My original setup, which I am looking to enhance with Cloudflare, is the following:
We have multiple endpoints for users: mobile webapp, desktop/tablet webapp, API, static-resources server, and so on. Most of the apps are Tomcat instances. In the staging environment all the different Tomcats are running on one physical server with a NetScaler VPX in front, which forwards/balances the traffic between one or more origin Tomcats. Example:
www-staging…domain.com -> origin1:8080, origin2:8080
desktop-staging…domain.com -> origin1:8081, origin2:8081
admin-staging…domain.com -> origin1:8085
api-staging…domain.com -> origin1:8086
and so on?
Is it possible to recreate a similar structure with Cloudflare? So far we were only able to create proxies which would require SSL and a unique IP as origin, which kind of defeats the purpose.
I mean I could technically set up an Apache with SSL vhosts and certs on my origin server, but it would just be an additional, second proxy. I would like to avoid that.
Most of these ports won’t work with Cloudflare in the first place and even 8080 won’t work with HTTPS.
Apart from that the usual rule applies: make sure everything works fine on HTTPS before proxying anything, and once that all works you can enable the proxy. It is a prerequisite that the site itself works, and that's not Cloudflare-related.
Thank you for the reply.
Maybe I mis-explained, or I'm looking for a different solution than the one Cloudflare provides.
In a 'regular' hardware load balancer I can set up a VIP, say 22.214.171.124, as an external IP which then serves my site via 443 with SSL, and internally gets the content from a set of ip:port pairs (or even a single ip:port) when I want to offload SSL to the hardware load balancer.
www.my.domain runs on the load balancer on 126.96.36.199:443 and the load balancer refers to (usually internal) IPs like 10.0.0.1:8080, 10.0.0.2:8080, 10.0.0.2:8085.
Obviously with Cloudflare the IPs have to be public.
In this scenario I get scalability (1 to many endpoints), reliability (if one origin fails, the LB switches to a backup), and SSL offloading (only the LB needs to provide SSL).
So do I understand it correctly that this scenario is not supported by Cloudflare at all?
My setup does work without Cloudflare via a pair of NetScaler VPX virtual load balancer appliances. The point is I wasn't trying to put Cloudflare in front of my load balancer, but replace it, hence the question.
As for the actual domain name, we have multiple; one of the smaller ones is https://www.cherotic.ch/ or https://www.cherotic.at - sorry for the rather explicit content.
In any case, yes your machines will need to be publicly accessible for Cloudflare to reach them, unless you opt for https://www.cloudflare.com/en-gb/products/argo-tunnel/ which will require you to install a daemon on your server which will then establish a connection with Cloudflare. In that case you could keep the addresses private.
All right, your domains are not on Cloudflare yet. You can also contact sales and discuss the best approach for your use-case, as I presume you’ll sign up for a paid plan.
Yes, I understand that. However, we already set up a different site of ours: https://… beloved.app and we found out that we can't set up the origin server as non-HTTPS and on a different port. That's exactly what I am struggling with.
So, for example, I have beloved.app as a DNS proxy with content 188.8.131.52. But I'd actually rather have it as 184.108.40.206:8080 and another address as 220.127.116.11:8081, being able to run multiple applications on the same host.
And we tried load balancing for this domain, desktop-cms…beloved.app; the origin is 18.104.22.168, but can it be for example 22.214.171.124:8080?
Especially for staging environments we run a whole bunch of services and web servers on the same machine.
(I need to make URLs unreadable; the system won't let me post otherwise.)
Not quite sure what you mean by that. Unless you are on an Enterprise plan and use Spectrum, you are tied to the ports Cloudflare offers and their protocols. The only thing you could do is use either Portzilla or a custom Worker script, which would allow you to adjust ports to a certain extent, but you'll still have to use SSL. Anything non-SSL won't fly, unless you disable SSL altogether.
I am afraid I still can't really follow your examples. But my original statement still applies. If your site is working and you are using standard ports you should not have any issues when moving to Cloudflare. You might have to change your setup to accommodate that if ports, for example, are different.
Cloudflare really doesn't do anything other than just proxy requests.
Ok, first of all thank you for your time!
I will try to make a very simple example.
I want my site to be served under https://www.mydomain.com by Cloudflare and Cloudflare to proxy those requests to myip:8080 (as HTTP).
Then I further want https://anotherapp.mydomain.com to also be served by Cloudflare and Cloudflare to proxy those requests to myip:80 (as HTTP).
Same origin IP in both cases, no SSL in both cases on origin.
That won't work; for starters you can't break the protocol and would need to proxy onwards as HTTPS. That break might work in a local context, but in Cloudflare's case you'd be exposing all your data on public networks; you'd essentially turn your site into HTTP.
Same issue here, though the hostname part could be achieved with either Workers or hostname overrides in the context of an Enterprise plan.
Again, forget about the security breaking part, only the hostname part might be achievable but not without costs.
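To illustrate the "hostname part" that the two replies above say a Worker script can handle, here is an added example (not code from the thread or from Cloudflare) of a Worker that maps each public hostname to an origin host and port while keeping HTTPS on the origin leg, as the reply insists. The hostnames, origin host and port assignments are constructed assumptions; the allowed-port list is the set of non-443 HTTPS ports Cloudflare proxies.

```javascript
// Added example: hostname-based routing in a Cloudflare Worker that never
// downgrades to plain HTTP towards the origin.
// ROUTES is a constructed assumption: each proxied hostname points at the
// same origin host, but at a different HTTPS port, so several Tomcat apps
// can share one machine. Cloudflare only proxies HTTPS on 443, 2053, 2083,
// 2087, 2096 and 8443, so each app must listen (with TLS) on one of those.
const ROUTES = {
  "www.mydomain.com":        { host: "origin.mydomain.com", port: 8443 },
  "anotherapp.mydomain.com": { host: "origin.mydomain.com", port: 2053 },
};

const ALLOWED_HTTPS_PORTS = new Set([443, 2053, 2083, 2087, 2096, 8443]);

// Pure routing function, kept separate from the Worker runtime so it can be
// unit-tested. Returns the rewritten origin URL, or null when the hostname is
// unknown or its configured port is not one Cloudflare will proxy.
function mapToOrigin(urlString) {
  const url = new URL(urlString);
  const route = ROUTES[url.hostname];
  if (!route || !ALLOWED_HTTPS_PORTS.has(route.port)) return null;
  url.protocol = "https:";       // origin leg stays encrypted across the public network
  url.hostname = route.host;
  url.port = String(route.port); // the URL class drops ":443" itself, as it is the default
  return url.toString();
}

async function handleRequest(request) {
  const target = mapToOrigin(request.url);
  if (target === null) {
    // Unknown hostname: fail closed rather than forwarding to a default app.
    return new Response("unknown hostname", { status: 404 });
  }
  // Method, headers and body are forwarded unchanged; only the destination differs.
  return fetch(new Request(target, request));
}

// Worker entry point; addEventListener exists only inside the Workers runtime.
if (typeof addEventListener === "function") {
  addEventListener("fetch", (event) => event.respondWith(handleRequest(event.request)));
}
```

Path, query string and method pass through untouched, so the Tomcat behind each port sees the same request it would have received from the NetScaler.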