I have a tld domain name from Namecheap now with Cloudflare free account nameservers and have set up a working website on it, with full SSL from Cloudflare.
(As new user I have removed the dots from the links.)
Yesterday I tried adding a CNAME entry by entering ‘servers’ as sub domain and target as xyz duckdns org (which is working fine as DDNS with my home server access at http:// xyz duckdns org (colon) 8097.)
The CNAME entry shows active, proxied and Auto, as all other entries.
Also checked SSL > Edge Certificates, which shows as active for both *.mydomain.com and for mydomain.com. The SSL > Overview says “Full” as originally set up for the tld domain.
Yesterday I had first tried setting up an A record with xyz (dot) duckdns (dot) org and Cloudflare pulled the correct current public IP. But of course I could not transfer nameservers from the managed duckDNS service, so I did not proceed. Cloudflare does not allow me to delete this entry, so it looks incomplete.
But my subdomain:port servers. mydomain com (colon) 8097 is still not working after a day.
The Cloudflare proxy only listens on these ports (unless using Cloudflare Spectrum)…
You can tell Cloudflare to access your server on port 8097 using origin rules…
…and then you’ll be able to access your server on just servers.example.com without specifying a port.
Always use “Full (strict)” with a valid (in date, non-self signed) SSL certificate like LetsEncrypt on your origin to ensure your connection is secured end-to-end. You can also use a Cloudflare Origin certificate if you only access the server through the proxy.
Btw, I deleted DNS settings one by one for the xyz duckdns subdomain A record as in #2 above, and now the account just says, ‘pending nameservers setup.’
I went through your links, including Origin Rules for Destination, which seems the solution for my non default Cloudflare port issue.
I have gray clouded (DNS only) the CNAME ‘servers’ to target ‘xyz duckdns’ entry.
But where is the menu for Origin Rules on the free account page? Or how do I set up Destination rules for my 8097 port with just the CNAME subdomain?
My target dietpi.com Jellyfin server (port 8097) is internal server behind NAT, and I have not set up any origin SSL cert on it yet.
But will the secure padlock show on my user browser if I keep SSL setting to Full, because Cloudflare should encrypt user-Cloudflare proxy path?
If you want your site behind Cloudflare, you need the record to be proxied. No Cloudflare protections or features (including origin rules) will work unless proxied as the requests won’t pass through Cloudflare.
Do that first before enabling Cloudflare. Debugging SSL issues behind the proxy is hard.
Yes, but it won’t secure the Cloudflare-server path so your site traffic is not secured end-to-end.
I’m not sure what you’ve done here. Have you added the duckdns subdomain as a zone in Cloudflare? That’s not needed if you are just CNAMEing to it because it’s just being used for dynamic DNS.
I configured Destination custom expression ‘servers mydomain com’ and applied port 8097.
Now I get SSL handshake failed, after going back to Proxied (with gray, there was no response): 525.
‘You, Cloudflare working, servers mydomain failed’
Is this because the SSL Cloudflare setting is Full (not Strict) but my internal DietPi server has no SSL?
Do I have to use origin cert on DietPi too?
I originally tried configuring duckDNS subdomain DDNS thinking that I did not need the Cloudflare nameservers switch.
Now is there a way still to configure duckDNS ddns sub domain with Cloudflare?
That’s because you have no SSL certificate on your origin. As I said, set that up first and use only “Full (strict)”. Full still requires an SSL certificate, but “Full (strict)” should be used to validate that certificate is for your domain, not expired and is trusted so the connection is fully secured.
duckdns.org is in the public suffix list so a subdomain of it can be added to Cloudflare, but according to this (as I’ve never used it myself), there’s no option to delegate the nameservers so records need to be set up within duckdns. Only CNAMEing will therefore work.
Will try SSL on DietPi.
Think I am better off setting up ddclient DDNS on DietPi local server to work with a ‘servers’ subdomain and bypass duckDNS altogether!
That is even more insecure. That will be HTTP only between Cloudflare and your origin, even if the user is using HTTPS to Cloudflare, so traffic is unencrypted and in the clear. You really do need a proper SSL certificate on your origin.
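The three properties the replies above attribute to “Full (strict)” (the certificate is for your domain, not expired, and trusted) can be checked on an origin certificate file with openssl before the record is proxied. This is an added example, not part of the thread and not Cloudflare's own validation logic; the host names, the throwaway certificates and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Approximates with local openssl the
# three properties the thread says "Full (strict)" requires of an origin
# certificate. Host names and certificates here are constructed samples.

# make_selfsigned DIR NAME: write DIR/cert.pem and DIR/key.pem, valid 1 day.
make_selfsigned() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$1/key.pem" -out "$1/cert.pem" \
        -subj "/CN=$2" -addext "subjectAltName=DNS:$2" >/dev/null 2>&1
}

# name_ok CERT HOST: the certificate is issued for HOST.
name_ok() {
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q "does match"
}

# not_expired CERT: notAfter is still in the future.
not_expired() {
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null
}

# trusted CERT CA_BUNDLE: CERT chains to a CA contained in CA_BUNDLE.
trusted() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# strict_report CERT HOST CA_BUNDLE: print each result, return 0 if all pass.
strict_report() {
    rc=0
    name_ok "$1" "$2" && echo "name:   ok" || { echo "name:   FAIL"; rc=1; }
    not_expired "$1"  && echo "expiry: ok" || { echo "expiry: FAIL"; rc=1; }
    trusted "$1" "$3" && echo "trust:  ok" || { echo "trust:  FAIL"; rc=1; }
    return $rc
}

# Demo: a self-signed origin certificate checked against an unrelated CA
# bundle (stand-in for a public trust store). Name and expiry pass, trust fails.
demo() {
    d=$(mktemp -d); mkdir "$d/origin" "$d/ca"
    make_selfsigned "$d/origin" servers.example.com
    make_selfsigned "$d/ca" ca.example.invalid
    strict_report "$d/origin/cert.pem" servers.example.com "$d/ca/cert.pem"
    rc=$?; rm -rf "$d"; return $rc
}

demo || true   # non-zero is expected here: the trust check fails
```

For a real origin, point `strict_report` at the certificate the server presents and at the CA bundle that should have issued it.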