Using an Origin Certificate on a nonstandard port?

Hi,

I’m trying to secure a public-facing Node-Red install using a Cloudflare Origin key/certificate (SSL “Full” mode in Cloudflare).

The setup on the Node-red side seems fairly straightforward - reference the key and the certificate from its settings.js config file.

Sadly things aren’t working, which got me wondering if it is related to the fact that the default Node-Red admin port is 1880, not 443 as used on most HTTPS-protected webservers?

Thanks

That should be Full Strict to begin with.


In addition to 80 and 443, the list of supported ports on CloudFlare is:

2052
2053
2082
2083
2086
2087
2095
2096
8080
8443
8880

Taken from here: https://blog.cloudflare.com/cloudflare-now-supporting-more-ports/


Thanks, so the suggestion is that my Node-Red install listens on one of the Cloudflare-supported ports such as 8443? I’ll give that a try. Do those ports need to be enabled anywhere in Cloudflare or are they just “on”?

They are on and I believe you need to actively disable them in the panel (if you wished to).
Bear in mind that while CloudFlare will now proxy traffic through these ports, they won’t cache static content or perform any performance or app transformations on requests/responses that flow through them.

Thanks. Any idea where in the panel I might find them? I’ve hunted around without any luck.

You can block traffic on ports other than 80 and 443 in Cloudflare paid plans by doing one of the following:

  • If you are using Cloudflare Firewall, enable rule ID 100015: “Anomaly:Port - Non Standard Port (not 80 or 443)”.
  • If you are using the new Cloudflare Web Application Firewall (WAF) announced in March 2021, create a Custom Firewall rule for this purpose (rule ID 100015 was deprecated in the new WAF). For example, you could use a rule configuration similar to the following:
    • Expression: not (cf.edge.server_port in {80 443})
    • Action: Block
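
A way to catch the port problem from this thread before deploying, as an added example that is not part of the original posts: it splits the supported ports into those Cloudflare proxies as HTTP and those it proxies as HTTPS (per Cloudflare's network-ports documentation) and builds the `uiPort`/`https` part of a Node-RED settings.js. The helper names and file paths are assumptions.

```javascript
// Added example, not code from the thread. Helper names and paths are hypothetical.

// Ports Cloudflare proxies, split by the protocol spoken on them
// (from Cloudflare's network-ports documentation).
const CF_HTTP_PORTS = [80, 8080, 8880, 2052, 2082, 2086, 2095];
const CF_HTTPS_PORTS = [443, 2053, 2083, 2087, 2096, 8443];

// Which scheme, if any, Cloudflare will proxy on this port.
function cloudflareScheme(port) {
  if (CF_HTTPS_PORTS.includes(port)) return "https";
  if (CF_HTTP_PORTS.includes(port)) return "http";
  return null; // e.g. Node-RED's default 1880: not reachable through the proxy
}

// Build the listener part of a Node-RED settings.js for an origin that serves
// TLS with a Cloudflare Origin certificate. Throws if the chosen port cannot
// carry HTTPS through Cloudflare. readFile is injectable so the check can be
// exercised without real key material.
function nodeRedTlsSettings(port, keyPath, certPath,
                            readFile = (p) => require("fs").readFileSync(p)) {
  const scheme = cloudflareScheme(port);
  if (scheme !== "https") {
    const why = scheme === "http"
      ? "Cloudflare proxies this port for HTTP only"
      : "not proxied by Cloudflare";
    throw new Error(`port ${port}: ${why}`);
  }
  return {
    uiPort: port,
    https: { key: readFile(keyPath), cert: readFile(certPath) },
  };
}

// In settings.js (placeholder paths):
// module.exports = {
//   ...nodeRedTlsSettings(8443, "/path/to/origin-key.pem", "/path/to/origin-cert.pem"),
//   /* remaining Node-RED settings */
// };
```

A custom rule such as `not (cf.edge.server_port in {80 443})` with action Block would also block 8443, so a setup that moves Node-RED to 8443 needs that port excluded from the rule.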