Firewall port rules and load balancing


I’m new to Cloudflare and looking for some help getting set up. I’m not sure what the best tools are to solve this particular problem. Here’s the issue:
I need to route traffic on non-standard ports over cloudflare and have the traffic load balanced between a set of backing servers.
I’d like:

  1. establish a group of backing servers that can be updated in a single location and will be used for load balancing traffic wherever I specify (e.g. for all A records). NoIP does this very well.
  2. create custom firewall rules to handle traffic on non-standard ports and route it to a given group. I’d prefer firewall rules as opposed to Spectrum (which I still don’t get) as I should then be able to secure traffic at the DNS layer as well as on each server.

Quick background: I’m running a globally distributed Kubernetes cluster that has a backing storage system, allowing nodes in various regions to serve the same static content and enabling automatic failover of dynamic content. Thus, the actual IP serving any of my webapps can change at any time, but every service is accessible from any of them (assuming they’re online).

An immediate use case I have for the routing I mentioned above is cert-manager performing ACME HTTP challenges over port 8089. In this scenario, an ingress route is registered (I use Traefik for that) and Let’s Encrypt contacts the ACME challenge pod on 8089, which is new, inbound traffic. Thus, I need a way to allow Let’s Encrypt to bypass (???) Cloudflare and hit my servers on the desired URL and port. If I can create a firewall rule, I’d be able to allow such a bypass iff the request matches Let’s Encrypt (e.g. IPs, user agent, etc.).

Another example of where this would be useful is Matrix federation, which runs over port 8448.
The list goes on.

How are people routing and securing traffic over custom ports to groups of load balanced servers today?



Right off the bat, a :orange: Proxied hostname at Cloudflare doesn’t listen on Port 8089, 8448, or…just about anything non-standard:

Unless you’re on an Enterprise plan configured with Spectrum. It’s a lot of money. Anything less than Enterprise really doesn’t easily handle fancy configurations on anything other than ports 80 and 443.

Hey sdayman,

Thanks for the quick reply!

I’ve read through the page you linked a few times now and I still can’t figure out Spectrum. It looks like the right solution, but what if I run SSH on a non-standard port? It doesn’t seem like it’s configurable and thus doesn’t fit my use cases.
Am I understanding you correctly that if I were an Enterprise customer I’d be able to configure my own Spectrum applications? Is there any support for this for Business or Pro customers?

Given this, it sounds like the only solution is to :grey: proxy my URLs with custom ports and … uhh… toggle :grey: to :orange: following the completion of each ACME challenge… and each renewal… ugh; or just wildcard cert all the things. I assume the Cloudflare API is capable of fulfilling hacks like this. Any recommendations?

p.s. I love the :cloud: flare XD thanks for that!
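The :grey: / :orange: toggle floated in the post above, written out as an added example. This is not code from the thread, from Cloudflare, or from cert-manager. It uses two real Cloudflare API v4 calls (list DNS records, PATCH a record's `proxied` flag) and assumes an API token with DNS edit rights on the zone in `CF_API_TOKEN`, the zone id in `CF_ZONE_ID`, and a challenge hostname in `CF_RECORD_NAME`. The port sets are Cloudflare's published list of HTTP/HTTPS ports accepted for a proxied hostname on non-Enterprise plans (a fact from outside the thread; confirm against current docs before relying on it). `SAMPLE_LOOKUP`, the zone/record ids and the hostname are constructed placeholders.

```python
"""Grey-cloud a Cloudflare DNS record for an ACME HTTP-01 challenge on a
non-standard port, run the challenge, then restore the orange cloud.

Added example, not Cloudflare's or cert-manager's own code. Only the
two API endpoints used here are real; everything else is an assumption.
"""
import json
import os
import urllib.parse
import urllib.request
from typing import Optional, Tuple

API = "https://api.cloudflare.com/client/v4"

# Ports Cloudflare's proxy accepts for a proxied (orange-cloud) hostname on
# non-Enterprise plans. Published list at time of writing; verify against the
# current Cloudflare docs. 8089 (ACME solver) and 8448 (Matrix) are not in it.
PROXY_HTTP_PORTS = frozenset({80, 8080, 8880, 2052, 2082, 2086, 2095})
PROXY_HTTPS_PORTS = frozenset({443, 2053, 2083, 2087, 2096, 8443})

# Constructed sample of a "list DNS records" response; the ids are placeholders.
SAMPLE_LOOKUP = {
    "success": True,
    "errors": [],
    "result": [{"id": "rec456", "name": "acme.example.com",
                "type": "A", "content": "198.51.100.7", "proxied": True}],
}


def proxy_accepts_port(port: int) -> bool:
    """True if traffic to this port can reach the origin through the proxy."""
    return port in PROXY_HTTP_PORTS or port in PROXY_HTTPS_PORTS


def needs_grey_cloud(port: int, proxied: bool) -> bool:
    """A proxied record silently drops inbound traffic on a port the proxy
    does not accept, so the record must be switched to DNS-only first."""
    return proxied and not proxy_accepts_port(port)


def api_request(method: str, path: str, token: str,
                body: Optional[dict] = None) -> urllib.request.Request:
    """Build an authenticated request; no network I/O happens here."""
    data = None if body is None else json.dumps(body).encode()
    return urllib.request.Request(
        API + path, data=data, method=method,
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"},
    )


def lookup_request(zone_id: str, name: str, token: str) -> urllib.request.Request:
    query = urllib.parse.urlencode({"name": name})
    return api_request("GET", f"/zones/{zone_id}/dns_records?{query}", token)


def set_proxied_request(zone_id: str, record_id: str, proxied: bool,
                        token: str) -> urllib.request.Request:
    # PATCH updates only the fields sent, so the record's IP is left untouched.
    return api_request("PATCH", f"/zones/{zone_id}/dns_records/{record_id}",
                       token, {"proxied": proxied})


def parse_lookup(resp: dict) -> Tuple[str, bool]:
    """Return (record id, proxied flag) from a dns_records list response."""
    if not resp.get("success") or not resp.get("result"):
        raise RuntimeError(f"lookup failed: {resp.get('errors')}")
    rec = resp["result"][0]
    return rec["id"], bool(rec["proxied"])


def send(req: urllib.request.Request) -> dict:
    """Perform the HTTP call (network I/O) and decode the JSON envelope."""
    with urllib.request.urlopen(req) as r:
        return json.load(r)


def toggle_for_challenge(zone_id: str, name: str, port: int, token: str,
                         run_challenge) -> bool:
    """Grey-cloud if needed, run the challenge, always restore. Returns
    whether the record was proxied before the challenge."""
    rec_id, was_proxied = parse_lookup(send(lookup_request(zone_id, name, token)))
    if needs_grey_cloud(port, was_proxied):
        send(set_proxied_request(zone_id, rec_id, False, token))
    try:
        run_challenge()
    finally:
        if was_proxied:  # restore the orange cloud even if the challenge failed
            send(set_proxied_request(zone_id, rec_id, True, token))
    return was_proxied


if __name__ == "__main__":
    # Only touches the network when the assumed environment variables are set.
    tok, zone, name = (os.environ.get(k) for k in
                       ("CF_API_TOKEN", "CF_ZONE_ID", "CF_RECORD_NAME"))
    if tok and zone and name:
        toggle_for_challenge(zone, name, 8089, tok,
                             lambda: input("run the ACME challenge, then press Enter"))
```

Note the window this opens: while the record is grey-clouded, the origin IP is visible in DNS and the server is reachable directly, so the challenge solver should be the only thing listening on that port and the toggle should be held as briefly as possible. A DNS-01 challenge (which cert-manager supports against the same Cloudflare API) avoids the toggle entirely, which is what the "wildcard cert all the things" option in the post amounts to.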
