What Is a 522 Connection Timed Out Error?
A 522 Connection Timed Out error is a Cloudflare status code shown when Cloudflare can reach your domain but cannot get a timely response from your origin server. Cloudflare sits in front of your site as a proxy; when it forwards a request and your host does not complete the TCP connection within the time limit, Cloudflare returns 522. It signals the problem is at your server or network, not at Cloudflare. Common causes include an overloaded or crashed server, a firewall blocking Cloudflare's IPs, or wrong DNS records.
- What it is
- A Cloudflare error when the origin server does not answer in time
- Where the fault sits
- The origin host or network, not Cloudflare itself (Cloudflare docs)
- Common trigger
- Server overloaded, crashed, or blocking Cloudflare's IP ranges
- Also caused by
- Wrong origin DNS record, firewall rules, or a down web server process
- Related codes
- 520, 521, 523, 524 all describe origin-connection problems (Cloudflare docs)
What a 522 error actually means #
A 522 Connection Timed Out is one of Cloudflare's own error pages, shown when Cloudflare successfully receives a visitor's request but cannot establish a working connection to your origin server in time. Because Cloudflare acts as a reverse proxy sitting between visitors and your host, every request passes through it first. When it forwards that request to your server and the TCP handshake does not complete within the allowed window, Cloudflare stops waiting and returns 522 instead of a blank page. The key takeaway is that Cloudflare is working; the origin behind it is not responding. That points the investigation squarely at your hosting, network, or firewall rather than at the CDN. For visitors the site simply appears down, so resolving it quickly matters. Persistent 522s usually mean your server is overloaded, misconfigured, or actively blocking Cloudflare, and untangling that is the kind of hosting fault our /services/website-rescue page handles when a business site suddenly stops responding to real traffic.
How Cloudflare's proxy produces the code #
Understanding the request path makes 522 easy to reason about. A visitor asks for your page, Cloudflare answers on your domain's behalf, then opens its own connection to your origin server's IP to fetch the content. That second connection is where 522 lives: if the origin never completes the handshake before Cloudflare's timeout, the code fires. Cloudflare documents a family of 52x errors, and knowing which one you have narrows the cause considerably.
520 -> origin returned an unexpected/empty response
521 -> origin refused the connection (web server down or blocking)
522 -> connection timed out (no reply within the time limit)
523 -> origin is unreachable (bad DNS/routing to the origin)
524 -> connection made but origin took too long to send a responseServer overload as the top cause #
The most frequent reason for a 522 is a server that is simply too busy or has run out of resources to accept new connections in time. When CPU is pinned, memory is exhausted, or the number of concurrent connections hits the host's limit, new requests queue until they time out, and Cloudflare reports 522. Traffic spikes, a runaway process, an inefficient database query, or a plugin stuck in a loop can all push a server over the edge. Shared and oversold hosting reaches this point far sooner than dedicated resources, which is why sudden growth or a viral moment often surfaces the problem for the first time. Checking your server's resource graphs during the outage usually reveals the ceiling being hit. The durable fix is more headroom and better tuning rather than repeated restarts, which is exactly why businesses on struggling shared plans move to stronger infrastructure like our /services/vps-cloud-setup page describes, giving the origin enough capacity to answer Cloudflare before the timeout expires.
Firewall and IP-block causes #
A 522 often appears when your server or a security layer is silently blocking the very IP addresses Cloudflare connects from. If a firewall, security plugin, or a tool like fail2ban decides Cloudflare's ranges look like abuse and drops their packets, the handshake never completes and Cloudflare times out. This is a common trap after enabling a new firewall or after a security plugin auto-bans an IP that happened to be a Cloudflare edge. The fix is to allowlist Cloudflare's published IP ranges at every layer, the server firewall, the hosting control panel, and any application-level security, so their connections are always accepted. Because this sits at the intersection of hosting and protection, it is part of the configuration work covered on our /services/website-security page. When a site was fine and then began throwing 522 right after a security change, an over-eager block is the first thing to check, since the symptom looks identical to an overloaded server but the remedy is completely different.
DNS and origin record problems #
Cloudflare can only reach your origin if it knows the correct address to connect to, so a wrong DNS record is another route to a 522. If the A record for your origin points to an old IP after a server move, or the origin's IP changed without updating Cloudflare, the CDN dials a server that no longer answers and times out. Similarly, if the origin is reachable only through a specific port or hostname that the record does not reflect, connections fail. The fix is to confirm the origin IP in your Cloudflare DNS matches where your site actually lives now, then test that the server responds directly on that address. DNS also underpins mail and other services, so keeping these records accurate matters beyond just the website, which is why record management is a service in its own right on our /services/domains-dns-email page. After correcting a record, allow time for changes to settle and retest, since a recently moved origin is a classic hidden cause of intermittent 522s.
Confirming the outage from outside #
Before deep-diving into server config, confirm the scope of the problem so you fix the right thing. Because 522 is generated by Cloudflare, every visitor routed through it sees the same page, so the outage is usually global rather than local to you. An independent monitor removes doubt: our /tools/website-down-checker reports whether the site responds from outside your own network and connection, distinguishing a true origin outage from a local glitch. It also helps to try connecting directly to your origin IP, bypassing Cloudflare, to see whether the server answers at all; if it does, the problem is between Cloudflare and the origin, such as a firewall block, and if it does not, the server itself is down or overwhelmed. Checking your host's status page and recent maintenance notices rules out a provider-wide incident. Establishing whether the origin is fully down, refusing connections, or just slow points you at overload, a firewall, or DNS respectively, saving time you would otherwise waste changing unrelated settings.
Step-by-step troubleshooting #
Move through the likely causes in order of frequency. First, check your server's resource usage during the outage for pinned CPU, exhausted memory, or a connection ceiling that signals overload. Second, review firewall and security logs for dropped or banned Cloudflare IPs and allowlist Cloudflare's published ranges everywhere. Third, confirm the origin IP in Cloudflare's DNS matches the current server and test the origin directly, bypassing the proxy. Fourth, verify the web server and any application services are actually running, since a crashed process refuses connections. Fifth, look for a specific heavy request, plugin, or query that stalls responses under load. Restart the web server only after you have captured logs, so you do not erase the evidence of what failed. If 522s recur despite these steps, the real issue is usually insufficient capacity, and moving to a managed environment with monitoring and headroom, like our /services/managed-hosting page provides, prevents the origin from timing out under normal traffic in the first place.
When to escalate to your host #
Some 522 errors are beyond what you can fix from your own dashboard and require your hosting provider's help. If your server's resources look healthy, Cloudflare's IPs are allowlisted, and DNS points to the right origin, yet the timeouts persist, the problem may sit deeper in the host's network, a firewall you do not control, or a hardware issue on their side. At that point, gather evidence before opening a ticket: note the exact time the 522s began, whether the origin responds when you connect directly, and any relevant log entries, so support can act quickly instead of asking for basics. A provider that cannot resolve recurring origin timeouts is itself a red flag, since dependable origins are the whole point of paying for hosting. When escalation becomes routine, it usually signals the hosting is underpowered or unstable, and moving to a stronger managed environment like our /services/managed-hosting page removes the class of problem rather than treating each incident as a fresh surprise every time it happens.
Preventing 522 errors long term #
Recurring 522s are a capacity and reliability signal, not bad luck, so the lasting fix is to give your origin enough room and to watch it. Right-size your hosting so peak traffic does not exhaust CPU, memory, or connection limits, and tune slow database queries and heavy plugins that spike load. Maintain a stable allowlist of Cloudflare's IP ranges in every firewall so a future security change cannot accidentally block the proxy. Keep DNS records accurate, especially after any server move, and document your origin IP. Add uptime monitoring that alerts you the moment the origin stops answering, so you learn about problems before customers do. Because these measures span servers, security, and monitoring, they are the backbone of a maintained hosting setup rather than a one-time patch, which is what our /services/care-plans page bundles. If you are unsure where your current setup is fragile, a /free-website-audit will highlight the resource, security, and DNS weak points most likely to produce the next 522.
FAQ
What causes a 522 Connection Timed Out error?
It happens when Cloudflare cannot get a timely response from your origin server. The usual causes are an overloaded or crashed server, a firewall blocking Cloudflare's IP addresses, a wrong origin DNS record after a move, or the web server process being down. The fault lies at your host or network, not at Cloudflare.
Is a 522 error Cloudflare's fault or mine?
It indicates a problem reaching your origin server, so the fault is on your side, not Cloudflare's. Cloudflare received the visitor's request fine but timed out waiting for your server to answer. Focus troubleshooting on server resources, firewall rules that may block Cloudflare, and whether your DNS points to the correct origin IP.
How do I fix a 522 error?
Check server resource usage for overload, allowlist Cloudflare's IP ranges in every firewall, confirm the origin IP in Cloudflare's DNS matches your current server, and verify the web server is running. Test the origin directly, bypassing Cloudflare, to see whether it responds. Capture logs before restarting so you can identify what failed.
What is the difference between a 522 and a 521 error?
A 521 means your origin actively refused the connection, usually because the web server is down or explicitly blocking Cloudflare. A 522 means the connection attempt timed out with no answer at all, typically from overload or a firewall silently dropping packets. Both point to origin problems but call for slightly different checks.
Can too much traffic cause a 522 error?
Yes. A traffic spike can exhaust CPU, memory, or the server's connection limit, so new requests queue until Cloudflare's timeout fires and returns 522. Shared or oversold hosting hits this ceiling early. The fix is more capacity and tuning heavy queries or plugins, not repeated restarts, so the origin can answer within the time limit.
Does a 522 error hurt my SEO?
A brief, rare 522 is unlikely to hurt rankings, but frequent or prolonged ones can. If search crawlers repeatedly hit timeouts, they may crawl less and users bounce, which harms performance signals. Treat recurring 522s as an uptime problem to solve with better hosting capacity and monitoring rather than ignore as occasional noise.
How Local Web Advisor checks this for you
Is your own website getting hosting & domains right?
Our free AI audit scans your site and tells you — in plain English — exactly what to fix for hosting & domains and seven other areas, with the business impact and the fix for each. No login needed to start.
Run my free website audit →Was this helpful?