← Glossary / HTTP 523 Origin Unreachable (Cloudflare)

What is HTTP 523 Origin Unreachable (Cloudflare)?

HTTP 523 Origin Unreachable is a Cloudflare-specific status code indicating that the edge network successfully resolved the target's DNS but could not establish a TCP connection to the origin server. For scraping pipelines, it means the target infrastructure is down or misconfigured, not that your scraper has been blocked. Distinguishing a 523 from an anti-bot intervention is critical to prevent burning proxy bandwidth on a dead host.

CloudflareOrigin ErrorInfrastructureCircuit BreakerTCP Timeout
// 02 — definitions

The target
is down.

Cloudflare is standing at the door, but the origin server isn't answering. Here is why it happens and how your pipeline should react.

Ask a DataFlirt engineer →

TL;DR

An HTTP 523 occurs when Cloudflare cannot route traffic to the origin server due to network routing issues, origin downtime, or the origin firewall blocking Cloudflare's IPs. It is a target-side failure. Scrapers should implement circuit breakers rather than aggressive retries to handle 523s, as rotating proxies will not fix an origin outage.

01Definition & structure
An HTTP 523 is a custom status code generated by Cloudflare. It occurs when a client successfully connects to a Cloudflare edge node, but the edge node cannot route the request to the target's origin server. This usually implies a routing issue, a DNS misconfiguration on the target's end, or the origin server's firewall actively blocking Cloudflare's IP ranges.
02Why it happens
The most common cause is the target server going offline due to a crash or maintenance. Another frequent cause is the target's hosting provider updating their firewall rules and accidentally dropping Cloudflare's IP addresses. Because Cloudflare acts as a reverse proxy, if it cannot reach the origin, it serves the 523 error page to the client.
03Scraper vs Target Error
It is vital to distinguish a 523 from an anti-bot block. A 403 Forbidden or 1020 Access Denied means your scraper was detected and blocked by the edge. A 523 means your proxy, headers, and TLS fingerprint are perfectly fine—the edge accepted your request, but the target itself is broken. Rotating proxies in response to a 523 is a waste of resources.
04How DataFlirt handles it
We use a circuit breaker pattern. If a pipeline detects a spike in 523 errors (typically >5% over a brief window), we immediately pause the extraction workers. We then dispatch a single, low-cost datacenter probe to ping the target every 5 minutes. Once the probe receives a 200 OK, the circuit breaker closes, and the residential proxy workers resume the crawl.
05Did you know?
Sometimes targets intentionally sever the connection between their origin and Cloudflare during massive Layer 7 DDoS attacks to protect their database. During these events, all traffic—legitimate users, scrapers, and attackers—will receive a 523 Origin Unreachable error until the target provisions more capacity or mitigates the attack.
// 03 — retry logic

When to stop
hammering the edge.

Aggressively retrying a 523 error wastes proxy bandwidth and achieves nothing. DataFlirt uses a circuit breaker model to pause extraction jobs when origin failure rates spike.

Error rate threshold = E523 = count(523) / total_requests
If E > 0.05 over a 1-minute window, trip the circuit breaker. DataFlirt pipeline heuristics
Probe backoff delay = Twait = base × 2retry + jitter
Exponential backoff for probing the dead target, capped at 5 minutes. Standard retry architecture
DataFlirt probe cost = Cprobe = $0.00
Clients are never billed for requests that return 500-level origin errors. DataFlirt billing SLA
// 04 — pipeline trace

Hitting a dead
origin server.

A live trace of a scraper hitting a Cloudflare-protected target that has gone offline. Notice how the edge responds immediately, but the origin connection fails.

Cloudflare EdgeTCP TimeoutCircuit Breaker
edge.dataflirt.io — live
CAPTURED
// Request dispatched via residential proxy
GET /api/v1/inventory HTTP/2
Host: target-ecommerce.com

// Cloudflare edge processing
cf.edge.status: connected
cf.origin.resolve: 192.0.2.44
cf.origin.connect: timeout (15000ms)

// Response received
status: HTTP/2 523 Origin Unreachable
cf-ray: 8daaf6152771b0da-BOM

// Pipeline action
pipeline.error_rate: 12%
circuit_breaker: OPEN
action: pause_job, schedule_probe(5m)
// 05 — root causes

Why the origin
dropped off.

HTTP 523 is strictly an infrastructure error. Based on DataFlirt's telemetry across 300+ active pipelines, here is what usually causes a target to throw 523s.

SAMPLE SIZE ·  ·  ·  ·    300+ pipelines
WINDOW ·  ·  ·  ·  ·  ·   30d trailing
UPDATED ·  ·  ·  ·  ·  ·  2026-05-19
01

Target server crash / OOM

45% of 523s · Origin is completely offline
02

Origin firewall blocking CF

30% of 523s · Target accidentally blocked Cloudflare IPs
03

DNS / Routing misconfig

15% of 523s · BGP route leak or bad DNS record
04

Maintenance window

8% of 523s · Scheduled downtime without a proper 503
05

Physical network partition

2% of 523s · Datacenter connectivity loss
// 06 — DataFlirt architecture

Don't pay for,

target downtime.

When a target goes down and throws 523s, naive scrapers keep retrying, burning expensive residential proxy bandwidth and compute cycles. DataFlirt's orchestration layer detects origin failures within seconds. We trip a circuit breaker, pause the extraction workers, and shift to a low-cost datacenter probe that pings the target every few minutes. Once the origin recovers, the pipeline resumes automatically. You only pay for successful extractions, never for the target's infrastructure failures.

Circuit Breaker State

Live status of an extraction job paused due to origin 523 errors.

target.domain ecom-catalog-in
error.code HTTP 523 (Cloudflare)
breaker.state OPEN
workers.active 0
probe.interval 300s
probe.proxy datacenter_us
billing.status paused

Stay ahead of the pipeline

Data engineering
intel, weekly.

Anti-bot shifts, scraping infrastructure updates, dataset delivery patterns, and business outcomes from our pipelines. Short, technical, no fluff.

By submitting, you acknowledge our Privacy Notice.

// 07 — FAQ

Common
questions.

Common questions about Cloudflare origin errors, retry strategies, and how to handle target downtime in production pipelines.

Ask us directly →
What is the difference between a 522 and a 523 error? +
A 522 means Cloudflare could not establish a TCP connection to the origin (connection timed out). A 523 means Cloudflare could not reach the origin at all (routing issue, or the origin actively refused the connection). For a scraping pipeline, the practical response is identical: the target is down.
Does a 523 mean my scraper's IP has been blocked? +
No. A 523 is an origin infrastructure failure. If Cloudflare wanted to block your scraper, it would return a 403 Forbidden, a 1020 Access Denied, or serve a Turnstile challenge. Rotating your proxy will not fix a 523.
How long should I wait before retrying a 523? +
Implement exponential backoff. Start with a 30-second delay, double it on each subsequent failure, and cap it at 5 to 10 minutes. Do not retry aggressively — you are just wasting your own resources.
Can a 523 be a stealth ban against my scraper? +
It is extremely rare. While a target could theoretically configure their origin firewall to drop connections specifically routed from Cloudflare containing your specific headers, it's highly impractical. Anti-bot logic is almost always enforced at the edge (returning 403/1020) or at the application layer (returning a fake 200 with poisoned data).
How does DataFlirt handle billing for 523 errors? +
We don't bill for them. DataFlirt's pricing model is based on successful extractions. If a target goes offline and returns 500-level errors, our circuit breakers pause the job, and you incur zero cost for the downtime.
What happens if the target is permanently down? +
If a target returns continuous 523s for 24 hours, DataFlirt's orchestration layer flags the pipeline for manual review and alerts the client. We stop probing to prevent indefinite zombie jobs in the queue.
$ dataflirt scope --new-project --target=http-523-origin-unreachable-(cloudflare) READY

Tell us what
to extract.
We do the rest.

20-minute scoping call. Pilot dataset within the week. Production within two. Whether you need a one-off catalogue dump or a continuous feed across millions of records — we scope, build, and operate the pipeline.

Start a pipeline → View pricing
hello@dataflirt.com  ·  Bengaluru  ·  IST  ·  typical reply < 4h
// 08 — keep reading

Related glossary terms

Scraping Errors

HTTP 522 Connection Timed Out (Cloudflare)

The sister error to 523, indicating a TCP timeout between Cloudflare and the origin.

Read →
Scraping Errors

HTTP 521 Web Server Down (Cloudflare)

When the origin server refuses the connection from Cloudflare entirely.

Read →
Anti-Scraping

Cloudflare Error 1020 (Access Denied by Firewall Rule)

What an actual Cloudflare block looks like when your scraper trips a WAF rule.

Read →
Scraping Errors

HTTP 502 Bad Gateway

A generic upstream error indicating the proxy or edge received an invalid response.

Read →