosting providers have user-friendly dashboards for configuring, managing, and monitoring deployed servers. Log into your hosting provider's control panel to check if the origin server is available and operational:
- Look for status alerts and health check reports that indicate potential issues.
- Confirm that essential services, like Apache or NGINX, and database systems are active.
- Ensure that the server has enough resources to handle incoming traffic. A lack of disk space, RAM, or excessive CPU usage can lead to server downtime.
Contact the web host's support team if the server appears operational with no detectable problems. They can identify network outages or hidden configuration issues that may not be visible from the control panel.
Verify DNS Settings
Incorrect or outdated DNS settings are another common cause of error 523. Log into the web host's control panel and the Cloudflare dashboard and verify that DNS records match:
- Check for typos in the DNS records. A mistake when entering the IP address can lead to a 523 error.
- Ensure that DNS record types like A (for IPv4 addresses) and AAAA (for IPv6 addresses) point to the correct origin server IP in the Cloudflare dashboard. Additionally, verify that CNAME records correctly resolve to their target domain names and that TXT and SRV records are accurately configured.
- If you have recently updated DNS records, use tools like dig or nslookup to query the domain's DNS and confirm it propagates correctly.
- Confirm the domain has not expired and that it is still valid.
- If you use a Dynamic DNS service (DDNS) to manage DNS updates automatically, verify that it accurately adjusts the DNS records to match IP address changes.
Whitelist Cloudflare IPs
Severs may automatically block Cloudflare requests if they originate from IP addresses that are not whitelisted, leading to error 523. To prevent this and ensure Cloudflare's IP addresses are whitelisted on the origin server:
- Check security modules or plugins on the web server, like mod_security for Apache, and confirm they are set to allow traffic from Cloudflare IP addresses.
- Cloudflare may occasionally add new IP ranges. Regularly update IP whitelists to reflect these changes.
- In a distributed network environment, each infrastructure layer, such as a load balancer, application server, or cache server, must be configured to allow requests from Cloudflare IPs.
- Maintain a change management log and keep other network configuration files current. This helps you quickly identify any changes that may restrict Cloudflare's access.
- If you use a Web Application Firewall (WAF), review the logs to see if Cloudflare's IPs are blocked and adjust firewall rules accordingly. Remember to restart the firewall service for the changes to take effect.
Check Firewall Settings
Cloudflare aggregates traffic from multiple users. Overly strict firewall rules can interpret such behavior as malicious and block traffic. To ensure that requests originating from the Cloudflare network and IPs are not blocked:
- Review firewall logs to determine if Cloudflare's IP addresses have been recently blocked or challenged and whether legitimate traffic is being stopped.
- Adjust firewall security rules to ensure Cloudflare proxy traffic is correctly identified and not classified as malicious.
- Ensure that there are no rules that block traffic traffic on ports 80 (HTTP) and 443 (HTTPS).
- Sudden traffic spikes are common for Cloudflare websites as they aggregate traffic across the Cloudflare network. Configure firewall rules to accommodate these traffic increases.
- Ensure that server security software, such as intrusion detection systems, are set to treat Cloudflare's IP addresses as trusted sources to avoid false alarms and access issues.
- Modify geo-IP blocking rules to ensure they do not block countries where Cloudflare has data centers. Cloudflare's reverse proxy traffic will appear to come from these locations.
Review SSL/TSL Certificates
If Cloudflare is configured to use secure connections, the SSL/TLS certificates on the origin server must be valid. Cloudflare may reject connections if the certificate is expired or incorrectly configured, which could potentially cause a 523 error.
To avoid this type of error:
- Ensure that the SSL/TLS certificate installed on the origin server has not expired. Use SSL checker tools to monitor SSL/TLS certificate status and set up alerts for its renewal.
- Set up SSL/TLS certificates on Content Delivery Networks (CDN) or load balancers used in conjunction with Cloudflare.
- Cloudflare must be specifically configured to accept self-signed certificates.
- Confirm that the domain name on the SSL/TLS certificate corresponds to the domain being accessed.
Cloudflare CDN Issues
In most cases, the 523 error occurs because the origin server is unavailable or the DNS settings are incorrect. However, even though it is reliable, the Cloudflare network can also encounter connectivity issues.
In such instances, the website owner should contact Cloudflare support for assistance. When reporting a 523 error, note and provide the Cloudflare Ray ID from the error page.
The Ray ID expedites the investigation and helps Cloudflare support staff pinpoint the cause of the connection failure.
This article showed what causes error 523: Origin is unreachable and how to fix the underlying issues.