Cloudflare as proxy to internet-facing SQL Server

Hello -

I am trying to set up Cloudflare as a proxy on an internet-facing SQL Server.
I have an Azure database server and a test database which I can access through SSMS, but when I try to set up Spectrum as a TCP proxy to the origin (at the DNS name given by Azure, the DB server name) over port 1433, it fails, giving me some authentication error.

Authentication mode I am trying in - SQL
Database name is precisely mentioned under SSMS parameters.
Error codes received under SSMS - 10054, 64

I had earlier tried making an FTP proxy under Cloudflare Spectrum and it worked fine. Not sure if Cloudflare allows using Spectrum as a proxy to public-facing SQL servers. The Spectrum feature is supposedly allowed for any TCP/UDP application, so I guess SQL Server too.

Has anyone ever tried setting up something similar and had success? If yes, any tips you can share, please?

*** NOTE: why am I trying this out on Azure? Because right now I don't have a public-facing SQL Server hosted on premises. So I thought Azure could be used, since Spectrum allows defining the origin reference as a DNS record as well as an IP address. Also, I have already whitelisted Cloudflare IPs under the Azure SQL firewall so that it permits traffic through Cloudflare into Azure.

Thanks & Regards,

1 Like

I can’t find any references to this use case. The only person I can think of who might know is @cscharff.

What I guess is the TLS handshake being broken when connecting through Cloudflare…

As far as I can see, you are mentioning you use an app on a port which is not compatible with Cloudflare?
Can you change the port to one of the compatible ones here?:

This is through Enterprise with Spectrum, which lets you proxy pretty much anything.

1 Like

Thanks for the reply.
Isn't that exactly what Spectrum is for? I am trying this out within Spectrum, which should not allow me to port over any non-standard ports if required?

Thanks @sdayman.
Yes - that's exactly what I am trying to achieve… slightly for non-general purpose.

In the past, I tried setting up Cloudflare as a proxy for FTP traffic, and I did it over a non-standard port 3456 on the edge, pointing to the origin at another non-standard port 6543.

Perhaps the answer lies in how SQL follows the authentication process vs. how FTP does. Not too sure what the best ways are for catching the TLS handshake errors in detail at the client end. I don't see failure logs being dumped in the SQL logs for the failures I am seeing, so I am kind of guessing here that it can be a client-side TLS handshake error. I get the same error even when I am passing in the wrong credentials. So that proves something before the credentials get validated is failing.

Will see if I have any luck with tracing that. Would appreciate it if anyone is aware of some handy tool for catching TLS handshakes in detail on the client side.


I managed to put a PostgreSQL server behind Spectrum

In my case, it works only with Edge TLS Termination off

1 Like
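
A way to check the handshake question raised in the thread, as an added example that is not part of any post: per the MS-TDS specification, a SQL Server client using a TDS version before 8.0 opens with a cleartext PRELOGIN packet, and the TLS handshake only follows inside later TDS packets, so sending a PRELOGIN through the proxy and parsing the reply shows whether the connection dies before TLS or login is ever reached. The function names, the `probe` helper and the sample reply are constructed for illustration.

```python
import socket
import struct

ENCRYPTION = {0: "ENCRYPT_OFF", 1: "ENCRYPT_ON", 2: "ENCRYPT_NOT_SUP", 3: "ENCRYPT_REQ"}
TOKENS = {0: "VERSION", 1: "ENCRYPTION", 2: "INSTOPT", 3: "THREADID", 4: "MARS"}

def build_prelogin(encryption=1):
    """Build the cleartext TDS PRELOGIN packet (type 0x12) a client sends first."""
    options = [(0, bytes(6)), (1, bytes([encryption])), (2, b"\x00"),
               (3, bytes(4)), (4, b"\x00")]
    table_len = 5 * len(options) + 1  # 5-byte entry per option + 0xFF terminator
    table, data = b"", b""
    for token, value in options:
        # each entry: token, offset of its value from payload start, value length
        table += struct.pack(">BHH", token, table_len + len(data), len(value))
        data += value
    payload = table + b"\xff" + data
    # header: type, status (0x01 = end of message), total length, SPID, packet id, window
    return struct.pack(">BBHHBB", 0x12, 0x01, 8 + len(payload), 0, 1, 0) + payload

def parse_prelogin(packet):
    """Parse a PRELOGIN request or reply into {option name: raw value bytes}."""
    if len(packet) < 8:
        raise ValueError("no TDS header: peer closed before answering PRELOGIN")
    ptype, _status, length = struct.unpack(">BBH", packet[:4])
    if ptype not in (0x12, 0x04) or length != len(packet):
        raise ValueError("not a complete TDS PRELOGIN packet")
    payload, pos, out = packet[8:], 0, {}
    while payload[pos] != 0xFF:
        token, offset, size = struct.unpack(">BHH", payload[pos:pos + 5])
        out[TOKENS.get(token, hex(token))] = payload[offset:offset + size]
        pos += 5
    return out

def encryption_mode(packet):
    """Name of the encryption option carried in a PRELOGIN packet."""
    return ENCRYPTION[parse_prelogin(packet)["ENCRYPTION"][0]]

def probe(host, port=1433, timeout=5.0):
    """Send PRELOGIN to host:port; a reset here means failure before TLS or login."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_prelogin())
        return encryption_mode(sock.recv(4096))

# Constructed sample reply (not captured traffic): server replies use type 0x04.
SAMPLE_REPLY = b"\x04" + build_prelogin(encryption=3)[1:]

if __name__ == "__main__":
    print("client offers:", encryption_mode(build_prelogin()))
    print("sample server reply:", encryption_mode(SAMPLE_REPLY))
```

Running `probe` once against the origin directly and once against the proxied hostname separates the two paths; on Windows a `ConnectionResetError` from it carries the same Winsock code 10054 that SSMS reported.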