HTTP and SSH Proxying on the same DNS record

I’m setting up a Gitea server and want to serve HTTP and SSH via the same hostname and have both be publicly accessible. I know I can do this with just a plain DNS record, but I’d like to proxy at least the HTTP through Cloudflare, and I cannot figure out how to do this.

Things I’ve tried:

Just setting up a proxied DNS record. This proxied the HTTP traffic beautifully, but the SSH traffic just times out. Based on the docs, this is expected; the docs recommend Spectrum.

Spectrum. SSH proxying is possible via Spectrum, but it required me to delete my A record. The new record only works with SSH; HTTP traffic just errors out. I cannot add another A record once the Spectrum record is in place.

Cloudflare Tunnel Public Hostname via Zero Trust. This will work for HTTP, but SSH requires either the browser or WARP client, which does not work in a public access use case like mine. I can’t create both Spectrum and Cloudflare Tunnel records at the same time.

Please advise. Thanks.

Is there any reason why you cannot create a subdomain for the SSH access? Like ssh.example.com? That way you could use different solutions for HTTP and SSH.

1 Like

I suspect that the reason is that since it’s a Gitea instance they would like to use the same hostname for git actions regardless of whether HTTPS or SSH is chosen as the transport mechanism.

It does appear that the SSH_DOMAIN configuration variable in Gitea can set this to another domain, though.

SSH_DOMAIN: %(DOMAIN)s: Domain name of this server, used for displayed clone URL.

5 Likes
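A sketch of the split-hostname setup suggested in the replies above, as an added example that is not part of the original posts or of the poster's configuration. The hostnames `git.example.com` and `ssh.example.com` are placeholders, and the DNS arrangement described in the comments is an assumption based on the options discussed in this thread.

```ini
; Gitea app.ini (fragment) -- constructed example, hostnames are placeholders.
[server]
; Hostname for the web UI and HTTPS clones. Its DNS record is the one
; proxied through Cloudflare, so only HTTP(S) traffic reaches it.
DOMAIN     = git.example.com
ROOT_URL   = https://git.example.com/

; Hostname shown in the SSH clone URL. It defaults to %(DOMAIN)s; here it
; points at a separate record that carries SSH (a Spectrum application or
; a DNS-only record). A DNS-only record resolves straight to the origin
; address, so restrict the origin firewall to the SSH port on that path.
SSH_DOMAIN = ssh.example.com
SSH_PORT   = 22
```

With this fragment the displayed clone URLs become `https://git.example.com/owner/repo.git` and `git@ssh.example.com:owner/repo.git`; existing SSH remotes that use the old hostname have to be updated on the client side.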

Yes, the HTTPS and SSH domains can be configured separately, but it is much more user-friendly for them to be the same.

In my particular case, we are making changes to the hosting of an existing Gitea instance which has had both at the same domain for many years, so we would like to continue that.