Unable to use proxy on A record

I have a domain bought from Melbourne IT: mydomain.net.

I’ve had the DNSSEC records disabled, and I’ve set up the name servers on Melbourne IT as per the DNS records below.

When I set up the A record with mydomain pointing to my DigitalOcean droplet IP address, I can only access the running website using Postman or a browser if I set the A record to DNS Only. If I change that setting to proxy, it’s no longer accessible using Postman or a browser.

My understanding is that with DNS Only as the setting my IP address is revealed to all, thus making my site more vulnerable.

Any tips on how to get it working with proxy would be appreciated.

Here’s my full set of DNS records (exported, with the DNS name and IP address changed):

my-domain.net 3600 IN SOA jose.ns.cloudflare.com. dns.cloudflare.com. 2045945487 10000 2400 604800 3600

;; NS Records
There are two for my-domain and they point to Cloudflare name servers (removed them as per the noob restriction).

;; A Records
my-domain.net. 1 IN A 170.69.179.666

;; CNAME Records
There are two, mail and www, for mydomain (removed them as I’m only allowed 4 links as a noob).

What’s the specific error message or code you’re getting? “No longer accessible” could mean a million different things!

Can you share the actual domain name (with Proxy enabled) so we can take a look?

And are you running this over standard HTTP/S ports (80/443)? Cloudflare Proxy works over a limited number of ports: Network ports · Cloudflare Fundamentals docs

Thanks for the quick reply, you are cool!

I’ve enabled proxy on the dns A record and will leave it enabled till I hear back from you.

Previously, with proxy disabled (DNS Only), the two links below worked: the first presents a web UI in Firefox, the second returns a JSON payload in Postman. Both will prompt for HTTP Basic authentication.

https://tnt-integration.net:3060/

https://tnt-integration.net:3060/jvm-info/memory

With proxy enabled, both now return:

Firefox: An error occurred during a connection to tnt-integration.net:3060.
Postman: Error: Request timed out

This same application is running on another Cloudflare-fronted server with the DNS A record proxied, which has led me to believe port 3060 should be OK? I do plan to put a reverse proxy in place so it will use port 80 in the future.

Here’s the firewall status:

sudo ufw status

Status: active

To Action From

22543/tcp ALLOW Anywhere
22/tcp ALLOW Anywhere
80/tcp ALLOW Anywhere
3060/tcp ALLOW Anywhere
22543/tcp (v6) ALLOW Anywhere (v6)
22/tcp (v6) ALLOW Anywhere (v6)
80/tcp (v6) ALLOW Anywhere (v6)
3060/tcp (v6) ALLOW Anywhere (v6)


Hey there @tony52,

Unfortunately, port 3060 isn’t a default port that is compatible with the Cloudflare proxy, hence the issue you’re facing accessing https://tnt-integration.net:3060 when enabled.

You can view more on this here: Network ports · Cloudflare Fundamentals docs

To create extra UDP/TCP allowances for additional ports, you will need to look at upgrading your current plan to Cloudflare’s Enterprise plan and look into Cloudflare Spectrum: Protocols per plan · Cloudflare Spectrum docs

I hope this helps!


Thanks again. I’ve updated Tomcat to use port 8080 and updated the firewall:

sudo ufw status
Status: active

To Action From

22543/tcp ALLOW Anywhere
80/tcp ALLOW Anywhere
8080/tcp ALLOW Anywhere
8443/tcp ALLOW Anywhere
22543/tcp (v6) ALLOW Anywhere (v6)
80/tcp (v6) ALLOW Anywhere (v6)
8080/tcp (v6) ALLOW Anywhere (v6)
8443/tcp (v6) ALLOW Anywhere (v6)

Yet when I try to access it via https://tnt-integration.net:8080/ using Firefox, I get:

Secure Connection Failed

An error occurred during a connection to tnt-integration.net:8080. SSL received a record that exceeded the maximum permissible length.

Error code: SSL_ERROR_RX_RECORD_TOO_LONG

and on postman:

Error: write EPROTO 74041224:error:100000f7:SSL routines:OPENSSL_internal:WRONG_VERSION_NUMBER:…......\src\third_party\boringssl\src\ssl\tls_record.cc:242:

This was working fine with the A record set to DNS Only on port 3060.

Any/all advice appreciated.


Cloudflare’s proxy port 8080 is for HTTP only, not HTTPS. Use 8443 instead, or consider Origin Rules to tell Cloudflare to connect to your origin on any port while using port 443 at the edge.

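
The two replies above (port 3060 is not a proxied port at all; 8080 is proxied for plain HTTP only, 8443 for HTTPS) describe a check that is easy to automate before flipping a record to proxied. The script below is an added example for this thread, not Cloudflare’s own tooling: it classifies a URL by scheme and port against Cloudflare’s documented HTTP and HTTPS proxy port lists, and audits a `sudo ufw status` listing (a constructed sample modelled on the one posted above) to show which allowed ports the proxy will ever forward to. The hostname is taken from the thread; the failure descriptions are the ones reported in it.

```python
"""Check which ports a proxied (orange-cloud) Cloudflare DNS record can reach.

Added example for this thread, not Cloudflare's own tooling. The port sets are
Cloudflare's documented HTTP/HTTPS proxy ports for all plans; the ufw output
used in main() is a constructed sample modelled on the one posted above.
"""
import re
from urllib.parse import urlsplit

# Ports the Cloudflare proxy accepts at the edge, split by the protocol it
# expects on each. Anything else only works on a DNS Only record (or Spectrum).
CF_HTTP_PORTS = {80, 8080, 8880, 2052, 2082, 2086, 2095}
CF_HTTPS_PORTS = {443, 2053, 2083, 2087, 2096, 8443}

# One `ufw status` line for an allowed TCP port, e.g. "8443/tcp (v6) ALLOW Anywhere (v6)".
UFW_RULE = re.compile(r"^(\d+)/tcp(?: \(v6\))?\s+ALLOW\s+(.+)$")


def classify_url(url: str, proxied: bool = True) -> str:
    """Explain what a client will see when it opens `url` against a proxied record."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    port = parts.port or (443 if scheme == "https" else 80)
    if not proxied:
        return "dns-only: client connects straight to the origin IP on port %d" % port
    if port in CF_HTTPS_PORTS:
        if scheme == "https":
            return "ok"
        return "plain HTTP on an HTTPS-only proxy port: expect an error"
    if port in CF_HTTP_PORTS:
        if scheme == "https":
            # The edge answers in plaintext HTTP, so the TLS client rejects the
            # first record (SSL_ERROR_RX_RECORD_TOO_LONG / WRONG_VERSION_NUMBER).
            return "https on an HTTP-only proxy port: TLS handshake fails"
        return "ok"
    return "port %d is not proxied by Cloudflare: connection times out" % port


def audit_ufw(status_text: str) -> dict:
    """Map every allowed TCP port in `ufw status` output to its proxy reachability."""
    verdicts = {}
    for line in status_text.splitlines():
        m = UFW_RULE.match(line.strip())
        if not m:
            continue
        port = int(m.group(1))
        if port in CF_HTTPS_PORTS:
            verdicts[port] = "proxied (HTTPS)"
        elif port in CF_HTTP_PORTS:
            verdicts[port] = "proxied (HTTP only)"
        else:
            # Still open to the world at the origin IP; the proxy never hides it.
            verdicts[port] = "not proxied: only reachable directly at the origin IP"
    return verdicts


# Constructed sample, modelled on the second `sudo ufw status` listing in the thread.
SAMPLE_UFW_STATUS = """\
Status: active

To                         Action      From
--                         ------      ----
22543/tcp                  ALLOW       Anywhere
80/tcp                     ALLOW       Anywhere
8080/tcp                   ALLOW       Anywhere
8443/tcp                   ALLOW       Anywhere
22543/tcp (v6)             ALLOW       Anywhere (v6)
80/tcp (v6)                ALLOW       Anywhere (v6)
8080/tcp (v6)              ALLOW       Anywhere (v6)
8443/tcp (v6)              ALLOW       Anywhere (v6)
"""


def main() -> None:
    # The three URLs tried in the thread, in the order they were tried.
    for url in ("https://tnt-integration.net:3060/",
                "https://tnt-integration.net:8080/",
                "https://tnt-integration.net:8443/"):
        print(url, "->", classify_url(url))
    for port, verdict in sorted(audit_ufw(SAMPLE_UFW_STATUS).items()):
        print("%5d/tcp: %s" % (port, verdict))


if __name__ == "__main__":
    main()
```

Run it as `python3 cf_ports.py`; the last line of the audit is the part worth keeping an eye on, since any port the proxy does not forward is reachable only by whoever already knows the origin IP, and ufw still allows it from anywhere.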

Thanks for your patience with me. It’s all working fine now with proxy enabled on the A record.

