Cloudflare sits between visitors and your website. When Cloudflare cannot connect to your origin server (your GARMTECH hosting), it shows an error page such as 521, 522 or 523.
This article focuses on the most common causes on GARMTECH hosting and how to fix them.
What the error codes usually mean
- 521 — the origin refuses the connection (origin is down, firewall/security block, wrong IP/port).
- 522 — Cloudflare can reach the network but the origin does not respond in time (timeout, overloaded origin, blocked traffic).
- 523 — Cloudflare cannot reach the origin IP address (wrong DNS record, IP changed, origin is unreachable).
Step 1 — Confirm your DNS points to the correct GARMTECH server
- Open My.GARMTECH and find the server IP address of your hosting service (or check it in Plesk on the service/domain page).
- In Cloudflare, go to DNS and check your records:
  - A record for @ (root domain) should point to the correct IPv4 address.
  - CNAME for www should point to @ (recommended) or another correct target.
- If you do not use IPv6 on your hosting, remove any incorrect AAAA records. A wrong AAAA record is a common reason for intermittent Cloudflare errors.
Tip: If you recently moved the website, make sure Cloudflare does not still point to the old IP.
Step 2 — Test the origin directly (bypass Cloudflare)
To separate a Cloudflare issue from a hosting issue, temporarily bypass the Cloudflare proxy:
- In Cloudflare DNS, change the record for your domain to DNS only (grey cloud).
- Wait 1–5 minutes and open your website again.
- If the website also does not open in DNS only mode, the issue is on the hosting side (website/app error, service suspended, disk quota, etc.). Fix the origin first.
- If the website opens in DNS only mode but fails when proxy is enabled, continue with the next steps.
Step 3 — Check Cloudflare SSL/TLS mode and origin certificate
On GARMTECH hosting, the recommended setup is:
- Install an SSL certificate for the domain in Plesk (for example, a free Let’s Encrypt certificate).
- In Cloudflare, set SSL/TLS encryption mode to Full (strict).
Avoid Flexible mode for production websites. It can cause redirect loops and insecure connections because Cloudflare connects to the origin via HTTP.
Step 4 — Make sure origin security is not blocking Cloudflare
Cloudflare proxy traffic comes from Cloudflare IP addresses. If your site has aggressive security settings, the origin can refuse connections (often visible as error 521).
- If you use Imunify360 on hosting, open Plesk → Imunify360 and review blocked IPs / incidents. Remove blocks that affect Cloudflare and avoid “block entire Cloudflare ranges” unless you fully understand the impact.
- If you use a WordPress security plugin (Wordfence, iThemes, etc.), temporarily disable strict rules to confirm it is not blocking Cloudflare requests.
- Do not block ports 80 and 443 to the origin. Cloudflare connects to your website on these ports.
Step 5 — Common Cloudflare configuration traps
- Wrong “www” setup: using www with a wrong target can break only one hostname.
- Proxy enabled for mail/FTP records: do not proxy mail records (MX) or non-HTTP services. Keep them DNS only.
- Mixed HTTP/HTTPS redirects: if you force HTTPS in Plesk and also enable “Always Use HTTPS” in Cloudflare, it usually works, but misconfigured rules can create loops. If you see loops, temporarily disable one layer and test.
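The record checks from Step 1 and Step 5 can be run over a copy of your Cloudflare DNS records. The script below is an added example, not a GARMTECH or Cloudflare tool. The record field names (type, name, content, proxied), the sample records, the example.com zone, the 203.0.113.10 origin address and the mail/ftp hostnames are all assumptions made for illustration.

```python
import ipaddress

# Constructed sample records; 203.0.113.10 stands in for the origin IP
# shown in My.GARMTECH or Plesk. Field names are an assumed export shape.
SAMPLE_RECORDS = [
    {"type": "A", "name": "example.com", "content": "198.51.100.7", "proxied": True},
    {"type": "AAAA", "name": "example.com", "content": "2001:db8::1", "proxied": True},
    {"type": "CNAME", "name": "www.example.com", "content": "old-host.example.net", "proxied": True},
    {"type": "A", "name": "mail.example.com", "content": "203.0.113.10", "proxied": True},
    {"type": "MX", "name": "example.com", "content": "mail.example.com", "proxied": False},
]

NON_HTTP_LABELS = {"mail", "ftp"}  # assumed hostnames for mail/FTP services


def audit_records(records, zone, origin_ipv4, origin_ipv6=None):
    """Return (name, type, finding) tuples for records that break the Step 1 / Step 5 rules."""
    origin4 = ipaddress.ip_address(origin_ipv4)
    origin6 = ipaddress.ip_address(origin_ipv6) if origin_ipv6 else None
    zone = zone.lower().rstrip(".")
    web_names = {zone, "www." + zone}
    findings = []
    for rec in records:
        rtype = rec["type"].upper()
        name = rec["name"].lower().rstrip(".")
        content = rec["content"].strip().lower().rstrip(".")
        if rtype == "A" and name in web_names:
            if ipaddress.ip_address(content) != origin4:
                findings.append((name, rtype, f"points to {content}, expected origin {origin4}"))
        elif rtype == "AAAA" and name in web_names:
            if origin6 is None:
                findings.append((name, rtype, "hosting has no IPv6: remove this record"))
            elif ipaddress.ip_address(content) != origin6:
                findings.append((name, rtype, f"points to {content}, expected origin {origin6}"))
        elif rtype == "CNAME" and name == "www." + zone and content not in {"@", zone}:
            findings.append((name, rtype, f"targets {content}: confirm it resolves to the origin"))
        # Mail/FTP hostnames must stay DNS only (grey cloud).
        if rec.get("proxied") and (rtype == "MX" or name.split(".")[0] in NON_HTTP_LABELS):
            findings.append((name, rtype, "non-HTTP record is proxied: set it to DNS only"))
    return findings


if __name__ == "__main__":
    for name, rtype, finding in audit_records(SAMPLE_RECORDS, "example.com", "203.0.113.10"):
        print(f"{rtype:5} {name:20} {finding}")
```

Pass the IPv6 address as the fourth argument only if your hosting service actually has one; otherwise every AAAA record on the root or www hostname is reported.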
What to include if you need further investigation
- The domain name and when the issue started.
- Screenshot of the Cloudflare error page and the error code (521/522/523).
- Whether the site opens when the DNS record is set to DNS only.
- The A/AAAA/CNAME records currently set in Cloudflare (values only, no sensitive data).