Cloudflare as Reverse-Proxy to our servers

Hi there,
I’m looking for a way to use Cloudflare as a reverse-proxy, but can’t find how to do this. Or, if this is even possible.

Note: for this example let’s say domain.com is my domain that I have registered at Cloudflare and my WAN IP is 123.123.123.123
What I’m looking for:
https://test.domain.com is routed/proxied to 123.123.123.123:4431 (or wan.domain.com:4431 which resolves to 123.123.123.123:4431)
https://files.domain.com is routed/proxied to 123.123.123.123:4432
https://www.domain.com is routed/proxied to 123.123.123.123:4433

The user only sees that he goes to https://test.domain.com, or files or www. So he doesn’t ‘see’ he in reality goes to the 123.123.123.123:port part.
Also, he of course gets a valid SSL certificate.

On my side, in the firewall, I can say… if source is cloudflare-IP, and port is 4431, then go to internal server that serves the test stuff, if port is 4432 go to internal server that serves the files stuff and so on.

Is this possible?
If so, how?

When you proxy a site using Cloudflare, it’s just proxying ports 80 and 443. To proxy other ports through Cloudflare’s network, you need Cloudflare Spectrum (https://www.cloudflare.com/products/cloudflare-spectrum/). To my knowledge though, Cloudflare doesn’t redirect these ports to different sub-domains.

The best way to do what you’re trying to do is just to quickly spin up NGINX or Traefik on your IP, and then run your reverse-proxy locally. In my experience, NGINX is really simple to set up, just get the list of domains you need forwarded, and then tell it which port needs to be proxied. Doing it this way also means that you only need to expose port 80 or 443 (use HTTPS where possible), and Cloudflare will handle all your SSL/TLS for you automatically.

1 Like
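
What the local NGINX setup suggested in the reply above could look like for the three hostnames in the question, as an added example that is not part of the thread. The internal addresses (10.0.0.x), the certificate paths, the allow-list file and plain HTTP on the LAN side are all assumptions.

```nginx
# Added example. Goes inside the http {} context of nginx.conf.
# Assumed: backends at 10.0.0.11-13 speak plain HTTP on the LAN.

# Choose the internal backend from the Host header that Cloudflare forwards.
map $host $backend {
    test.domain.com   10.0.0.11:4431;
    files.domain.com  10.0.0.12:4432;
    www.domain.com    10.0.0.13:4433;
}

server {
    listen 443 ssl;
    server_name test.domain.com files.domain.com www.domain.com;

    # Certificate on the origin, so the Cloudflare-to-origin hop is
    # encrypted as well (assumed paths).
    ssl_certificate     /etc/nginx/tls/domain.com.pem;
    ssl_certificate_key /etc/nginx/tls/domain.com.key;

    # Accept connections from Cloudflare only. The included file is
    # hypothetical: one "allow <cidr>;" line per range from Cloudflare's
    # published list, regenerated whenever that list changes.
    include /etc/nginx/cloudflare-allow.conf;
    deny all;

    location / {
        # $backend is an IP:port literal, so no resolver is needed.
        proxy_pass http://$backend;
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}

# Any other name on 443 (scans against the bare IP, unknown SNI) is
# refused at the TLS handshake. Requires nginx 1.19.4 or later.
server {
    listen 443 ssl default_server;
    ssl_reject_handshake on;
}
```

With this in place only port 443 has to be forwarded on the firewall; ports 4431 to 4433 stay internal.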

I already have Traefik installed. But hoped to move from on-prem to cloud.

Yeah unfortunately, I’m at least unaware of any major service that will do this for you. The easiest setup that I can think of is to use cloudflared ingress rules, but I guess this in a way is still on-premises, apart from spinning up a proper reverse proxy server. Best of luck on that adventure!

In order to change the Origin port, you need to use the PortZilla app, or a Worker (the search above will give plenty of examples).

This implies that there are no certificates on the Origin, which is not a secure setup. You should always have appropriate certificates on your Origin server.

1 Like