Advice Needed for a Cloudflare Proxied DNS

Hi peeps,

Hope you are okay? I have my DNS proxied through Cloudflare (A Record) and wanted to know if the below scenario is possible through a proxied DNS.

I have a Linux Server (Cloud Based) which is connected to my Domain. I have a Java service running on this VPS that listens to client requests on port 8880. I need to setup something like the following but not sure if this is possible through Cloudflare or not:

I need clients connecting to my Domain @ http://example.com:8880 and then this to pass onto my Origin Server which will handle the requests. Is there anything in Cloudflare to achieve this? Do I need to allow Cloudflare IPs and if so, can I do this through UFW? If someone could point me in the right direction and I can then go on and do further reading to look into this TIA

Cloudflare only listens on these ports:

You can leave the clients to connect to http://example.com and tell Cloudflare to connect to your origin on port 8880 using origin rules:

You will need to allow (and only allow if you don’t want people to bypass Cloudflare) Cloudflare IPs:

@sjr Thank you for your quick response, appreciate it. Thing is, this service requires a port in the URL so I cant just use http://example.com. Could I have the URL include one of the allowed Cloudflare ports and set that port as my listening port for the service - so would this not require the Origin Rule setup? Sorry I am new to CF and getting used to it all.

In regards to allowing just CF IP’s would I need to allow Port 80 and 443 as well as the port that I will use for my service for CF ports only.

Yes, you can do that.

Just allow Cloudflare to the ports you use it for. No need to allow 80 and 443 if you won’t be using them for this service.

Thanks again.

I noticed with port 443 and I think 80, that when I append this to the end of my URL, Cloudflare strips it. So I think I will use one of the other HTTPS ports.

I think I will need 443 open because I will be using SSL/TLS eventually. So I get this right would I need to enable 443 on my Firewall and for this port to allow Clouflare IPs only and also just say I use port 8443 for my service I will need to do the same on my Origin.

While you are here, can I still use Cloudflare CERT on my origin even though I don’t have a web server? Thanks again.

Do you mean a certificate on the Cloudflare edge? That will be created automatically, but you won’t be using it as you have an http only origin.

(Don’t use HTTPS to Cloudflare if your origin is only HTTP, it deceives users that their encryption is secure, when it isn’t)

Or do you mean, when you create an SSL website on your origin? The edge certificate will be there, and you can use a Cloudflare origin certificate on your origin server if you want to (or use Letsencyrpt or other SSL certificate if you prefer).

I want to use SSL on my Origin to encrypt traffic from CF to my Origin using a CF Origin Cert. For this my question is, would I need a webserver of some kind or isit possible without one. The reason I am asking is because my Service running on the VPS does not utilise a web server. Clients connect through domain:port where my service on the VPS is listening on that port for requests

By default, Cloudflare only proxies HTTP and HTTPS traffic.

More detail available here:

@sjr I have configured my service to listen on port 8443. I have allowed CF IPs through UFW on Port 8443. I have setup SSL/TLS on my origin and is working fine using Authenticated Origin Pulls with SSL Settings set to Full (strict). When putting in my URL (https://mydomain.com:8443) i takes a while to load and throws a 522 error. I have gone through the troubleshooting on 522 Errors via the CF documentation.

Been going around in circles and I feel like CF won’t work in my particular use case.

If you set the DNS record to “DNS only” (or pause Cloudflare) can you connect?

1 Like

I was facing the same issue.

Hi @rasimorefashions, did you get it sorted in the end?

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.