How to Fix Cloudflare 522 Errors When Ports 80 and 443 Are Closed With xCloud

A Cloudflare 522 error usually means Cloudflare reached your domain but could not connect to the origin server in time. In xCloud, one common cause is that the server is online and SSH works, but the web ports 80 and 443 are blocked in UFW or another firewall layer.

This guide explains how to troubleshoot a Cloudflare 522 error caused by closed ports 80 and 443: confirm the firewall status, allow HTTP and HTTPS traffic, and verify that your site is live again. It covers symptoms such as Cloudflare 522, origin timeout, connection timed out, server disconnected, HTTPS port closed, HTTP port closed, UFW firewall issues, and general xCloud firewall troubleshooting.

When to use this guide

  • Your site shows Error 522 in Cloudflare.
  • The xCloud server still appears connected or reachable.
  • SSH works, but the website does not load.
  • External checks show port 80 or 443 is closed, filtered, or timing out.
  • Cloudflare says it cannot connect to the origin server.
  • Recent firewall, bot protection, fail2ban, iptables, nftables, or UFW changes were made.

What the Cloudflare 522 error means

Cloudflare Error 522 means the connection from Cloudflare to the origin server timed out. The server may still be running, but Cloudflare cannot complete a web connection to the origin over HTTP or HTTPS.

For most WordPress and web applications, the required web ports are:

  • Port 80 for HTTP traffic
  • Port 443 for HTTPS traffic
  • Port 22 for SSH access

If only port 22 is allowed, SSH can still work, but visitors and Cloudflare cannot reach the website. This creates a situation where the server may look available from SSH, but the public site remains down.

Before you start

  • Confirm that you have SSH or sudo user access to the server.
  • Make sure you understand the impact of firewall changes before running commands.
  • If you recently added custom firewall rules, keep a note of what was changed.
  • Do not disable the firewall completely unless you know why and have a rollback plan.

You can also review the xCloud server disconnected troubleshooting guide: Troubleshooting Guide: xCloud Server Disconnected.

Step 1: Confirm the site error

Open the affected domain in your browser and confirm the exact error. If Cloudflare shows Error 522, the issue is usually between Cloudflare and the origin server, not between the visitor and Cloudflare.

(Screenshot: Browser showing a Cloudflare 522 timeout for the affected domain)

Step 2: Check whether SSH still works

Try to connect to the server with SSH. You can use your normal SSH user, root access if available, or the xCloud sudo user feature.

ssh username@your-server-ip

If SSH connects but the website does not load, the server may be online while the web ports are blocked.

(Screenshot: xCloud server overview showing the server is connected while the public site is not loading)

Step 3: Check the UFW firewall status

After you connect with SSH, run the following command:

sudo ufw status

If the output only shows SSH rules, the web ports are not allowed. For example:

Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
22                         ALLOW       Anywhere
22/tcp (v6)                ALLOW       Anywhere (v6)
22 (v6)                    ALLOW       Anywhere (v6)

This output means SSH is allowed, but HTTP and HTTPS are not allowed through UFW. In this state, Cloudflare can show a 522 error because it cannot reach the origin server on port 80 or 443.

(Screenshot: SSH terminal showing UFW status with only SSH/port 22 allowed)

Step 4: Allow ports 80 and 443

Run these commands to allow standard web traffic:

sudo ufw allow 80
sudo ufw allow 443

Port 80 is required for HTTP. Port 443 is required for HTTPS. Even if your site redirects all visitors to HTTPS, port 80 is still commonly needed for redirects, certificate checks, and normal web routing.

Step 5: Confirm the firewall rules were added

Run the UFW status command again:

sudo ufw status

The output should now include port 80 and port 443 for both IPv4 and IPv6:

Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
22                         ALLOW       Anywhere
443                        ALLOW       Anywhere
80                         ALLOW       Anywhere
22/tcp (v6)                ALLOW       Anywhere (v6)
22 (v6)                    ALLOW       Anywhere (v6)
443 (v6)                   ALLOW       Anywhere (v6)
80 (v6)                    ALLOW       Anywhere (v6)

(Screenshot: SSH terminal showing UFW status with ports 22, 80, and 443 allowed)

Step 6: Verify the site loads again

Open the site in your browser and refresh Cloudflare if needed. You can also test both the HTTP and HTTPS versions:

  • http://your-domain.com
  • https://your-domain.com

The expected result is that the site loads normally and Cloudflare no longer shows the 522 timeout page.

(Screenshot: Website loading successfully after ports 80 and 443 are allowed)

Step 7: Check xCloud firewall settings

After fixing the immediate issue through SSH, review the firewall configuration in xCloud.

  1. Log in to your xCloud dashboard.
  2. Open the affected server.
  3. Go to Security → Firewall Management.
  4. Confirm that HTTP on port 80 is allowed.
  5. Confirm that HTTPS on port 443 is allowed.
  6. Review any custom deny rules that may have been added recently.

For more details, see How To Easily Configure Firewall Management With xCloud Hosting.

(Screenshot: xCloud Firewall Management page showing HTTP and HTTPS allowed)

If ports are allowed but the site still shows 522

If UFW shows ports 80 and 443 as allowed but the site still does not load, check whether the web server is listening on those ports.

sudo ss -ltnp | grep -E ':(80|443)[[:space:]]'

You should see a web server process listening on port 80 and/or 443. If nothing is listening, check the web server status. For OpenLiteSpeed, you can use:

sudo systemctl status lsws

If the service is stopped or failed, review the service logs before restarting it. Restarting services on a production server can affect active visitors, so confirm the impact first.

Common causes

  • A custom firewall command removed existing allow rules.
  • UFW was enabled without adding HTTP and HTTPS rules.
  • An anti-bot or emergency firewall change blocked web traffic.
  • A deny rule was added before the allow rules.
  • A server cleanup or hardening command modified iptables, nftables, or UFW rules.
  • The web server service stopped responding after configuration changes.
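
The script below is an added example, not part of the xCloud guide: it automates the check from Steps 3 and 5 and also flags the deny-before-allow ordering listed above. The function names `ufw_verdict` and `check_web_ports` and the sample status text are constructed for illustration; it assumes plain `sudo ufw status` output and only considers rules whose source is Anywhere.

```bash
# Added example: which UFW rule decides inbound TCP traffic to a web port?

# ufw_verdict PORT FAMILY   (FAMILY is v4 or v6; reads `ufw status` on stdin)
# Prints the action of the first rule from Anywhere that names PORT
# (ALLOW, DENY, REJECT, LIMIT), or MISSING when no such rule exists.
ufw_verdict() {
  awk -v port="$1" -v fam="$2" '
    /^--/ { in_rules = 1; next }      # rules start after the dashed header
    !in_rules || NF == 0 { next }
    {
      v6     = ($2 == "(v6)")         # IPv6 rows carry "(v6)" after the port
      action = v6 ? $3 : $2
      from   = v6 ? $4 : $3
      if ((fam == "v6") != v6 || from != "Anywhere") next
      split($1, to, "/")              # "443/tcp" -> port 443, proto tcp
      if (to[1] != port || (to[2] != "" && to[2] != "tcp")) next
      print action; found = 1; exit   # UFW stops at the first matching rule
    }
    END { if (!found) print "MISSING" }
  '
}

# check_web_ports: prints one line per port and family; returns 1 unless
# ports 80 and 443 are both decided by an ALLOW rule on IPv4 and IPv6.
check_web_ports() {
  local status rc=0 port fam verdict
  status=$(cat)
  for port in 80 443; do
    for fam in v4 v6; do
      verdict=$(printf '%s\n' "$status" | ufw_verdict "$port" "$fam")
      printf 'port %s (%s): %s\n' "$port" "$fam" "$verdict"
      [ "$verdict" = ALLOW ] || rc=1
    done
  done
  return "$rc"
}

# Constructed sample, not captured from a real server: 443/tcp is denied
# before 443 is allowed, and IPv6 has no rule for port 80.
SAMPLE_STATUS='Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
443/tcp                    DENY        Anywhere
80                         ALLOW       Anywhere
443                        ALLOW       Anywhere
443 (v6)                   ALLOW       Anywhere (v6)'
printf '%s\n' "$SAMPLE_STATUS" | check_web_ports || echo "web ports are not fully open"
```

On a server, pipe the live output in instead: `sudo ufw status | check_web_ports`.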

Prevention tips

  • Before enabling UFW, allow SSH, HTTP, and HTTPS.
  • Keep SSH open so you do not lock yourself out.
  • Avoid running copied firewall cleanup commands without reviewing them.
  • Document any custom firewall rules added for bot protection.
  • After changing firewall rules, test the website from an external network.
  • Use xCloud Firewall Management for standard port rules when possible.

Useful commands

# Check UFW status
sudo ufw status

# Allow HTTP
sudo ufw allow 80

# Allow HTTPS
sudo ufw allow 443

# Check listening web ports
sudo ss -ltnp | grep -E ':(80|443)[[:space:]]'

# Check OpenLiteSpeed status
sudo systemctl status lsws

For additional UFW reference, see the Ubuntu UFW community documentation.

Expected result

After ports 80 and 443 are allowed, Cloudflare should be able to connect to the origin server again. The site should load normally over HTTPS, and visitors should no longer see the Cloudflare 522 error.

FAQ

Why did SSH work when the website was down?

SSH uses port 22. Your website uses ports 80 and 443. If only port 22 is allowed, you can still connect to the server through SSH while Cloudflare and visitors cannot access the website.

Do I need both port 80 and port 443?

Yes. Port 443 is required for HTTPS traffic. Port 80 is commonly used for HTTP redirects, certificate validation, and normal web handling. Allow both unless you have a specific advanced firewall design.

Does Cloudflare 522 always mean the server is down?

No. A 522 can happen when the server is online but Cloudflare cannot connect to the origin web ports. That is why checking SSH, UFW rules, and web server status is important.

Should I disable UFW to fix this?

No. In most cases, you should keep the firewall active and allow the required ports. Disabling the firewall can expose more services than needed.

Still need help?

If the site still shows a Cloudflare 522 error after allowing ports 80 and 443, contact xCloud Support with the domain, server name, recent firewall changes, UFW status output, and any web server error shown in the xCloud logs or events.

Updated on May 22, 2026
