Firewall port redirection doesn't work with a DNS record

In Cloudflare I created an A DNS record to point from xxxdomaincom to . Then in the firewall (IPFire) I created a redirection from the firewall IP to a server, which is accessible only from the firewall.

The firewall redirection works fine, i.e. when I call the IP of the firewall I will access the hidden server at a port I defined. So → 10.0.0.7:8890 works fine

However, the Cloudflare DNS record only works if NOT proxied: xxxdomaincom → → 10.0.0.7:8890. If I turn the proxy on, the connection fails with timeout error 552.

Welcome to the Cloudflare Community.

The Cloudflare proxy only listens on certain ports. 8890 is not one of them.


Thanks. Now I picked ports which are supported.

Now my firewall will redirect Firewall:80 → 10.0.0.7:8080.

Inside there are 2 Docker containers: a Keycloak server with port redirection 8080:8080 and a database with port redirection 8443:5432. So from outside they listen on ports 8080 and 8443, both supported by Cloudflare.

However, the Cloudflare proxied connection aaa_domain_com → Firewall → 10.0.0.7:8080 still fails with a timeout error!

I forgot to add that, again, the unproxied connection is working fine, but not the one proxied through Cloudflare. I can’t see the requests in the firewall logs, which makes me think that Cloudflare must be blocking them. In this regard, I didn’t find any place where I can see which requests Cloudflare is blocking. I didn’t find any in the Events, where I only see defended attacks.

Cloudflare only proxies HTTP and HTTPS connections, so the database will not be available with proxy activated.

For Keycloak, I’m not sure. It does seem to be an HTTP service. Can you show the request headers? Port 8080 is HTTP only, so it wouldn’t work if you are using HTTPS to connect from your browser or if the application expects HTTPS.

Generally, instead of adding ports to the URL by hand, you could use a subdomain with an Origin rule to direct traffic to the correct port (only when proxied, obviously). That is much, much nicer than adding ports by hand.


You forgot to remove your domain from one of the request headers.

In that case, all requests will reach your server via HTTPS on port 443. Is your Keycloak server listening on that port?

This is not compatible with Cloudflare. You can only reach your database in DNS-only mode.

The landing page of Keycloak is HTTP and the admin area is HTTPS.

Here is a request header from the landing page:

GET / HTTP/1.1
Host: keycloak.xxx.xx
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/114.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Upgrade-Insecure-Requests: 1

and from the admin area:

GET /realms/master/protocol/openid-connect/auth?client_id=security-admin-console&redirect_uri=http%3A%2F%2Fkeycloak.xxx.xx%2Fadmin%2Fmaster%2Fconsole%2F&state=49a0ba66-19a4-49bd-9c75-eca86dcac556&response_mode=fragment&response_type=code&scope=openid&nonce=d4dfd1c7-6716-420a-8f05-22747faea555&code_challenge=2iGVzpnajL_lHDXw0Jx2Ggipn94-e1aV578phYdYnKA&code_challenge_method=S256 HTTP/1.1
Host: keycloak.xxx.xx
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/114.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Upgrade-Insecure-Requests: 1

I don’t add ports in the URL. I think I already use the same thing as Origin rules, but in the firewall (IPFire), i.e. the external IP is forwarding to a specific port on the internal server like this: 123.123.12310.0.0.7:8080. Then, the Docker containers on the internal server are listening on ports 8080 and 8443 and map these to 8080 and 5432. The latter is the PostgreSQL database.
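The replies above hinge on two questions: did the request actually reach the origin through the Cloudflare proxy, and which scheme did the visitor use? As an added example (not from this thread, Cloudflare or IPFire), here is a small parser that reads a raw request head like the ones posted and checks for the headers the Cloudflare proxy adds when it forwards a request; the two sample heads are constructed and keycloak.example is a placeholder hostname.

```python
"""Tell whether a captured HTTP request head came through the Cloudflare
proxy and which scheme the visitor used. Added example for this thread;
the request heads below are constructed, keycloak.example is a placeholder."""
import json

# Headers the Cloudflare proxy adds to every request it forwards.
CF_MARKERS = ("cf-connecting-ip", "cf-ray")

def parse_request_head(raw):
    """Split a raw request head into (method, target, headers dict)."""
    lines = raw.strip().splitlines()
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers

def visitor_scheme(headers):
    """Scheme the browser used towards Cloudflare, as the proxy reports it."""
    if "cf-visitor" in headers:
        return json.loads(headers["cf-visitor"]).get("scheme")
    return headers.get("x-forwarded-proto")

def classify(raw):
    """Summarise how a request reached the origin."""
    _method, _target, headers = parse_request_head(raw)
    via_cf = all(h in headers for h in CF_MARKERS)
    return {
        "host": headers.get("host"),
        "via_cloudflare": via_cf,
        "visitor_scheme": visitor_scheme(headers) if via_cf else None,
        "client_ip": headers.get("cf-connecting-ip"),
    }

# Constructed: a head like the ones posted above, with no Cloudflare headers.
DIRECT = """GET / HTTP/1.1
Host: keycloak.example
User-Agent: Mozilla/5.0
Connection: keep-alive
"""

# Constructed: the same request after the Cloudflare proxy forwarded it.
PROXIED = """GET / HTTP/1.1
Host: keycloak.example
CF-Connecting-IP: 203.0.113.9
CF-Ray: 0123456789abcdef-FRA
CF-Visitor: {"scheme":"https"}
X-Forwarded-Proto: https
"""
```

The heads posted above carry none of the CF-* markers, which is what a request captured on the direct, unproxied path looks like; a head logged at the origin during a failing proxied attempt would be the more useful thing to compare.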