Proxy doesn't work on port 2087

I have a very simple websocket service proxied through Cloudflare which is working fine with port 443:
user (TLS) --> (443) CF Edge server --(Flexible)--> (80) web server
I want to use port 2087 on the CF Edge server, like this:
user (TLS) --> (2087) CF Edge server --(Flexible)--> (80) web server
but it doesn't work. I did some research and found this in the documentation:

The WAF’s Cloudflare Managed Ruleset includes a rule that will block traffic at the application layer (layer 7 in the OSI model), preventing HTTP/HTTPS requests over non-standard ports from reaching the origin server.

I think this is the issue. How can I manually unblock port 2087 to reach the origin server?

  1. You shouldn’t use the legacy mode Flexible in the first place, as that breaks your site and keeps it insecure and without encryption
  2. To prove #1, port 2087 requires a proper SSL setup and you could only rewrite the port, but it would still require a proper setup

In short, fix the security setup by switching to Full Strict and deploying a proper certificate. Once that works you should be able to rewrite to port 80, however that will still require said setup.

Thank you for your reply.
I knew the Flexible setting is not end-to-end encrypted. Users to CF are encrypted but CF to origin server is not, which was fine in my use case.
I found out what the problem was and the solution.
CF treats non-standard ports differently. The SSL/TLS settings do not apply to them and they are forwarded to the same port on the origin server.
So in my case CF was proxying the request in TLS mode to origin server port 2087.
I used a self-signed certificate and made the web server listen on TLS port 2087, and now it is working fine.

I am afraid it is never fine and is not only dishonest, but will also break your site.

As mentioned you need a proper certificate, a self-signed one does not secure it either. You can use any of the free certificates.

