DNS will not resolve to IPv4

It will not resolve to the correct IP address whatsoever. I have an SSL cert from Let's Encrypt and want the traffic to be directed to port 443 since port 80 is blocked by my ISP. My port forwarding rules say to direct traffic from external 443 to internal 80 (my Apache server). I tried setting up a virtualhost but to no avail. I've also used a proxy port (8443) but that still doesn't seem to work. I'm kinda stuck, been at this for hours. Any thoughts?

Why do you map port 443 externally to port 80 internally? Is there any special reason not to just use port 443 for the Apache as well?

And what do you mean it doesn't resolve to the correct IP address?

I am afraid you would need to allow port 80 at your end to make a redirection work from HTTP 80 to HTTPS 443.

Kindly, in your case I would first make sure and check if my origin/host does work and resolve correctly without Cloudflare.

Furthermore, I would go and proceed with the steps to make it work with Cloudflare (adding domain to Cloudflare, etc.).

Moreover, are you using Full SSL at Cloudflare dashboard?

Is Cloudflare allowed to connect to your host/origin?

But have you opened up 8443 at your host/origin? (or just if proxying over it)

Can you try to open up any compatible HTTP port at your end with Cloudflare's ones as listed below and proxy it to the HTTPS port?:

That's not correct when he uses Cloudflare: Cloudflare can rewrite and redirect all HTTP requests to HTTPS requests at the edge without needing to contact port 80 on the web server.

True for Cloudflare end, but maybe the OP wants to redirect HTTP to HTTPS at his end which he obviously cannot configure :confused:

@oneandonlyjason True stated, the Full SSL should connect to OP’s server on Port 443 - if it is allowed to and open at OP’s host/origin.

Moreover, Full isn’t hitting 443 at OP’s server due to possible misconfiguration?

@streifmann Configure your web server to listen on port 443 (for example), make sure it has a valid certificate (as stated Let’s Encrypt), point your domain at Cloudflare to your IP address and make sure your firewall accepts connections from Cloudflare (allow IP addresses) and you should be good to go.

Or, if it all fails, can you try using a service from a hosting provider?

The last case would be to Contact Cloudflare Customer Support. To reach Cloudflare Customer Support, you would need to login to your Cloudflare account and then contact Cloudflare Support.

Hard to say with the information we have.

@streifmann You should not try to redirect the external port 443 to the internal port 80 and use SSL for it. It is possible, but it will probably lead to unexpected problems. It is best to use the default SSL port 443 on your Apache as well and redirect all incoming requests on port 443 to the internal Apache port 443 in your router forwarding settings. Then you can use a standard SSL vhost like the ones you can find on the Internet.

If you are not trying to make the webserver reachable besides Cloudflare (which is not really recommended as you will leak your IP address) it would also be best to use a Cloudflare Origin SSL Certificate as then you don’t have to worry about renewing it.

Then you can change the SSL settings in Cloudflare to Full (Strict) and enable Always Use HTTPS for maximum security.

This should definitely work correctly this way and make your website accessible to visitors via HTTPS. The only reason why it would not work would be, as mentioned by @fritexvz, that port 443 is not open in the firewall or Cloudflare's IP addresses are blocked.

Thank you for the fast responses. I am fairly new to this. I have Full on Cloudflare and I use a dns-01 certificate so I can bypass the port 80 check for Let's Encrypt. Is it possible for me to only use port 443 for traffic rather than 80? I also have Always Use HTTPS on. I think Cloudflare points to 443, but it always times out.

Port 443 (external) is open and unblocked by my ISP. I have no firewall rules blocking Cloudflare on my router as well as in my domain registrar. I agree that I probably misconfigured it. Redirecting traffic from HTTP to HTTPS is my goal, but I thought Cloudflare would handle this with their traffic interception.

Honestly I don't know why I mapped it to port 80, just out of convenience. But I also tried starting a PHP server on 443 internally and that still did not work.

That's definitely possible if you don't need to rewrite to HTTPS on your origin, which is the case because you use the Always Use HTTPS setting in Cloudflare.

They are doing this when the setting is enabled. So the problem needs to be somewhere else.

Do you mind sharing your domain with us?

The only thing that seems to connect to the server is sending a plain http request to port 443. It makes the connection to the server but is rejected because it is just http and not https. Maybe this is a clue?

I also changed the internal port to 443. It has nothing to do with the internal side, because I determined that it works. But Cloudflare cannot connect to the site externally.

What are your SSL settings in Cloudflare under SSL/TLS in your dashboard? Can you post a screenshot of them, maybe?

Your Cloudflare SSL settings are alright. Cloudflare should not try to connect over HTTP when your security setting is Full. On Full, Cloudflare only connects over HTTPS.

When you connect directly to your IP on port 443, it's working, right?

Yes, if I do http://ip:443 that is plain, of course. And when I do https://ip it shows the SSL error because I don't have a cert directly on the IP address. So it seems to be working.

curl -I trixdev.xyz
HTTP/1.1 301 Moved Permanently
Date: Sat, 06 Mar 2021 18:26:32 GMT
Connection: keep-alive
Cache-Control: max-age=3600
Expires: Sat, 06 Mar 2021 19:26:32 GMT
Location: https://trixdev.xyz/
cf-request-id: 08aa6399df00004d898820c000000001
Report-To: {"group":"cf-nel","endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=JLFlw8x1kIg8hWTHithDLdJ%2BS2kJ4KzE5VwTbR9v1Z9%2F1SsrFOANEB2i2Ysj5zrKB2XZ1MfDfFvJ74lW4s1s77F24i0%2FWaoWuRM%2Bkw%3D%3D"}],"max_age":604800}
NEL: {"max_age":604800,"report_to":"cf-nel"}
Server: cloudflare
CF-RAY: 62bda2096cbd4d89-FRA
alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400

curl -I https://www.trixdev.xyz
HTTP/2 525
date: Sat, 06 Mar 2021 18:26:48 GMT
content-type: text/html
set-cookie: __cfduid=d10d9d078d6ad69373f5adb0039d997181615055207; expires=Mon, 05-Apr-21 18:26:47 GMT; path=/; domain=.trixdev.xyz; HttpOnly; SameSite=Lax; Secure
cache-control: no-store, no-cache
cf-request-id: 08aa63d59d000016e6c2b83000000001
expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
report-to: {"group":"cf-nel","endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=gtsTbvLnSKGIx3hbhBsvXwxUDVSrOy1QEMOEUkGZ5ySXakE0u4RMO4B6DCeKZc1rBhdMeqGate2uoSSes8JlYJWgcERtX%2BNY4HkgjXhNWoE%3D"}],"max_age":604800}
nel: {"max_age":604800,"report_to":"cf-nel"}
server: cloudflare
cf-ray: 62bda268fde416e6-FRA
alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400

Kindly follow the steps as written here:

curl -I https://trixdev.xyz
HTTP/2 522
date: Sat, 06 Mar 2021 18:28:35 GMT
content-type: text/html
set-cookie: __cfduid=d145e9173b3845e1eb2c5866da220c40c1615055284; expires=Mon, 05-Apr-21 18:28:04 GMT; path=/; domain=.trixdev.xyz; HttpOnly; SameSite=Lax; Secure
cache-control: no-store, no-cache
cf-request-id: 08aa65027300004e078608c000000001
expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
report-to: {"max_age":604800,"group":"cf-nel","endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=LUVJ%2FpmNjGg4uSEke%2FddNz5YhnqP%2FnHc3P5WliaXwH2wgRPrQNxyGVJeai8SnhyTfsYClMGx1QhM7cz4PeFZtpcWeoZZa6qi5T6C8A%3D%3D"}]}
nel: {"report_to":"cf-nel","max_age":604800}
server: cloudflare
cf-ray: 62bda44a5e1f4e07-FRA
alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400

$ curl -svo /dev/null https://trixdev.xyz --connect-to ::ip 2>&1 | egrep -v "^{.*|^}.*|^* http.*"

* Connecting to hostname: ip
*   Trying ip:443...
* TCP_NODELAY set
* Connected to ip (ip) port 443 (#0)
* ALPN, offering h2
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* error:1408F10B:SSL routines:ssl3_get_record:wrong version number
* Closing connection 0

The guide says I should disable TLS 1.3, but I just tested all TLS versions and all fail with the wrong version number error.
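The "wrong version number" error in the curl trace above is what a TLS client reports when the port it connected to answers in plain HTTP, which is exactly what an external-443-to-internal-80 forward in front of a non-SSL Apache vhost produces, and why Cloudflare's Full mode returns 525/522. As an added example (not code from this thread or from Cloudflare), the Python probe below does what Cloudflare does, a TLS handshake, and when that fails checks whether the same port speaks plaintext HTTP; `probe_tls_port` and `start_plaintext_listener` are names chosen here, and the listener is a constructed local stand-in for the misrouted origin.

```python
import socket
import ssl
import threading


def probe_tls_port(host, port, timeout=5.0):
    """Classify host:port as 'tls:<ver>', 'plaintext-http:<reason>', 'refused', 'timeout' or 'other:<reason>'."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # asking "is TLS spoken here?", not "is the cert valid?"
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return "tls:" + tls.version()
    except ConnectionRefusedError:
        return "refused"
    except ssl.SSLError as exc:
        reason = exc.reason or "SSL_ERROR"  # OpenSSL reports WRONG_VERSION_NUMBER for non-TLS bytes
    except OSError:
        return "timeout"
    # Handshake failed: see whether the port answers plain HTTP instead, which is what an
    # "external 443 -> internal 80" forward in front of a non-SSL Apache vhost looks like.
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            raw.sendall(b"HEAD / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
            banner = raw.recv(16)
    except OSError:
        banner = b""
    return ("plaintext-http:" if banner.startswith(b"HTTP/") else "other:") + reason


def start_plaintext_listener(connections=2, host="127.0.0.1"):
    """Constructed stand-in for a misrouted origin: plain-HTTP 400 responder on an ephemeral port."""
    srv = socket.create_server((host, 0))

    def serve():
        for _ in range(connections):
            conn, _addr = srv.accept()
            with conn:
                try:
                    conn.settimeout(2.0)
                    conn.recv(4096)  # a ClientHello or an HTTP request; either way, just bytes to us
                    conn.sendall(b"HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\nConnection: close\r\n\r\n")
                    while conn.recv(4096):  # let the peer hang up first so no RST races the reply
                        pass
                except OSError:
                    pass
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]  # e.g. probe_tls_port("127.0.0.1", port) -> plaintext-http:WRONG_VERSION_NUMBER
```

Point `probe_tls_port` at your public IP and port 443 to reproduce the check from outside; a "plaintext-http" result means the forward lands on an HTTP-only listener.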