Access to Home Assistant SFTP

Hello, I have HA and Cloudflared installed on that machine. Access via HTTPS works perfectly fine. Local access to SFTP also works just fine. But I am clueless about how to configure Cloudflared or another point to get access via the public network. And yes, I know about the safety risk.

These are my settings now (slightly masked), which do not work. I get a connection timeout.

external_hostname: abc.xyz
additional_hosts:

Welcome to the Cloudflare Community.

The Cloudflare Proxy only passes HTTP and HTTPS traffic by default. Proxying other protocols requires Cloudflare Spectrum and is not likely to be what you are looking for. The easiest way to allow SFTP access is by creating a new unproxied hostname using A or AAAA records, not a CNAME. You will be presented with a notice that the record exposes your origin IP, but that is the only option besides Spectrum for public SFTP access.

If you don’t need the access to be public, you could use a Zero Trust App to limit access.

Hello, thanks a lot; yes, you understand me perfectly well. Spectrum as a paid solution is not an option for me.

I am just trying to understand which IP I should provide here: the IP of the domain name, or my local IP / my home public domain (which is dynamic)? This once again brings confusion to my head.

And then which config settings should I use in Cloudflared?

If you are just trying to create public SFTP access without a Cloudflare Tunnel, you want to ensure that you have the requisite port forward in your router and use your dynamic public IP. You can keep that up to date using the Cloudflare API.

For use with a Cloudflare Tunnel, you can follow the guide in my previous reply. The following may also help.

Thanks again for your reply and links. I really appreciate it; after careful reading I came to the following conclusion.

Correct me if I am wrong. There is no way for a simple connection from an Android device to a Home Assistant SFTP.

Either you have to install and use an additional client, which basically makes it a VPN-like experience, or... you have to have a static IP.

I know I am a total noob in tunneling, but the only thing I need is to get access to that SFTP, with or without a tunnel. For now I am just looking for the simplest possible solution (I have my own public domain, HA with Cloudflared running smoothly, and a dynamic IP).

It is so sad that Cloudflare runs so smoothly and easily with HTTPS and is so hard with any other protocol, so I cannot just add additional ports.

The HTTP protocol contains a “Host:” header to identify the destination of traffic so you can have an unlimited number of websites served by a single IP address.

Other protocols require dedicated IP addresses since there’s not an equivalent “destination” given in the protocol other than the IP address itself. With IPv4, it would not be possible to give every user multiple IP addresses from Cloudflare’s pool. I use Spectrum and each Spectrum application gets its own IP address with all ports available, so I have to pay for an Enterprise plan.


The first part of my previous reply covered using a dynamic IP.

I think I am quite close to finding a logical solution, but one step is hindering me from being successful.

I create a tunnel using SSH to my local IP, where Cloudflared is running and configured to handle it.

  - hostname: domain.xyz
    service: ssh://192.168.8.149:8880

Reading the Cloudflare documentation, it says that port 8880 is free to use.

But somehow https://sftp.domain.xyz does not resolve to the ssh://192.168.8.149:8880 that I need.

What can the issue or limitation be here?

The issue is that you can’t use SSH via Cloudflare without either installing software on the client devices or buying Spectrum.

Cloudflare simply does not accept SSH connections on its HTTP proxy IPs.

Oh... no... so much time spent.

But you can see on my screenshot that it offers me the SSH protocol under the Type section. So misleading, then.

I really do not know how to handle it further.

You can use SSH with the tunnel. You just have to install the tunnel on both the server and the client, and it clearly says so in the manual:
https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/use-cases/ssh/#connect-to-ssh-server-with-cloudflared-access
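For reference, the client-side piece that the linked guide describes, shown here as an added example rather than as text from the reply above: an OpenSSH client stanza (ssh.example.com is a placeholder for whatever hostname the tunnel's ingress rule uses) that hands the connection to cloudflared, so `ssh`, `scp` and `sftp` to that host all travel through the tunnel. It requires cloudflared to be installed on the client, which is exactly the condition the original poster rules out in the next message.

```sshconfig
# ~/.ssh/config on the client machine (added example; hostname is a placeholder)
Host ssh.example.com
    # cloudflared turns the Cloudflare-proxied hostname into a plain SSH stream;
    # %h expands to the Host pattern above, so nothing is duplicated here.
    ProxyCommand cloudflared access ssh --hostname %h
```

With this stanza in place, `sftp user@ssh.example.com` works unchanged, because SFTP is just a subsystem of the SSH session that cloudflared carries. The browser-based SSH terminal in the Zero Trust dashboard does not help for SFTP, since it only exposes an interactive shell.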

No, this does not work for me, since I have to install something on the client end. This is not an option; for that I could just install a VPN, which would be a simpler and more obvious way for me.

The only thing I needed is to have a connection to SFTP or SMB or SSH, whatever you call it, and it seems I cannot do it with Cloudflare without paying a fortune.

This is honestly the best option, and if you wanted to do that with Cloudflare you could hook it up to WARP:


You can always use a dedicated hostname for SSH that is set to DNS Only (grey cloud). That was the very first suggestion I presented in my first reply. It requires no special software on client devices and is unaffected by Cloudflare proxy restrictions, since it directs traffic directly to your public IP, which you can then forward to the desired internal host.

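To make the DNS-only route concrete, here is an added example (not from this thread, nor Cloudflare's own tooling) of the dynamic-IP upkeep mentioned earlier in the thread: a small POSIX shell script, meant to run from cron on the Home Assistant box, that looks up the home's current public IPv4, validates it, PATCHes the SFTP hostname's existing A record through the Cloudflare API with `proxied: false`, and refuses to report success if the record comes back proxied. The hostname, zone id, record id and API token are placeholders read from environment variables; the router port forward from the public IP to the Home Assistant host is still configured separately.

```shell
#!/bin/sh
# Added example: keep a DNS-only (grey-cloud) A record pointed at a dynamic
# home IP so a port-forwarded SSH/SFTP service stays reachable without Spectrum.
# Assumed environment (hypothetical names/values, set by the caller):
#   CF_API_TOKEN  API token scoped to Zone > DNS > Edit on this one zone
#   CF_ZONE_ID    zone id of the domain
#   CF_RECORD_ID  id of the already-created A record for the SFTP hostname
#   SFTP_HOST     e.g. sftp.example.com (placeholder)

# Accept only a plain dotted-quad IPv4 address. A captive portal, an HTML
# error page or an empty answer from the IP lookup must never reach DNS.
is_ipv4() {
    case "$1" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    set -- $(printf '%s\n' "$1" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Body for the DNS record update. "proxied": false is the whole point:
# an orange-cloud (proxied) record only carries HTTP/S, so SSH/SFTP
# connections to it time out exactly as described in the thread.
cf_dns_payload() {
    printf '{"type":"A","name":"%s","content":"%s","ttl":120,"proxied":false}' "$1" "$2"
}

# DNS-based "what is my IP" lookup; needs dig installed. Any other lookup
# service works as long as its answer passes is_ipv4.
current_public_ip() {
    dig +short myip.opendns.com @resolver1.opendns.com
}

# PATCH the existing record. The token lives in an env var and curl runs
# without -v, so it is not echoed into the cron log.
cf_update_record() {
    curl -sS --fail -X PATCH \
        "https://api.cloudflare.com/client/v4/zones/${CF_ZONE_ID}/dns_records/${CF_RECORD_ID}" \
        -H "Authorization: Bearer ${CF_API_TOKEN}" \
        -H "Content-Type: application/json" \
        --data "$(cf_dns_payload "$SFTP_HOST" "$1")"
}

main() {
    ip="$(current_public_ip)"
    if ! is_ipv4 "$ip"; then
        echo "lookup returned '$ip', not an IPv4 address; leaving DNS alone" >&2
        exit 1
    fi
    resp="$(cf_update_record "$ip")" || exit 1
    # The API echoes the stored record; insist that it is still unproxied,
    # otherwise the hostname silently stops working for SFTP.
    if ! printf '%s\n' "$resp" | grep -Eq '"proxied": ?false'; then
        echo "record came back proxied; SFTP through it would time out" >&2
        exit 1
    fi
    echo "$SFTP_HOST -> $ip (DNS only)"
}

# Only act when explicitly asked (e.g. CF_DDNS_RUN=1 from the cron line), so
# the file can also be sourced for its functions without touching the network.
if [ "${CF_DDNS_RUN:-0}" = 1 ]; then
    main
fi
```

Keep the token scoped to a single zone with DNS edit rights only: the script changes exactly one record, so a compromised cron host gains nothing beyond that. The `is_ipv4` gate exists because the lookup is the one untrusted input here; writing whatever it returns straight into DNS would let a bad answer redirect the SFTP hostname.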

Thank you for your replies, but they are not complete so I am still searching for steps on how to do that.

It is not clear which IP I should provide here. From my understanding, it should be the public IP of my network, and I have to use port forwarding as you mentioned. I suppose I have to add port :8880, but this is not supported.

There is no information anywhere on which IP address should be used here, or which one on the server's end to configure the tunnel.

You can connect to that port using an origin rule. Note that this is not related to using a tunnel.

If this conversation is still about SSH/SFTP, it can't be proxied without running WARP or Cloudflared at each end. Proxied (orange cloud) hostnames only proxy HTTP/S or Cloudflare Tunnels. Anything else would require Spectrum or a DNS-Only (grey cloud) hostname.

And Spectrum for SSH is available on all paid plans:


So I am at the very same point as @krepostnoj.
However, I decided to give Spectrum a try and subscribed to the Pro plan, which has access to Spectrum.

However, now I am stuck again: when I try to add an application in Spectrum, I need to provide a subdomain and an IP address. The subdomain does not matter (I tried the one that I added in my tunnel to route to my local server, and also a fresh one). However, the IP address is not accepted in any way.

I tried entering my local server address, and I tried Cloudflare's public Anycast IP addresses (as suggested by ChatGPT), but nothing works and I end up with a generic error:

One or more of the origin addresses are invalid. (Code: 11002)

I don’t want to waste money so I really expect this to work somehow. Does someone have a hint?
(And no, I don’t have any kind of public static IP, that’s the whole reason I use cloudflared).

I don’t believe Spectrum and Tunnel can be used in combination. It’s either Spectrum OR Tunnel.