Cloudflare as proxy to internet facing sql server

chirag.bhatt · February 9, 2021, 3:26pm

Hello -

I am trying to setup cloudflare as proxy on internet facing sql server.
I have an azure database server and a test database with me which I can access thru SSMS but when I am trying to setup a spectrum as TCP proxy to origin (at DNS name by azure - db server name) over port 1433, it gets failed. Giving me some authentication error.

Authentication mode I am trying in - SQL
Database name is precisely mentioned under SSMS parameters.
Error codes received under SSMS - 10054, 64

I had earlier tried making ftp proxy under cloudflare - spectrum and worked fine. Not sure if Cloudflare allows using spectrum as proxy to public facing sql servers. Spectrum feature is supposedly been allowed on any TCP/UDP applications. So I guess sql server.

Has anyone ever tried setting up the similar and got success ? If yes, any tips you can share please ?

*** NOTE: why am I trying out on azure, because I don`t have right now public facing sql server hosted on premise. So thought azure can be used since spectrum allows defining origin reference as DNS record as well as IP address. Also I whitelisted Cloudflare IPs already under Azure - SQL firewall so that it permits traffic thru cloudflare into azure.

Thanks & Regards,
Chirag

sdayman · February 9, 2021, 3:42pm

I can’t find any references to this use case. The only person I can think of who might know is @cscharff.

chirag.bhatt · February 9, 2021, 7:54pm

What I guess is TLS hand-shake being broken when connecting thru cloudflare…

fritexvz · February 9, 2021, 8:06pm

As I far as I can see, you are mentioning you use an app on a port which is not compatible with Cloudflare?
Can you change the port due to the compatible ones here?:

sdayman · February 9, 2021, 8:21pm

This is through Enterprise with Spectrum, which lets you proxy pretty much anything.

chirag.bhatt · February 9, 2021, 8:52pm

Thanks for reply.
Isn`t that exactly what spectrum is for ? I am trying out within spectrum which should not allow me to port over any non-standard ports if required ?

chirag.bhatt · February 9, 2021, 8:54pm

Thanks @sdayman.
Yes - that`s exactly I am trying to achieve… slightly for non-general purpose.

chirag.bhatt · February 9, 2021, 9:05pm

While in the past, I tried with setting cloudflare as proxy for ftp traffic, and I did it over some non-standard port 3456 on edge and pointing to origin at another non-standard port 6543.

Perhaps answer lies in how sql follows authentication process vs. how ftp does. Not too sure what are best ways for catching up the TLS handshakes errors in details at client end. I don`t see failure logs being dumped in sql logs for failures I am seeing so kind of guessing here that it can be client-side TLS handshake error. I get the same error even when I am passing in the wrong credentials. So that proves something before credentials gets validated is failing.

Will see if I get any luck with tracing that. Will appreciate if anyone is aware of some handy tool for catching TLS handshakes in details on client side.

Thanks.

soldier_21 · April 3, 2021, 2:21pm

I managed to put a PostgreSQL server behind Spectrum

In my case, it works only with Edge TLS Termination off