Question

How to fix Cloudflare 522 connection timed out

522 means Cloudflare has a route toward your origin, but the connection or response does not complete fast enough. In practice it is usually one of four things: a dropped TCP handshake, an overloaded origin, a firewall rule that silently drops Cloudflare traffic, or an upstream network path that is unhealthy from the Cloudflare edge.

The fastest way to avoid guessing is to compare three views of the same URL: public Cloudflare URL, direct origin IP, and hostname forced to the origin IP with SNI. Those three checks separate "my app is slow" from "Cloudflare cannot reach the origin cleanly".

Checks in order

  1. Measure public URL latency and status through Cloudflare.
  2. Measure direct origin latency from a network outside your server provider.
  3. Use --resolve to test the same hostname and TLS/SNI against the origin IP.
  4. Check CPU, memory, IO wait, web worker saturation, and database pool exhaustion.
  5. Review firewall, WAF, fail2ban, load balancer, and upstream rate-limit rules.

If you are unsure whether this is timeout or malformed response behavior, start with Cloudflare 520 vs 524 quick split.

What makes 522 different

Do not treat every Cloudflare 5xx as the same incident. A 521 is usually refused connection or a down web server. A 523 points more toward an unreachable origin IP or route. A 524 means the connection was established but the origin took too long to finish the response. A 522 sits earlier in the chain: Cloudflare is timing out while trying to connect to, or wait on, the origin path.

Cloudflare's own 522 documentation describes it as a timeout while contacting the origin web server. That small distinction matters because adding application cache may help an overloaded origin, but it will not fix a network ACL silently dropping Cloudflare IP ranges.

Command block for first response

# Public endpoint latency check
time curl -s -o /dev/null -w '%{http_code}\n' https://yourdomain.com/

# Direct origin checks
time curl -s -o /dev/null -w '%{http_code}\n' http://ORIGIN_IP/
time curl -s -o /dev/null -w '%{http_code}\n' --resolve yourdomain.com:443:ORIGIN_IP https://yourdomain.com/

# Runtime pressure
top -bn1 | head -n 20
vmstat 1 5
iostat -xz 1 3

# Service logs
sudo journalctl -u caddy --since '30 minutes ago' --no-pager | tail -n 120
sudo journalctl -u nginx --since '30 minutes ago' --no-pager | tail -n 120

Evidence to collect before changing settings

Typical 522 patterns

Fix order that reduces blast radius

  1. Stabilize origin health first (CPU/memory/worker pool).
  2. Confirm Cloudflare IP ranges are allowed at the host firewall, provider firewall, and any load balancer.
  3. Move heavy sync tasks to async jobs or queues, especially report generation and remote API calls.
  4. Add caching for high-repeat read endpoints, but only after confirming the origin is reachable.
  5. Increase reverse proxy and upstream worker capacity only when logs show queueing rather than dropped network paths.
  6. Re-test through Cloudflare and compare status/latency over 30-60 minutes.

Small production example

A static marketing page and /robots.txt return 200, but a pricing page returns 522 during crawler bursts. Direct origin curl is fast for /robots.txt and slow for /pricing/. That points away from DNS and toward application work on the pricing route. In that case, fix the route's database/API dependency and add cache. If none of the failing requests appears in origin logs, the better path is firewall and provider network investigation, not app tuning.

After-fix validation

For successful recovery, public pages should return mostly 200/301/304 and no repeated 522 on homepage, sitemap, and high-traffic question pages.

Useful references: Cloudflare 522 support docs and the LLMs File 52x checklist generator.

If requests are refused instead of timing out, continue with Cloudflare 521 web server down.

Generate full 522 checklist