July 1, 2026

Career Flyes

Fly With Success

Error 523: Causes and Solutions

9 min read

Error 523 is a connectivity error commonly associated with websites using Cloudflare as a reverse proxy, content delivery network, or DNS management layer. It appears when Cloudflare can be reached by the visitor’s browser, but Cloudflare cannot establish a connection to the origin web server where the website is hosted. In simple terms, the website’s protective front layer is online, but the server behind it is unreachable.

TLDR: Error 523 means Cloudflare cannot connect to the origin server. The most common causes include an offline server, incorrect DNS records, firewall blocks, routing issues, or hosting provider problems. The solution usually involves checking the server status, verifying DNS settings, allowing Cloudflare IP addresses, and contacting the hosting provider if the server or network is unavailable.

What Error 523 Means

Error 523: Origin is unreachable indicates that Cloudflare successfully received a request from a visitor but failed to connect to the origin server. This differs from errors where the visitor’s browser cannot reach Cloudflare at all. In this case, Cloudflare is active, but the server that stores the website files, databases, and applications is not responding properly.

For a typical website, the visitor’s browser sends a request to Cloudflare. Cloudflare then contacts the origin server, retrieves the requested content, and delivers it back to the visitor. When Error 523 occurs, that middle step fails. Cloudflare cannot reach the origin server over the expected network route, so the visitor sees an error page instead of the website.

This error can affect any type of website, including blogs, e commerce stores, business websites, web applications, and membership platforms. It is especially disruptive when the affected site depends on real time user activity, sales, or customer support.

Common Causes of Error 523

Although the message may appear simple, Error 523 can have several possible causes. A careful investigation usually begins with the origin server and then moves outward to DNS, firewall, routing, and hosting infrastructure.

1. The Origin Server Is Offline

The most direct cause is that the origin server is down. This may happen because of a server crash, hardware failure, resource exhaustion, scheduled maintenance, or an operating system issue. If the server is not running, Cloudflare has no destination to connect to.

Signs of an offline server may include failed SSH access, an unavailable hosting control panel, database connection errors, or monitoring alerts. In some cases, the website may have exceeded CPU, memory, or bandwidth limits, causing the hosting provider to suspend or throttle the server.

2. Incorrect DNS Records

Cloudflare relies on DNS records to know where the origin server is located. If the A record, AAAA record, or CNAME record points to the wrong IP address or an outdated server, Cloudflare may try to connect to a destination that no longer hosts the website.

This often occurs after a website migration, hosting change, server rebuild, or IP address update. If DNS records are not updated correctly, Cloudflare may continue sending requests to an unreachable or incorrect origin.

3. Firewall Blocking Cloudflare

Many servers use firewalls to block suspicious traffic. However, when firewall rules are overly strict, they may accidentally block Cloudflare’s IP addresses. Since Cloudflare acts as a proxy, the origin server often sees Cloudflare IP ranges rather than the visitor’s direct IP address.

If those Cloudflare IP ranges are blocked, rate limited, or filtered by security software, the connection may fail and trigger Error 523. This can happen through tools such as iptables, firewalld, CSF, fail2ban, web application firewalls, or hosting provider security systems.

4. Network Routing Problems

Sometimes the server is online, and the DNS records are correct, but the network path between Cloudflare and the origin server is broken. This is known as a routing issue. It may involve an internet service provider, data center, upstream carrier, or regional network outage.

Routing problems can be difficult to diagnose because the site may work from one location but fail from another. Cloudflare may be unable to reach the origin server from certain data centers even though other users or monitoring services can reach it.

5. Hosting Provider Issues

The hosting provider may experience outages, network maintenance, IP blocks, or misconfigured infrastructure. Shared hosting users have less control over these problems because the server environment is managed by the provider. Dedicated server and VPS users may have more tools available, but provider level network problems still require support intervention.

When Error 523 affects multiple websites on the same hosting account or server, the cause is often related to the hosting environment rather than a single website configuration.

6. Server Listening on the Wrong Port

Cloudflare expects the origin server to respond on supported HTTP or HTTPS ports. If the web server is not listening on the correct port, or if the port is closed, Cloudflare cannot complete the connection. Common web ports include 80 for HTTP and 443 for HTTPS.

This issue can happen after a server configuration change, web server restart failure, container deployment problem, or reverse proxy misconfiguration. Services such as Apache, Nginx, LiteSpeed, or Node based servers must be active and listening on the correct interface and port.

How to Diagnose Error 523

A structured troubleshooting process helps narrow down the source of the problem. Since Error 523 involves connection failure between Cloudflare and the origin, the investigation should focus on the server’s reachability.

Check Whether the Server Is Online

The site administrator should first confirm that the origin server is running. This may involve logging in through SSH, opening the hosting dashboard, checking server monitoring tools, or contacting the hosting provider. If the server is offline, restarting it may restore service, but the underlying cause should still be reviewed.

  • Check server uptime: Confirm whether the machine is powered on and reachable.
  • Review resource usage: High CPU, memory, disk, or bandwidth usage can cause failures.
  • Inspect service status: Apache, Nginx, PHP, database services, and application processes should be running.
  • Review logs: System and web server logs may reveal crashes, permission errors, or overload events.

Verify DNS Records in Cloudflare

The administrator should compare the IP address listed in Cloudflare DNS with the real public IP address of the origin server. If the website recently moved to another host, the old IP address may still be present. Correcting the DNS records can resolve the error once propagation and cache updates take effect.

Important DNS records include:

  • A record: Points a domain or subdomain to an IPv4 address.
  • AAAA record: Points a domain or subdomain to an IPv6 address.
  • CNAME record: Points one hostname to another hostname.

If an incorrect IPv6 record exists, Cloudflare may attempt to connect through IPv6 even when the server does not properly support it. Removing or correcting the AAAA record can sometimes resolve Error 523.

Test Direct Server Access

Testing the origin server directly can help determine whether the issue is related to Cloudflare or the server itself. This may be done by accessing the server IP address, using command line tools, or temporarily pausing Cloudflare proxying for diagnostic purposes.

If the origin server cannot be reached directly, the issue is likely with the server, firewall, or hosting network. If direct access works but Cloudflare still shows Error 523, firewall rules or Cloudflare specific routing may be involved.

Review Firewall and Security Rules

The server should allow inbound connections from Cloudflare IP ranges. Cloudflare publishes its official IP ranges, and these should be allowlisted in the server firewall, hosting control panel, and any security plugins or web application firewalls.

Security software may incorrectly classify Cloudflare requests as suspicious because many visitors appear to come from Cloudflare addresses. Rate limiting rules can also block Cloudflare when traffic spikes occur. Adjusting these rules can restore connectivity.

Solutions for Error 523

The correct solution depends on the root cause. However, several practical fixes apply to most cases.

1. Restart the Origin Server

If the server is unresponsive, a restart may bring it back online. This can be done through a hosting control panel, cloud provider dashboard, or command line access. After restarting, the administrator should confirm that the web server and database services also started properly.

A restart should not be treated as a permanent fix if the server repeatedly fails. Recurring outages may indicate resource limits, software errors, malware, traffic spikes, or failing hardware.

2. Correct Cloudflare DNS Settings

Incorrect DNS records should be updated to match the hosting provider’s current server IP address. Old records should be removed, especially if they point to retired servers. For sites using multiple subdomains, each relevant record should be checked individually.

After updating DNS records, the administrator may need to clear caches or wait briefly for changes to take effect. Cloudflare DNS changes are often fast, but server side and browser caching can still affect testing.

3. Allowlist Cloudflare IP Addresses

If the firewall is blocking Cloudflare, the official Cloudflare IP ranges should be added to the allowlist. This should be done at every security layer, including:

  • Server operating system firewall
  • Hosting provider firewall
  • Web application firewall
  • Security plugins
  • Load balancer or reverse proxy rules

At the same time, unnecessary blocks, aggressive rate limits, and automated bans affecting Cloudflare should be reviewed. The goal is to allow legitimate Cloudflare traffic while still protecting the origin server.

4. Confirm Web Server Port Availability

The origin server must accept traffic on the ports used by Cloudflare. The administrator should confirm that ports 80 and 443 are open if the site uses standard HTTP and HTTPS traffic. Web server configuration files should also be checked to ensure that the correct domains and virtual hosts are configured.

5. Contact the Hosting Provider

If the server appears unreachable from outside networks, the hosting provider should investigate. The provider can check data center connectivity, upstream routing, account suspension, IP reputation issues, hardware failures, and network level firewall rules.

When contacting support, the administrator should provide the domain name, server IP address, time of the error, Cloudflare error code, and any test results already collected. This helps the support team locate the issue faster.

How to Prevent Error 523

Preventing Error 523 requires reliable infrastructure, accurate configuration, and active monitoring. Website owners should not wait until visitors report downtime before checking server health.

  • Use uptime monitoring: Monitoring tools can alert administrators when the origin server becomes unreachable.
  • Keep DNS records documented: Server IP changes should be tracked during migrations or hosting upgrades.
  • Maintain firewall allowlists: Cloudflare IP ranges should remain allowed after firewall or security updates.
  • Monitor server resources: CPU, memory, disk space, and traffic usage should be reviewed regularly.
  • Plan migrations carefully: DNS, SSL, firewall, and server configurations should be verified before switching hosts.
  • Use a reliable hosting provider: Stable network infrastructure reduces the risk of origin reachability problems.

For high traffic or mission critical websites, redundant infrastructure may be valuable. Load balancing, backup servers, and failover strategies can reduce downtime when one origin server becomes unavailable.

Difference Between Error 523 and Similar Errors

Error 523 is sometimes confused with other Cloudflare errors. Understanding the difference helps administrators avoid unnecessary troubleshooting.

  • Error 522: Cloudflare timed out while trying to connect to the origin server.
  • Error 523: Cloudflare could not reach the origin server at all.
  • Error 524: Cloudflare connected to the origin server, but the server took too long to respond.
  • Error 525: The SSL handshake between Cloudflare and the origin server failed.
  • Error 526: The origin server’s SSL certificate was invalid.

These errors may look similar to visitors, but they point to different technical problems. Error 523 is specifically about origin reachability, so its investigation should focus on server availability, DNS accuracy, network routing, and firewall access.

FAQ

What does Error 523 mean?

Error 523 means Cloudflare is working, but it cannot connect to the origin server hosting the website. The server may be offline, blocked, incorrectly configured, or unreachable due to network issues.

Is Error 523 caused by the visitor’s browser?

No. Error 523 is usually not caused by the visitor’s browser, device, or internet connection. It is generally a server side or network connectivity issue between Cloudflare and the origin server.

How can a site owner fix Error 523 quickly?

The quickest steps are to confirm that the origin server is online, verify that Cloudflare DNS records point to the correct IP address, and ensure that the server firewall allows Cloudflare IP ranges.

Can incorrect DNS cause Error 523?

Yes. If Cloudflare DNS records point to the wrong IP address, Cloudflare may try to reach a server that does not host the website or is no longer active.

Can a firewall cause Error 523?

Yes. If a firewall, security plugin, or hosting level protection blocks Cloudflare IP addresses, Cloudflare may be unable to reach the origin server.

Should the hosting provider be contacted?

The hosting provider should be contacted when the origin server is offline, unreachable, or affected by network routing problems. Provider support can check infrastructure issues that the website administrator cannot access directly.

Is Error 523 permanent?

No. Error 523 is usually temporary and can be fixed once the origin server, DNS records, firewall rules, or network route are corrected.