I would like to route traffic that goes from Cloudflare (on port 443) to my origin server at home on another port (like 35200 or something), but keep the Cloudflare WAF rules as the traffic passes through Cloudflare. I was ecstatic to see that there are origin rules to do just this, but in the sequence of traffic through Cloudflare the WAF is far below origin rules. This would bypass all of my WAF rules when the traffic reaches my origin server at home. It looks like I may need to use Workers to do this. Is that correct, and if so, how? Would it work with TLS traffic to my origin on different ports from the Cloudflare edge to my origin at home? Thanks!
Why do you believe an Origin Rule would bypass your WAF rules?
Because the traffic is received by the Cloudflare edge on a standard port (i.e. 443), the WAF will run on these requests as usual without any adjustments required. The Origin Rules phase in this case simply overrides where Cloudflare sends traffic after running it through cache, and thus it shouldn’t interfere with how the WAF inspects these requests during the WAF phase.
You can find a general overview of how this works at Phases · Cloudflare Ruleset Engine docs.
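An added example (not from this thread or from Cloudflare's own documentation) of creating the Origin Rule described above through the Rulesets API, so the port change is made in the http_request_origin phase and the earlier WAF phases are left untouched. It assumes CF_ZONE_ID and CF_API_TOKEN are set in the environment and uses example.com and the port 35200 from the question as placeholder values.

```shell
#!/usr/bin/env bash
# Added example, not code from the thread. Assumes CF_ZONE_ID and CF_API_TOKEN
# are exported; hostname and port below are illustrative placeholders.
set -eu

# Build the ruleset body: a single "route" rule that sends requests for the
# given hostname to the origin on a different port. Only the destination
# changes; the WAF phases have already evaluated the request by this point.
origin_rule_json() {
  host="$1"; port="$2"
  printf '{"rules":[{"action":"route","expression":"(http.host eq \\"%s\\")","description":"send %s to origin port %s","action_parameters":{"origin":{"port":%s}}}]}' \
    "$host" "$host" "$port" "$port"
}

# PUT on the phase entrypoint replaces the zone's Origin Rules with this list,
# so keep any existing rules in the body if the zone already has some.
deploy_origin_rule() {
  host="$1"; port="$2"
  curl -fsS -X PUT \
    "https://api.cloudflare.com/client/v4/zones/${CF_ZONE_ID}/rulesets/phases/http_request_origin/entrypoint" \
    -H "Authorization: Bearer ${CF_API_TOKEN}" \
    -H "Content-Type: application/json" \
    --data "$(origin_rule_json "$host" "$port")"
}

# After the change, confirm requests still traverse the Cloudflare edge:
# a cf-ray response header is only added by Cloudflare, so its presence
# shows the request went through the proxy (and therefore the WAF phases)
# rather than straight to the home origin.
check_via_edge() {
  host="$1"
  curl -fsSI "https://${host}/" | grep -qi '^cf-ray:'
}

if [ "${1:-}" = "deploy" ]; then
  deploy_origin_rule "${2:-example.com}" "${3:-35200}"
  check_via_edge "${2:-example.com}"
fi
```

Run with `./origin_rule.sh deploy example.com 35200`; the rule is applied via the API and the follow-up HEAD request checks that the edge is still in the path.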
Thanks for your response. I think I now understand. My line of thinking came about from the diagram to the far right in the WAF rules section shown here in the attached image.
Now I see you used the word “shouldn’t.” To me this sounds like that may be the operative word. So would there perhaps be any kind of unforeseen issues with redirecting the port to my home server from 443 at the edge to, say, port 35200? Would TLS still stay intact? The reason I ask is that I’ve read TLS encompasses 4 layers of the OSI model.
Because Cloudflare decrypts HTTPS traffic at the edge and then re-encrypts it again before sending it to the origin (if the SSL mode is set to Full or Full Strict), I don’t foresee any issues related to TLS in the setup you’re describing here.
Okay, thanks!