Specifying Ports For Origin Server?

Hello, I am new to Cloudflare (using the free CDN service) and have a question that I’m hoping someone can help me out with.

I have an Apache web server running on CentOS behind a firewall that I would like to limit to SSL only. I have confirmed it is accessible by IP over the internet and I am at the part where I just need to set up SSL between Cloudflare CDN and the origin server.

However, I need to host two websites on different domains that must both be SSL only. If I’m understanding the Apache documentation correctly, it is saying that to do multiple domains/websites on the same server, I must use virtual hosts which seems to work fine on http port 80 but not 443 https for separate domains. The documentation seems to indicate that this is expected behavior and to host multiple https websites for multiple domains I just need to create a 2nd CentOS/Apache server.

I can do that but I only have one single public IP to work with at the moment. So, I was thinking of setting up a 2nd server that listens on a custom SSL port so I can just port forward and they can share the same public IP. But with Cloudflare, I’m not seeing the option to specify the custom port for the origin server to tell Cloudflare to try a specific, custom https port for a specific domain.

Does anyone know where/how I can set that option or if what I’m trying to do is even possible?

Thank you so much in advance for any time and assistance!

Maybe Portzilla can help.

I think the correct domain for that application may be portzilla.networkchimp.com instead?


Thank you for the reference! Yes, if this is not a native option in Cloudflare, it looks like this may be the way to go.


I do not believe this is correct, and it has not been correct for a very long time. Can you link to the documentation you are using? An Apache config like this should work. It requires the browser to support SNI, but that has not been an issue since the Windows XP days. Apache v2.2.12 (released 11 years ago!) and OpenSSL v0.9.8j and later support SNI.

<VirtualHost *:443>
    ServerName www.example.com
    ServerAlias example.com
    SSLEngine on
    SSLCertificateFile certs/example.com.pem
    SSLCertificateKeyFile certs/example.com.key
</VirtualHost>

<VirtualHost *:443>
    ServerName www.example.net
    ServerAlias example.net
    SSLEngine on
    SSLCertificateFile certs/example.net.pem
    SSLCertificateKeyFile certs/example.net.key
</VirtualHost>

SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite          ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305
SSLHonorCipherOrder     off
SSLSessionTickets       off
SSLUseStapling On
SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"

There is no need for custom ports or similar tricks.

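A config like the one above only works as intended when every hostname maps to exactly one *:443 vhost, each vhost carries a ServerName, SSLEngine on, and its own certificate and key. The following lint is an added example (not from the thread or the Apache project) that checks those points; its sample config is constructed from the two posted vhosts with a deliberately broken third block appended.

```python
import re
from collections import Counter
# Constructed sample: the two *:443 vhosts posted above, plus a deliberately broken third.
SAMPLE_CONFIG = """
<VirtualHost *:443>
    ServerName www.example.com
    ServerAlias example.com
    SSLEngine on
    SSLCertificateFile certs/example.com.pem
    SSLCertificateKeyFile certs/example.com.key
</VirtualHost>
<VirtualHost *:443>
    ServerName www.example.net
    SSLEngine on
    SSLCertificateFile certs/example.net.pem
    SSLCertificateKeyFile certs/example.net.key
</VirtualHost>
<VirtualHost *:443>
    ServerAlias example.com
    SSLCertificateFile certs/example.org.pem
</VirtualHost>
"""

def parse_vhosts(config):
    """One dict per <VirtualHost> block: listen address plus directives (ServerAlias as a list)."""
    vhosts = []
    for addr, body in re.findall(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", config, re.S):
        vh = {"addr": addr.strip(), "ServerAlias": []}
        for parts in (line.split() for line in body.splitlines()):
            if not parts or parts[0].startswith("#"):  # blank line or comment
                continue
            if parts[0] == "ServerAlias":
                vh["ServerAlias"] += parts[1:]
            else:
                vh[parts[0]] = " ".join(parts[1:])
        vhosts.append(vh)
    return vhosts

def check_tls_vhosts(config):
    """Flag the mistakes that stop SNI from selecting the right *:443 vhost."""
    problems, names = [], Counter()
    for v in (v for v in parse_vhosts(config) if v["addr"].endswith(":443")):
        label = v.get("ServerName", f"unnamed {v['addr']} block")
        problems += [f"{label}: missing {d}" for d in
                     ("ServerName", "SSLCertificateFile", "SSLCertificateKeyFile") if d not in v]
        if v.get("SSLEngine", "").lower() != "on":
            problems.append(f"{label}: SSLEngine is not 'on'")
        names.update(v["ServerAlias"] + ([label] if "ServerName" in v else []))
    problems += [f"{n} is claimed by {c} vhosts; only the first loaded is ever served"
                 for n, c in names.items() if c > 1]
    return problems
```

Run against the two posted vhosts alone it returns an empty list; the appended third block is reported for its missing ServerName and key file, SSLEngine not being on, and for claiming example.com a second time.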

Thank you so much for this information! I’m a bit new to this so I think I was confused by this document I was reading: https://cwiki.apache.org/confluence/display/HTTPD/NameBasedSSLVHosts where it states “As a rule, it is impossible to host more than one SSL virtual host on the same IP address and port.” This is dated May, 2019. But then there is a link to info on SNI at the top of that same page that I completely overlooked. I probably just botched the config so I’ll use yours as a baseline. Thank you so much for setting me straight! I just need to be slapped around a bit until I know what I’m doing. 🙂

Okay, yup, you were of course right. I’ve used your example as a baseline and fixed my configuration errors. Everything seems to be working as expected now. Thank you so much!

I suspect that is the date they bulk migrated all the content on that wiki to a new platform.