Using cloudflare with specific port request (such as ipfs)

Hi all. Just ported from Namecheap to Cloudflare’s free service.

Good news, my mail server is working just fine.
Bad news, not much else is.

  1. UptimeRobot’s port tests are all failing when using DNS, but work fine if I hardcode an IP. Is there a way to tell Cloudflare to pass along specific port requests when it redirects via proxy? Should I even have proxy enabled for those DNS addresses? If I don’t, will I still get some level of DDoS protection?

  2. When I use Linux to do an nslookup, with Cloudflare as the specific name server, I get a response as expected with 2 IPv4 and 2 IPv6 addresses.

When I use Windows 11 nslookup to do the same I’m getting “No response from server”

A) Find that odd
B) Is there any way to tell Cloudflare NOT to provide IPv6 addresses, since my ISP doesn’t support it?

  3. Access to my internally hosted Apache2 webpages is now broken for external access. They are still using Let’s Encrypt certificates, which feels redundant, since Cloudflare is providing certificates, right?
> <VirtualHost 172.16.4.20:443>
>     ServerName www.kevinsthoughts.com
>     DocumentRoot /home/thoughts/public_html/wordpress
>     # TLS settings file installed by certbot (SSLEngine on, protocols, ciphers)
>     Include /etc/letsencrypt/options-ssl-apache.conf
>     # Let's Encrypt leaf certificate plus intermediate chain, and the matching private key
>     SSLCertificateFile /etc/letsencrypt/live/www.kevinsthoughts.com/fullchain.pem
>     SSLCertificateKeyFile /etc/letsencrypt/live/www.kevinsthoughts.com/privkey.pem
> ...

Any suggestions of what I need to do to clean up the above vhost.conf example?

Background) I really started this effort in order to take advantage of Cloudflare’s SSL proxy support for a newly installed IPFS service. Cloudflare’s DDOS protection is, of course, an added bonus. Potentially not having to fool with LetsEncrypt is just extra candy.

  4. Although it appears to be working, I’m a bit concerned about my Postfix-based mail service. As do all reasonably up-to-date mail services, it too uses SSL and is currently using Let’s Encrypt certificates. If I could eradicate Let’s Encrypt completely, I could free up port 80 for other uses (like my IPFS gateway). Is that possible?

Thanks in advance,
Kevin N. Carpenter

Here are the ports supported by Cloudflare. Cloudflare doesn’t perform any* port translation in its proxy service. If the client connects to port 443 on Cloudflare, the request is forwarded to port 443 on the origin server.

*Technically there is a setting that will allow HTTPS requests to Cloudflare to forward to the origin server via HTTP, but you really shouldn’t do that, so let’s not dwell on it.

Concerning Cloudflare-synthesized AAAA RRs, the previous caveat I marked with an asterisk applies. Loosely translated, that’s a “No, but technically maybe yes, and also, just don’t.” If your ISP doesn’t support IPv6, your devices should not make any attempts to access your site using IPv6, rendering the topic largely irrelevant.

Your vhost question really depends on how you will be accessing your site. You still need some certificates to secure your origin site. If all access will be through Cloudflare, you could replace your Let’s Encrypt certificate with a Cloudflare origin certificate. Your site will throw an error if you attempt to visit it directly, so you may want to keep your Let’s Encrypt certificates in place. You will need to be careful with certain HTTPS settings in Cloudflare if you use the HTTP-01 validation method.

If you have a Postfix instance that relies on the same LE certificate, you may need to rethink your strategy. Only you can determine what is going to work properly for your Postfix server. If you haven’t yet reviewed the ports documentation I linked earlier, when you do, you will note that it does not include any email ports. This means you cannot proxy any email hostnames without breaking your email, dedicated webmail hostnames excepted.


Thanks for your rapid response.

Actually, I have a use case for your exception: IPFS runs on an HTTP port (8080). I’m looking for Cloudflare to accept HTTPS requests to that port, handle the security, and pass the unsecured HTTP traffic to my IPFS server. Is it possible to bring HTTPS services to my otherwise HTTP server that way?

IPFS also announces itself on port 4001. I can configure my external monitor (UptimeRobot) to monitor via IP address, which works for that. I’m somewhat confident all 4001 traffic will be direct; only HTTP(S) port 8080 traffic will be via DNS, and thus Cloudflare. I think.

Cloudflare only accepts and forwards HTTP connections on port 8080.

It might be worth checking out the IPFS gateway and Cloudflare Web3 docs to see if there is more suitable approach.

The documentation indicates that it is a paid add-on, but I haven’t had much luck finding the pricing. Maybe it’s visible in the dashboard.
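The two replies above state the rules that decide whether a proxied hostname will work at all: the proxy does no port translation (the client's port is the origin's port), it only accepts a fixed list of HTTP and HTTPS ports, port 8080 is HTTP-only, and no mail port is ever forwarded, so MX targets must stay DNS-only. The following is an added example, not code from the thread or from Cloudflare, that encodes those rules as a pre-flight check over a planned DNS layout. It assumes Cloudflare's published network-port list at the time of writing; the `Record`/`check_zone` names and the `example.com` zone are constructed for the illustration and mirror the poster's setup (web site on 443, IPFS gateway on 8080 and 4001, Postfix on 25/587).

```python
"""Pre-flight check of a Cloudflare DNS layout against the proxy's port rules.

Added example, not from the thread. Hostnames, addresses and ports below are
constructed sample data, not a real zone.
"""
from dataclasses import dataclass, field

# Ports the Cloudflare proxy accepts, per its "Network ports" documentation
# (assumption: the published list at the time of writing).
HTTP_PORTS = {80, 8080, 8880, 2052, 2082, 2086, 2095}
HTTPS_PORTS = {443, 2053, 2083, 2087, 2096, 8443}
# Common mail ports; none appear in the lists above, so a proxied mail host breaks.
MAIL_PORTS = {25, 110, 143, 465, 587, 993, 995}


@dataclass
class Record:
    name: str
    rtype: str                 # "A", "AAAA", "CNAME" or "MX"
    value: str                 # address, or target hostname for CNAME/MX
    proxied: bool = False      # orange cloud on/off
    # port -> protocol the origin speaks on that port ("http", "https", "smtp", "tcp", ...)
    services: dict = field(default_factory=dict)


def check_service(name, port, scheme):
    """Return a finding for one service behind a proxied record, or None if it will work."""
    if port in MAIL_PORTS:
        return (f"{name}:{port}: mail ports are never forwarded by the proxy; "
                f"set this record to DNS-only")
    if scheme == "https":
        if port in HTTPS_PORTS:
            return None
        hint = " (the proxy speaks plain HTTP on that port)" if port in HTTP_PORTS else ""
        return (f"{name}:{port}: HTTPS is not accepted on port {port}{hint}; there is no "
                f"port translation, so the origin must serve HTTPS on 443 or another listed HTTPS port")
    if scheme == "http":
        return None if port in HTTP_PORTS else f"{name}:{port}: HTTP is not accepted on port {port}"
    # Anything that is not HTTP(S) (IPFS swarm on 4001, raw TCP checks) never reaches the origin.
    return (f"{name}:{port}: {scheme} is not HTTP(S) and cannot go through the proxy; "
            f"use DNS-only or connect by IP address")


def check_zone(records):
    """Run check_service over every proxied record and flag proxied MX targets."""
    findings = []
    proxied_hosts = {r.name for r in records if r.proxied and r.rtype != "MX"}
    for r in records:
        if r.rtype == "MX":
            if r.value in proxied_hosts:
                findings.append(f"{r.name}: MX target {r.value} is proxied; "
                                f"SMTP to it will fail, unproxy the target")
            continue
        if not r.proxied:
            continue  # DNS-only: traffic goes straight to the origin, any port works
        for port, scheme in r.services.items():
            finding = check_service(r.name, port, scheme)
            if finding:
                findings.append(finding)
    return findings


# Constructed sample zone modelled on the thread: web site, IPFS gateway, mail.
SAMPLE_ZONE = [
    Record("www.example.com", "A", "203.0.113.10", proxied=True, services={443: "https"}),
    Record("ipfs.example.com", "A", "203.0.113.10", proxied=True,
           services={8080: "https", 4001: "tcp"}),
    Record("mail.example.com", "A", "203.0.113.10", proxied=True,
           services={25: "smtp", 587: "smtp"}),
    Record("example.com", "MX", "mail.example.com"),
]

if __name__ == "__main__":
    for line in check_zone(SAMPLE_ZONE):
        print(line)
```

On the sample zone the web host passes, and the checker produces exactly the failures discussed in the thread: HTTPS to 8080 is refused because Cloudflare only speaks HTTP there, the 4001 swarm port never reaches the origin through the proxy (which is why a DNS-based port monitor fails while an IP-based one works), and the proxied mail host breaks both its own ports and the MX record that points at it. The fixes follow from the findings: put the IPFS gateway behind 443 (or another listed HTTPS port) at the origin, or have clients use plain HTTP on 8080, and keep the mail hostname DNS-only.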

Unfortunately, I previously read both of these without any additional insight.

It’s amusing, but Cloudflare was recommended to me as the “simply” reverse proxy solution for public IPFS gateways. Oh well.
