I’m new to Cloudflare and looking for some help getting set up. I’m not sure what the best tools are to solve this particular problem. Here’s the issue:
I need to route traffic on non-standard ports over Cloudflare and have the traffic load balanced between a set of backing servers:
- establish a group of backing servers that can be updated in a single location and will be used for load balancing traffic wherever I specify (e.g. for all A records). NoIP does this very well.
- create custom firewall rules to handle traffic on non-standard ports and route it to a given group. I’d prefer firewall rules as opposed to Spectrum (which I still don’t get) as I should then be able to secure traffic at the DNS layer as well as on each server.
Quick background: I’m running a globally distributed Kubernetes cluster that has a backing storage system, allowing nodes in various regions to serve the same static content and enabling automatic failover of dynamic content. Thus, the actual IP serving any of my webapps can change at any time, but every service is accessible from any of them (assuming they’re online).
An immediate use case I have for the routing I mentioned above is cert-manager performing ACME HTTP challenges over port 8089. In this scenario, an ingress route is registered (I use Traefik for that) and Let’s Encrypt contacts the ACME challenge pod on 8089, which is new, inbound traffic. Thus, I need a way to allow Let’s Encrypt to bypass (???) Cloudflare and hit my servers on the desired URL and port. If I can create a firewall rule, I’d be able to allow such a bypass iff the request matches Let’s Encrypt (e.g. IPs, user agent, etc.).
Another example of where this would be useful is Matrix federation, which runs over port 8448.
The list goes on.
How are people routing and securing traffic over custom ports to groups of load balanced servers today?
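The "allow iff the request looks like an ACME challenge" logic asked for above, written out as an added example (it is not part of the original post and not Cloudflare's rule language). It models the decision a per-port firewall rule would make: on the challenge port, only a GET for `/.well-known/acme-challenge/<token>` with a well-formed token is allowed; on the federation port, only `/_matrix/` paths are allowed; everything else on those ports is blocked. The port numbers, the Matrix path prefix and the minimum token length are assumptions chosen for the example; the User-Agent check is advisory only, since a User-Agent is client-controlled and Let's Encrypt does not publish fixed validation IPs. One caveat when mapping this onto Cloudflare: the HTTP proxy only forwards a fixed list of ports (80, 8080, 8880, 2052, 2082, 2086, 2095 for HTTP and 443, 2053, 2083, 2087, 2096, 8443 for HTTPS), and neither 8089 nor 8448 is on it, so HTTP firewall rules never see that traffic unless it goes through Spectrum or an unproxied record.

```python
import re
from dataclasses import dataclass

# Assumed ports, matching the numbers in the post above.
ACME_PORT = 8089
MATRIX_PORT = 8448

ACME_PATH_PREFIX = "/.well-known/acme-challenge/"
MATRIX_PATH_PREFIX = "/_matrix/"  # assumption: federation API lives under /_matrix/

# Let's Encrypt validators send a User-Agent starting with this string.
# Treat it as a hint only: any client can set any User-Agent.
LE_UA_PREFIX = "Mozilla/5.0 (compatible; Let's Encrypt validation server;"

# HTTP-01 tokens are base64url; Let's Encrypt issues 43-character tokens.
# Accepting 22..128 characters is an assumption that still enforces >=128 bits.
ACME_TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]{22,128}$")


@dataclass(frozen=True)
class Request:
    port: int
    method: str
    path: str
    user_agent: str = ""


def acme_token(path: str):
    """Return the challenge token if `path` is a well-formed HTTP-01 URL, else None."""
    if not path.startswith(ACME_PATH_PREFIX):
        return None
    token = path[len(ACME_PATH_PREFIX):]
    return token if ACME_TOKEN_RE.match(token) else None


def decide(req: Request):
    """Return (action, reason) for a request on one of the custom ports.

    action is "allow" or "block"; reason is a short label suitable for logging.
    """
    if req.port == ACME_PORT:
        if req.method != "GET":
            return ("block", "acme-port-non-get")
        if acme_token(req.path) is None:
            return ("block", "acme-port-bad-path")
        # Allowed either way; a missing LE User-Agent is only worth a log line.
        if not req.user_agent.startswith(LE_UA_PREFIX):
            return ("allow", "acme-ua-mismatch")
        return ("allow", "acme-challenge")

    if req.port == MATRIX_PORT:
        if req.path.startswith(MATRIX_PATH_PREFIX):
            return ("allow", "matrix-federation")
        return ("block", "matrix-port-bad-path")

    # Ports this rule set does not own are left to the default policy.
    return ("block", "port-not-in-scope")


# Constructed sample traffic, not captured from a real server.
SAMPLE_REQUESTS = [
    Request(ACME_PORT, "GET",
            "/.well-known/acme-challenge/" + "A" * 43,
            "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"),
    Request(ACME_PORT, "GET", "/.well-known/acme-challenge/../../etc/passwd", "curl/8.0"),
    Request(ACME_PORT, "POST", "/.well-known/acme-challenge/" + "A" * 43, "curl/8.0"),
    Request(ACME_PORT, "GET", "/admin", "Mozilla/5.0"),
    Request(MATRIX_PORT, "GET", "/_matrix/federation/v1/version", "Synapse/1.0"),
    Request(MATRIX_PORT, "GET", "/", "masscan"),
]


def run_samples(requests=SAMPLE_REQUESTS):
    """Evaluate each request and return the list of (action, reason) decisions."""
    return [decide(r) for r in requests]


if __name__ == "__main__":
    for req, (action, reason) in zip(SAMPLE_REQUESTS, run_samples()):
        print(f"{req.port:5d} {req.method:4s} {req.path[:45]:45s} -> {action:5s} ({reason})")
```

Running the block prints one decision per constructed request; the path-traversal attempt, the POST, the `/admin` probe and the bare `/` scan on the federation port all come back as `block`, while the two legitimate requests are allowed.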