Question

How to fix error 521 with Cloudflare with a DigitalOcean one-click WordPress VPS?

I have a one-click WordPress droplet with Apache which I’m setting up with Cloudflare, but I’m getting the 521 error after 24 hours of running correctly. In the ufw logs I found these:

Oct 9 03:13:11 server kernel: [321863.958922] [UFW BLOCK] IN=eth0 OUT= MAC=aa:55 SRC=103.21.125.80 DST=192.241.xxx.xx LEN=40 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=TCP SPT=24217 DPT=443 WINDOW=0 RES=0x00 RST URGP=0
Oct 10 23:04:43 server kernel: [479753.958110] [UFW BLOCK] IN=eth0 OUT= MAC=aa:55 SRC=108.162.221.158 DST=192.241.xxx.xx LEN=40 TOS=0x00 PREC=0x00 TTL=55 ID=0 DF PROTO=TCP SPT=61238 DPT=443 WINDOW=0 RES=0x00 RST URGP=0
Oct 10 23:03:52 server kernel: [479703.575523] [UFW BLOCK] IN=eth0 OUT= MAC=aa:55 SRC=108.162.221.176 DST=192.241.xxx.xx LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=52244 DPT=443 WINDOW=0 RES=0x00 RST URGP=0
Oct 10 09:16:25 server kernel: [430057.326473] [UFW BLOCK] IN=eth0 OUT= MAC=aa:55 SRC=162.158.62.132 DST=192.241.xxx.xx LEN=40 TOS=0x00 PREC=0x00 TTL=58 ID=0 DF PROTO=TCP SPT=64694 DPT=443 WINDOW=0 RES=0x00 RST URGP=0
Oct 10 09:20:12 server kernel: [430283.566827] [UFW BLOCK] IN=eth0 OUT= MAC=aa:55 SRC=162.158.62.224 DST=192.241.xxx.xx LEN=40 TOS=0x00 PREC=0x00 TTL=58 ID=0 DF PROTO=TCP SPT=13066 DPT=443 WINDOW=0 RES=0x00 RST URGP=0
Oct 10 10:11:24 server kernel: [433355.930680] [UFW BLOCK] IN=eth0 OUT= MAC=aa:55 SRC=162.158.62.24 DST=192.241.xxx.xx LEN=52 TOS=0x00 PREC=0x00 TTL=58 ID=53124 DF PROTO=TCP SPT=65446 DPT=8443 WINDOW=64240 RES=0x00 SYN URGP=0

And in the fail2ban plugin I found these:

2022-10-10 09:00:36,485 fail2ban.filter [804]: INFO [wordpress-hard] Found 162.158.62.98 - 2022-10-10 09:00:36
2022-10-10 09:01:37,795 fail2ban.filter [804]: INFO [wordpress-hard] Found 162.158.62.6 - 2022-10-10 09:01:37
2022-10-10 09:10:48,327 fail2ban.filter [804]: INFO [wordpress-hard] Found 162.158.62.116 - 2022-10-10 09:10:48
2022-10-11 01:43:59,172 fail2ban.filter [804]: INFO [wordpress-hard] Found 108.162.221.182 - 2022-10-11 01:43:59

2022-10-11 01:36:52,798 fail2ban.filter [804]: INFO [wordpress-hard] Found 162.158.62.214 - 2022-10-11 01:36:52
2022-10-11 01:37:54,128 fail2ban.filter [804]: INFO [wordpress-hard] Found 162.158.62.224 - 2022-10-11 01:37:54

For these reasons, I thought the problem was the UFW firewall and the fail2ban plugin, so I whitelisted the Cloudflare IP addresses. However, after I did this, the same thing happened the next day. The logs for UFW showed IPs from 162.158.x.x getting blocked, and the WordPress login got blocked by Jetpack before it said that 162.158.x.x was doing security violations, which, of course, was not my actual IP address.

It’s not until I disable Cloudflare that I can regain access to the site.

Also, at Cloudflare, the site is configured with the “Full” SSL option. The WordPress site is using HTTPS with a Let’s Encrypt certificate.

  • What am I doing wrong and how do I fix this problem?
  • Why are only the 162.158.x.x IP addresses getting blocked?
  • Does anyone know of, or have, a step-by-step tutorial on how to integrate a site with Cloudflare?
  • I’ve been looking online and all the tutorials cover the very basics.

PS: I have already read the Cloudflare recommendations (at https://community.cloudflare.com/t/community-tip-fixing-error-521-web-server-is-down/42461) but the solutions are working for me.



alexdo
Site Moderator
November 7, 2022

Hello there,

Have you allowed the IPs for port 443 as well? You can use the following command in order to allow it.

    iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT

You can also check this question that was previously asked in our community

https://www.digitalocean.com/community/questions/how-to-whitelist-cloudflare-ips

Regards
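
An added example, not part of the original thread or the moderator's answer: a Python triage of [UFW BLOCK] lines like those in the question, separating blocked new connections (SYN) from stray non-SYN packets and checking whether each source is inside Cloudflare's ranges. The range list is an assumed snapshot of Cloudflare's published IPv4 ranges, the function names are hypothetical, and the sample lines are trimmed from the question's log.

```python
import ipaddress
import re

# Assumption: snapshot of Cloudflare's published IPv4 ranges; refresh it from
# https://www.cloudflare.com/ips-v4 before relying on the result.
CLOUDFLARE_V4 = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/16", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
)]
FIELD = re.compile(r"\b(SRC|DPT)=(\S+)")
FLAG = re.compile(r"\b(SYN|ACK|RST|FIN|PSH)\b")

# Trimmed from the [UFW BLOCK] lines quoted in the question (MAC, TTL, ID removed).
SAMPLE = [
    "[UFW BLOCK] IN=eth0 OUT= SRC=103.21.125.80 DST=192.241.xxx.xx PROTO=TCP SPT=24217 DPT=443 WINDOW=0 RES=0x00 RST URGP=0",
    "[UFW BLOCK] IN=eth0 OUT= SRC=108.162.221.158 DST=192.241.xxx.xx PROTO=TCP SPT=61238 DPT=443 WINDOW=0 RES=0x00 RST URGP=0",
    "[UFW BLOCK] IN=eth0 OUT= SRC=162.158.62.24 DST=192.241.xxx.xx PROTO=TCP SPT=65446 DPT=8443 WINDOW=64240 RES=0x00 SYN URGP=0",
]


def parse_ufw_block(line):
    """Return source, destination port, TCP flags and range membership, or None."""
    if "[UFW BLOCK]" not in line:
        return None
    fields = dict(FIELD.findall(line))
    try:
        src = ipaddress.ip_address(fields["SRC"])
        dpt = int(fields["DPT"])
    except (KeyError, ValueError):
        return None  # masked or malformed address/port
    # TCP flags are the bare words that follow the RES= field
    flags = set(FLAG.findall(line.split("RES=", 1)[-1]))
    in_cf = any(src in net for net in CLOUDFLARE_V4)
    return {"src": str(src), "dpt": dpt, "flags": flags, "cloudflare": in_cf}


def triage(entry):
    """Classify one parsed entry for a 521 investigation."""
    if not entry["cloudflare"]:
        return "not-cloudflare"           # allow-listing Cloudflare will not cover it
    if entry["flags"] == {"SYN"}:
        return "new-connection-blocked"   # no allow rule matched this port
    return "stray-non-syn"                # not a new connection attempt


def summarize(lines):
    """Return (src, dpt, verdict) for every parsable block line."""
    parsed = (parse_ufw_block(line) for line in lines)
    return [(e["src"], e["dpt"], triage(e)) for e in parsed if e]
```

On the trimmed sample, the first source falls outside the listed ranges, the second is a stray RST on port 443, and only the SYN to port 8443 is a refused new connection.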
