When you're experiencing a "web server is down" error with code 521 from Cloudflare while your EC2 instance is accessible via IP address, this typically indicates a connection issue between Cloudflare and your origin server. Here are several potential solutions to try:
- Security Group Configuration: Verify that your EC2 instance's security group allows incoming traffic on ports 80 and 443 from Cloudflare's IP ranges, not just from all sources (0.0.0.0/0). Cloudflare uses specific IP ranges to connect to your origin server.
- Tomcat Configuration: Ensure Tomcat is properly configured to listen on the correct ports (80/443) and is binding to all network interfaces (0.0.0.0), not just localhost (127.0.0.1).
- Certificate Issues: Since you're using ACM, make sure the certificate is properly installed and configured in Tomcat. The certificate needs to match the domain name Cloudflare is trying to connect to. When using Cloudflare's Full or Full (Strict) SSL mode, your origin server must have a valid SSL certificate.
- Origin Server Name: Check that the hostname Cloudflare is using to connect to your origin matches the hostname in your SSL certificate. This is especially important in Full (Strict) mode.
- Firewall Settings: Beyond the EC2 security group, check if there are any other firewall rules (like Network ACLs) that might be blocking Cloudflare's connections.
- Application Configuration: Your Tomcat application might have hardcoded IP addresses or domain names that need to be updated.
- Logs Analysis: SSH into your EC2 instance and check Tomcat's logs for any error messages related to incoming connections or SSL handshakes.
- Temporarily Bypass Cloudflare: As a troubleshooting step, you could temporarily point your domain directly to your EC2 instance by updating your DNS records outside of Cloudflare to see if the issue is specific to the Cloudflare integration.
Since you can access the site via IP address and can SSH into the instance, the core issue is likely related to how Cloudflare is connecting to your origin server rather than the EC2 instance itself being down.
Sources
- EC2 Website Connection Timeout | AWS re:Post
- Suddenly "This site can’t be reached" | AWS re:Post
- Suddenly the domain connection fails. | AWS re:Post
Error 521 means Cloudflare can't establish a connection to your origin server on ports 80 or 443. Since you stopped nginx and Tomcat typically runs on port 8080 (not 80/443), nothing is listening on the ports Cloudflare expects.
The Core Issue:
Tomcat runs on port 8080 by default. When you access the IP directly, you're likely using http://your-ip:8080. Cloudflare tries to connect on ports 80/443 and finds nothing listening.
Solution: Restart nginx as a Reverse Proxy
You need nginx to listen on 80/443 and forward traffic to Tomcat on 8080:
- Start nginx:

```sh
sudo systemctl start nginx
sudo systemctl enable nginx
```

- Configure nginx as reverse proxy. Edit /etc/nginx/sites-available/default (Debian/Ubuntu) or /etc/nginx/conf.d/default.conf (Amazon Linux):

```nginx
server {
    listen 80;
    server_name yourdomain.com subdomain.yourdomain.com;

    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

- Test and reload:

```sh
sudo nginx -t
sudo systemctl reload nginx
```

- Verify port 80 is listening:

```sh
sudo ss -tlnp | grep :80
```
About the ACM Certificate:
ACM certificates cannot be installed directly on EC2 instances - they only work with Load Balancers, CloudFront, or API Gateway. For EC2, use a Cloudflare Origin Certificate instead:
- In Cloudflare Dashboard → SSL/TLS → Origin Server → Create Certificate
- Download the certificate and private key
- Save them on your EC2 (e.g., /etc/ssl/cloudflare-cert.pem and /etc/ssl/cloudflare-key.pem)
- Add HTTPS configuration to nginx:

```nginx
server {
    listen 443 ssl;
    server_name yourdomain.com subdomain.yourdomain.com;

    ssl_certificate /etc/ssl/cloudflare-cert.pem;
    ssl_certificate_key /etc/ssl/cloudflare-key.pem;

    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}
```

- Set Cloudflare SSL mode to Full (Strict)
Verify Security:
Confirm your security group allows inbound traffic on ports 80 and 443 from 0.0.0.0/0 (or specifically from Cloudflare's IP ranges).
Once nginx is running and listening on 80/443, Cloudflare will be able to connect and the 521 error should disappear.
Relevant Documentation:
- Cloudflare Error 521: https://developers.cloudflare.com/support/troubleshooting/cloudflare-errors/troubleshooting-cloudflare-5xx-errors/#error-521-web-server-is-down
- Cloudflare Origin Certificates: https://developers.cloudflare.com/ssl/origin-configuration/origin-ca/
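An added diagnostic for the 521 root cause both answers point at (nothing listening on 80/443, or a listener bound only to loopback); this is example code, not part of either answer. It parses `ss -tlnp` output, and the two listings below are constructed samples of the before/after state the second answer describes.

```sh
#!/bin/sh
# Given `ss -tlnp` output on stdin, report whether ports 80 and 443 have a
# listener Cloudflare can actually reach. A socket bound only to 127.0.0.1 or
# [::1] counts as unreachable. Exit 0 = both ports reachable, 1 = a 521 cause.
# Real usage on the origin:  sudo ss -tlnp | check_origin_listeners
check_origin_listeners() {
    awk '
    NR > 1 {
        n = split($4, a, ":")                  # local address is column 4
        port = a[n]                            # port is the last piece
        addr = substr($4, 1, length($4) - length(port) - 1)
        if (port == "80" || port == "443") {
            if (addr == "127.0.0.1" || addr == "[::1]") loopback[port] = 1
            else open[port] = 1
        }
    }
    END {
        rc = 0
        split("80 443", ports, " ")
        for (i = 1; i <= 2; i++) {
            p = ports[i]
            if (p in open)
                printf "port %s: listening, reachable\n", p
            else if (p in loopback) {
                printf "port %s: bound to loopback only (Cloudflare cannot connect)\n", p
                rc = 1
            } else {
                printf "port %s: nothing listening (Cloudflare 521)\n", p
                rc = 1
            }
        }
        exit rc
    }'
}

# Constructed sample: nginx stopped, only Tomcat on 8080 (the state in the question).
BEFORE_FIX='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      100    127.0.0.1:8080      0.0.0.0:*     users:(("java",pid=2,fd=40))'

# Constructed sample: nginx restarted as the 80/443 reverse proxy in front of Tomcat.
AFTER_FIX='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      511    0.0.0.0:80          0.0.0.0:*     users:(("nginx",pid=1,fd=6))
LISTEN 0      511    [::]:443            [::]:*        users:(("nginx",pid=1,fd=7))
LISTEN 0      100    127.0.0.1:8080      0.0.0.0:*     users:(("java",pid=2,fd=40))'

printf '%s\n' "$BEFORE_FIX" | check_origin_listeners || echo "-> start nginx on 80/443"
printf '%s\n' "$AFTER_FIX" | check_origin_listeners
```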