Proxying just Web traffic, but not *other* ports on the *same* server entry

Hi all,

I have what seems to be a very stupid question.
Obviously, Cloudflare works as a very sophisticated web proxy. It can handle several different ports, and you can add more if you’re on a paid account, which will have access to Cloudflare Spectrum — this will allow proxying traffic for other services beside HTTP/HTTPS.
So far, so good.
Activating Cloudflare on one subdomain but not on another will expose the real server IP addresses of all subdomains not activated (i.e. ‘grey cloud’). Subdomains being proxied (‘orange cloud’) will use one of the many Cloudflare IP addresses.
Still good.
Now, here comes my issue. I have several different services running on a specific subdomain, say, subdomain.mydomain.tld. Let’s imagine it’s my main mail server, but it also runs Jabber, IRC, and a few non-standard obscure applications on other ports, most of which are ‘above 1024’. Some of these might even use quasi-HTTP traffic (imagine specific RESTful APIs with a very limited feature set), but most will simply use whatever protocol is specific to them (such as, say, SSH, or games).
In general, such subdomains will be configured as unproxied — thus their IP address will be the real IP address for the server where such applications are running. In fact, Cloudflare won’t be doing anything with a ‘grey cloud’ subdomain, except for resolving DNS requests. All traffic will go directly from the client to the server, bypassing Cloudflare entirely — as it should. Spectrum users might have different needs and the ability to configure Spectrum to fit their needs, but regular, non-paying users either have the choice of having their server fully exposed to the Internet or to have its web traffic proxied via Cloudflare.
Some users have found the need to selectively proxy requests depending on the actual URL being passed (see “I want to bypass url redirection for some urls and do the redirection on all other urls specified in my pattern”) and use some kind of pattern matching. This is also possible — but, again, it might require Spectrum or some extra options on the Dashboard which are only available to paying customers.
Well, my needs are a little different.
subdomain.mydomain.tld, as said, runs (for the sake of an example) SMTP mail, SSH, IRC, and a few other specific protocols which are used by gaming networks. To activate those, all that is needed is to turn the proxy directive to off. Ok, that’s easy to do.
But what if that subdomain also runs an HTTP server?
A typical example: since subdomain.mydomain.tld runs a mail server using Postfix + Dovecot, and because the reverse IP of a mail server must match its domain name, it cannot be proxied by Cloudflare, but needs to be ‘fully exposed’ to the Internet; but what if this very same server also runs a webmail service? It would certainly benefit from Cloudflare protection; since such a server might run only on ports 80 and 443, these would be the only ports requiring proxying, while leaving the remaining ports ‘exposed’ to the Internet.
Currently, the only alternative that I found for the above issue is to add a new subdomain, possibly even only with a CNAME (e.g. have a webmail.mydomain.tld CNAME’d to subdomain.mydomain.tld), and click the orange cloud only for the CNAME, not for the ‘real’ server.
While this works, it does not cover all possible use-cases; in some scenarios, it might be impossible — or impractical — to add a CNAME just to get full Cloudflare protection on the (standard) web services, while leaving the remaining ports exposed.
Perhaps I’m over-complicating things (since I always have the CNAME workaround); or perhaps this is incredibly easy to accomplish — I just can’t find the appropriate option on the dashboard, and I might not have hit on the precise set of keywords that will search for the answer I need…
What I’m asking for is a more fine-grained solution (it could be a rule, or a checkbox…) where I can configure Cloudflare to effectively proxy ports 80 and 443 (and the others mentioned before), but not any other port, which will remain ‘exposed’ to the Internet.
Is that possible?
Sorry for the long question, but I hope that it makes sense to you…


What you seem to be asking is that only requests to 80 and 443 go via the proxies and all the rest goes directly to the server. Is that right?

That’s not possible as DNS is hostname specific and does not know anything about ports. A hostname can only resolve to “one” address and that will be either the proxies or the origin, you can’t split by port.

What you could do (but that would be on a whole different level and would require support from the client software) is use SRV records instead, which do support specifying the service and port. In that case you could set up an SRV record for service A and point it to a proxied hostname and another SRV record for service B and point it to an unproxied one. However, that would require that the client software supports SRV records, and browsers, for example, do not.

You don’t have to turn anything off. Just add MX records in your DNS for email. The other services should work fine with the ‘proxying’ on.
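The three pieces discussed in this thread (the CNAME workaround from the question, the SRV split from the first reply, and the MX record from the last reply) written out together as one BIND-style zone fragment. This is an added example, not zone data from any poster or from Cloudflare: the domain, the IP address and the service names are placeholders, and the proxied/DNS-only state is set per record in the dashboard, so the `; cloud:` comments only document the intended setting.

```zone
; Constructed example zone for mydomain.tld (not from the thread).
; Orange/grey cloud is a per-record dashboard setting, not zone syntax;
; the "; cloud:" comments record the setting each line is meant to have.
$ORIGIN mydomain.tld.
$TTL 300

; Origin host carrying mail, SSH, IRC and game ports. Stays DNS-only so
; clients reach the real address and reverse DNS keeps matching the name.
; Note: this record publishes the origin IP, so proxying other names does
; not hide the server; it only shields the web ports behind those names.
subdomain          IN A     192.0.2.10                 ; cloud: grey (DNS-only)

; Mail delivery: MX points at the DNS-only host, so SMTP goes direct
; regardless of how other names in the zone are configured.
@                  IN MX 10 subdomain.mydomain.tld.

; Web-only alias onto the same machine, proxied. Clients asking for this
; name get Cloudflare addresses, so only 80/443 are reachable through it;
; every other port on the box is still reached via the DNS-only name.
webmail            IN CNAME subdomain.mydomain.tld.    ; cloud: orange (proxied)

; SRV split for protocols whose clients honour SRV (XMPP does, browsers
; do not): the record name carries the port, and each service can point
; at a different host. Non-HTTP ports go to the DNS-only name; a service
; that actually speaks HTTPS can be pointed at the proxied name instead.
_xmpp-client._tcp  IN SRV 0 5 5222 subdomain.mydomain.tld.  ; direct to origin
_xmpp-server._tcp  IN SRV 0 5 5269 subdomain.mydomain.tld.  ; direct to origin
_https._tcp        IN SRV 0 5 443  webmail.mydomain.tld.    ; via the proxy
```

Verifying the split is a matter of resolving each name: the DNS-only name should return the origin address, the proxied alias Cloudflare addresses, and the MX and SRV targets the host you intended for that service.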
