Non supported ports in proxy mode

Hi all,

I cannot seem to find solid information on this so thought to post in the community.

I have a site which is currently in DNS mode. I am using business plan. I would like to know what happens to traffic to this domain when in proxy mode, where the port is not on the list of supported proxy ports.

Specifically, say I enable proxy mode on - any traffic 8080/443 will be proxied over Cloudflare and will be checked/protected using the WAF/Bot Management and other tools. But, what happens to other ports?

Say I have a need for UDP 2598 to
Will this traffic hit Cloudflare and be dropped as it is not on the list of supported proxy ports? Or, will the traffic be routed outside of proxy mode like it does in DNS only mode? Or, will it do something else? Will the non standard ports tcp/udp still route to the destination, just not over Cloudflare, whilst the standard/supported ports like 443/8080 will go over the proxy and be checked?
So, what happens to other ports on the above link in proxy mode?

I am not using Spectrum as the ports I would need are only available in enterprise, and enterprise needs lots of other subscriptions to things I do not want or need.

Thank you

Precisely. Any connections to non-supported ports will be rejected. Only exception is Spectrum where you can, depending on your plan level, configure additional services, but only with Enterprise you’ll be able to configure arbitrary ports.

In your case you might want to configure additional non-proxied records and use them for any services not supported by your plan.

I hoped that would not be the case. Do you know if there is any way to get to enterprise but only subscribe to spectrum? I do not need the other features of enterprise.

Once you are on Enterprise you can negotiate most features, but Enterprise itself will set you back by a nice amount every month.

Is UDP 443 going to work in proxy mode? Or tcp only?

On a regular plan? UDP 443 should work as that is where HTTP 3 is running, but that will still be TCP to the origin.

What I can see in Wireshark from my source to the server is:

Protocol: DTLSv1.0
Destination port 443
Type: UDP

If I enable proxy mode, will that fail?

I am using business $200 pcm plan

The proxies should accept a connection to UDP 443 but they won’t connect to your server via UDP. Cloudflare still uses mostly HTTP 1 for that.

In this case, should I expect this would not work without spectrum?

I suspect your question is “can I run my application on a supported port and have Cloudflare act in a NAT only mode”. The answer is no. Cloudflare will terminate the requests using the standard proxy ports, and any protocol other than HTTP/HTTPS will not work.

You need to use a separate hostname for the non-HTTP protocols.

With Spectrum it should work as Cloudflare won’t proxy in that case but tunnel. But again, that requires an Enterprise plan.

If you are after HTTP 3 on UDP 443, then yes, Cloudflare will support that but the connection to your server will be a regular TCP one.

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.