When a website displays a 5xx error message, it usually means something went wrong on the server or network path. These errors can arise from issues within the web server (Apache, Nginx, IIS, etc.), or from problems in a proxy or load-balancing system such as AWS Application Load Balancer (ALB), Google Cloud Load Balancer, or Cloudflare. In this guide, we’ll cover 11 common 5xx error messages, explain what causes them - whether in the server, proxy, or connection chain - and how to fix each one to keep your website reliable and SEO-healthy.
Error 500 Internal Server Error
Error 500 generally indicates an issue with your origin web server. “Error establishing database connection” is a common HTTP 500 error message generated by your origin web server.
How to fix 500 error
Give your hosting provider the following details to help them troubleshoot the issue:
- Your domain name
- The time and timezone of the 500 error occurrence
- The output of www.example.com/cdn-cgi/trace from the browser where the 500 error was observed (replace www.example.com with your actual domain and hostname)
Error 502 or 504 From Your Origin Web Server
If the error does not mention “proxy name,” contact your hosting provider for assistance with 502/504 errors from your origin (the most common cause).
How to fix 502 or 504 error
First, ensure the origin server responds to requests for the hostname and domain within the visitor's URL that generated the 502 or 504 error.
Second, investigate excessive server loads, crashes, or network failures.
Third, identify applications or services that timed out or were blocked.
To avoid delays processing your inquiry, provide these required details to your server/proxy support:
- Time and timezone the issue occurred.
- URL that resulted in the HTTP 502 or 504 response
- Output from browsing to /cdn-cgi/trace.
Error 503 Service Temporarily Unavailable
HTTP error 503 occurs when your origin web server is overloaded. There are two possible causes discernible by error message:
- Error doesn’t contain proxy in the HTML response body
- Error contains proxy in the HTML response body.
How to fix 503 error
Solution 1: Contact your hosting provider to verify if they rate limit requests to your origin web server.
Solution 2: A connectivity issue occurred in a proxy data center. Provide proxy support with the following information:
- Your domain name
- The time and timezone of the 503 error occurrence
- The output of www.example.com/cdn-cgi/trace from the browser where the 503 error was observed (replace www.example.com with your actual domain and hostname)
Error 520 Web Server Returns an Unknown Error
Error 520 occurs when the origin server returns an empty, unknown, or unexpected response. 520 errors are prevalent with certain PHP applications that crash the origin web server.
How to fix 520 error
A quick workaround while further investigating 520 errors is to temporarily pause any DNS service. Contact your hosting provider or site administrator and request a review of your origin web server error logs for crashes and to check for these common causes:
- Origin web server application crashes
- Your origin web server not allowing certain DNS IPs.
- Headers exceeding 16 KB (sometimes due to too many cookies)
- An empty response from the origin web server that lacks an HTTP status code or response body
- Missing response headers or origin web server not returning proper HTTP error responses.
If 520 errors continue after contacting your hosting provider or site administrator, provide the following information to proxy support:
- Full URL(s) of the resource requested when the error occurred
- Output from http://example.com/cdn-cgi/trace
- HAR File (HTTP Archive)
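The response-level causes in the list above (empty response, missing status code, missing headers, headers over 16 KB) can be checked against a raw response captured from the origin. This is an added example, not code from the original guide; the function name, finding codes and sample responses are constructed for illustration.

```python
HEADER_LIMIT = 16 * 1024  # the 16 KB header limit quoted in the list above

def check_origin_response(raw: bytes) -> list:
    """Return (code, detail) findings for one raw HTTP/1.x origin response."""
    if not raw.strip():
        return [("empty-response", "no status line, headers or body")]
    findings = []
    head, sep, _body = raw.partition(b"\r\n\r\n")
    lines = [ln for ln in head.split(b"\r\n") if ln]
    first = lines[0] if lines else b""
    parts = first.split(b" ", 2)
    status_ok = (len(parts) >= 2 and parts[0].startswith(b"HTTP/")
                 and len(parts[1]) == 3 and parts[1].isdigit())
    if not status_ok:
        findings.append(("bad-status-line", repr(first[:40])))
    if not sep:
        findings.append(("truncated-headers", "no blank line ends the headers"))
    # Without a valid status line, every line seen is treated as a header.
    headers = lines[1:] if status_ok else lines
    if not headers:
        findings.append(("no-headers", "nothing but a status line"))
    size = len(head) + len(sep)
    if size > HEADER_LIMIT:
        cookies = sum(len(h) + 2 for h in headers
                      if h.lower().startswith(b"set-cookie:"))
        findings.append(("headers-too-large",
                         f"{size} bytes, {cookies} of them in Set-Cookie"))
    return findings

# Constructed samples, not captured traffic.
OK = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html></html>"
NO_STATUS = b"Content-Type: text/html\r\n\r\nFatal error"
STATUS_ONLY = b"HTTP/1.1 200 OK\r\n\r\n"
MANY_COOKIES = (b"HTTP/1.1 200 OK\r\n"
                + b"".join(b"Set-Cookie: c%d=%s; Path=/\r\n" % (i, b"x" * 500)
                           for i in range(40))
                + b"\r\n")

if __name__ == "__main__":
    for name, raw in [("ok", OK), ("empty", b""), ("no status", NO_STATUS),
                      ("status only", STATUS_ONLY), ("cookies", MANY_COOKIES)]:
        print(name, check_origin_response(raw))
```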
Error 521 Web Server is Down
Error 521 occurs when the origin web server refuses connections. Security solutions at your origin may block legitimate connections from certain IP addresses. The two most common causes of 521 errors are:
- Offlined origin web server application
- Blocked proxy requests
How to fix 521 error
- Ensure your origin web server is responsive
- Review origin web server error logs to identify web server application crashes or outages.
- Confirm IP addresses are not blocked or rate limited by any proxy or DNS service
- If you use an SSL/TLS service, confirm you have installed the right certificate
Error 522 Connection Timed Out
Error 522 occurs when you are connecting to the origin web server, but you do not receive a response within the expected time limit - usually because the server is overloaded, misconfigured, offline, or blocked by a firewall/network issue.
How to fix 522 error
- Check server availability: ensure the server is online and running, and try pinging the address.
- Make sure firewalls, routers, or security groups aren’t blocking incoming or outgoing connections on required ports (e.g., 80, 443)
- Check server load and resources: high CPU or memory usage can make the server too slow to respond.
- Inspect DNS settings: ensure the domain resolves to the correct IP address. You can use the dig or nslookup commands to inspect it.
Error 523 Origin is Unreachable
Error 523 means the client cannot reach your origin server at all: the connection fails before any response is received. This is typically a network path failure, so fix the DNS, firewall, or network connection to restore access. This type of error happens when:
- The server’s IP address is unreachable (down or not routing properly).
- DNS records point to an invalid or private IP.
- A firewall or router is blocking the connection.
- The server is powered off or disconnected from the network.
How to fix 523 error
- Confirm the correct origin IP address is listed for A or AAAA records within your proxy if you are using one.
- Verify DNS: Make sure your domain resolves to the correct public IP. Use the command nslookup.
- Check Server Status: Ensure the origin server is online and accessible from outside your network. Use the commands ping and traceroute.
- Review Firewall/Security Rules: Allow inbound traffic on ports 80 (HTTP) and 443 (HTTPS).
- Confirm Network Configuration: The server should have a public IP and correct gateway settings. Check for routing or NAT issues if using a private network.
Error 524 A Timed Out
Error 524 indicates that a connection to the server was successfully established, but the server did not respond before the default 100-second timeout expired. This can happen because the server has too much work to do (e.g. a large data query) or because the server is struggling for resources and cannot return any data in time.
How to fix 524 error
Here are the options we would suggest to work around this issue:
- Check server performance: Monitor CPU, RAM, and disk I/O for a long-running process
- Adjust timeout settings: Increase limits in your web server.
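The 521, 522, 523 and 524 descriptions above differ only in where the connection to the origin stops, so a single probe of your own origin can tell them apart. This is an added example, not code from the original guide: `classify_origin` and the hostname in the usage line are hypothetical, and the 15-second connect timeout is an assumed value (only the 100-second response timeout comes from the text).

```python
import socket

def classify_origin(host, port=80, connect_timeout=15.0, response_timeout=100.0):
    """Probe an origin over plain TCP/HTTP and return (code, reason).

    response_timeout defaults to the 100 seconds quoted for error 524;
    connect_timeout is an assumed value, the guide does not give one.
    """
    try:
        family, kind, proto, _, addr = socket.getaddrinfo(
            host, port, type=socket.SOCK_STREAM)[0]
    except socket.gaierror as exc:
        return ("523", f"hostname does not resolve: {exc}")
    sock = socket.socket(family, kind, proto)
    try:
        sock.settimeout(connect_timeout)
        try:
            sock.connect(addr)
        except ConnectionRefusedError:
            return ("521", "origin refused the connection")
        except (socket.timeout, TimeoutError):
            return ("522", "no answer to the connection attempt")
        except OSError as exc:  # e.g. network or host unreachable
            return ("523", f"no route to origin: {exc}")
        sock.settimeout(response_timeout)
        request = f"HEAD / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n"
        try:
            sock.sendall(request.encode("ascii"))
            reply = sock.recv(1024)
        except (socket.timeout, TimeoutError):
            return ("524", "connected, but no response before the timeout")
        except OSError as exc:
            return ("520", f"connection broke mid-request: {exc}")
        if not reply:
            return ("520", "origin closed the connection without a response")
        # Success: report the status line the origin actually sent.
        return ("ok", reply.split(b"\r\n", 1)[0].decode("latin-1"))
    finally:
        sock.close()

if __name__ == "__main__":
    print(classify_origin("origin.example.com"))  # hypothetical hostname
```

Run it from outside your own network as well as from the server itself: a result that differs between the two points at a firewall or routing rule rather than the web server.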
Error 525 SSL Handshake Failed
Error 525 means the secure connection (HTTPS) couldn’t be established because the SSL/TLS handshake between the client and the server failed - the two sides couldn’t agree on how to encrypt the communication. A 525-type issue happens when:
- The SSL certificate is invalid, expired, or misconfigured.
- The server doesn’t support the TLS version or cipher the client requests.
- There’s a mismatch between HTTP and HTTPS settings (e.g., forced HTTPS but no valid cert).
- Firewall or proxy interrupts the SSL negotiation.
How to fix 525 error
- Check SSL certificate validity: Make sure it’s not expired and matches your domain.
- Confirm correct TLS configuration: Enable modern TLS versions (1.2 or 1.3)
- Ensure the web server is serving HTTPS correctly: In Apache → confirm SSLEngine on and correct SSLCertificateFile paths. In Nginx → confirm listen 443 ssl; and correct certificate files.
- Review proxy or load balancer SSL settings: Make sure SSL termination points and certificates are configured consistently.
Error 526 Invalid SSL Certificate
Error 526 means the client (or proxy) connected to the server successfully, but the SSL certificate presented by the server is invalid - so the secure HTTPS connection can’t be trusted or completed. A “526-type” situation occurs when:
- The SSL certificate is expired, self-signed, or revoked.
- The certificate’s Common Name (CN) doesn’t match the domain.
- The server isn’t providing the full certificate chain (missing intermediate certs).
- Misconfigured HTTPS/virtual host presents the wrong certificate.
How to fix Error 526
Request your server administrator or hosting provider to review the origin web server’s SSL certificates and verify that:
- Certificate is not expired
- Certificate is not revoked
- Certificate is signed by a Certificate Authority (not self-signed)
- The requested or target domain name and hostname are in the certificate’s Common Name (CN) or Subject Alternative Name (SAN)
- Your origin web server accepts SSL connections over port 443
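Two items on this checklist, expiry and hostname coverage, can be monitored before they turn into a 526. This is an added example, not code from the original guide: it reviews certificate metadata in the shape Python's `ssl.SSLSocket.getpeercert()` returns. The function names, the 30-day warning window and the sample certificate are assumptions made for illustration.

```python
import ssl
import time

def cert_names(cert):
    """DNS names a client will match: SAN entries, else the subject CN."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn
            if k == "commonName"]

def name_matches(pattern, host):
    """Exact match, or a '*.' wildcard covering exactly one left-most label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        label, _, rest = host.partition(".")
        return bool(label) and rest == pattern[2:]
    return pattern == host

def review_cert(cert, hostnames, now=None, warn_days=30):
    """Return findings for expiry and hostname coverage (empty list = clean)."""
    now = time.time() if now is None else now
    findings = []
    days_left = (ssl.cert_time_to_seconds(cert["notAfter"]) - now) / 86400
    if days_left < 0:
        findings.append("expired")
    elif days_left < warn_days:  # warn_days is an assumed threshold
        findings.append("expires-soon")
    names = cert_names(cert)
    for host in hostnames:
        if not any(name_matches(n, host) for n in names):
            findings.append(f"no-name-for:{host}")
    return findings

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns.
SAMPLE_CERT = {
    "subject": ((("commonName", "example.com"),),),
    "notAfter": "Jun  1 12:00:00 2030 GMT",
    "subjectAltName": (("DNS", "example.com"), ("DNS", "*.example.com")),
}

if __name__ == "__main__":
    print(review_cert(SAMPLE_CERT, ["example.com", "a.b.example.com"]))
```

`getpeercert()` only returns this dict for a certificate that passed validation, so the check suits a working origin that you want to keep working; revocation and chain completeness are not covered here.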
Error 530 Access Denied
Error 530 generally means “Access Denied” or “Unauthorized”, depending on the system - but it’s not a standard HTTP status code defined by the official RFCs. It’s typically platform-specific. Common causes might be:
- Web or Proxy Context: Some CDNs or proxies (like Cloudflare or other intermediaries) use Error 530 to mean that an IP address or region is blocked by security/firewall rules, that the domain isn’t active or configured properly on the CDN, or that authentication failed between the proxy and origin.
- FTP Context: In FTP (File Transfer Protocol), Error 530 means that the username or password is wrong, the user doesn’t have permission for the requested directory, or the FTP service is misconfigured or disabled.
How to Fix Error 530
- Check your firewall or WAF rules.
- Confirm the domain is active and correctly mapped to your hosting.
- Verify login or authentication details if the request needs credentials.
- Ensure the FTP user has permission for the directory.
- Check FTP server configuration or restart the service.
Final Thoughts
Understanding 5xx error messages is key to maintaining a reliable and high-performing website. Whether the issue originates from your web server (Apache, Nginx, IIS, etc.), a proxy or load balancer such as Cloudflare, AWS ALB, or Google Cloud Load Balancer, or a network timeout between systems, each error carries valuable diagnostic clues. By identifying the root cause and applying the right fix, you can minimize downtime, protect your SEO rankings, and ensure a smooth user experience. Regular monitoring and server-side optimization are your best defenses against future 5xx disruptions.