Zero Trust web app on non-standard port?

Hello, I have an application serving a web page on a random TCP port that I cannot change. Is it possible protect this app with Zero Trust “Self-Hosted” option?

Zero Trust self-hosted applications do not care about ports/cover all port options. If you specify a self-hosted app on, it will cover as well, for example.

You will need to enable proxy (:orange:) to put a self-hosted application behind Cloudflare Access though, which requires it to one of Cloudflare’s Network Ports (, or you can use an Origin Rule ( to rewrite the destination port Cloudflare connects to.

You could also use a Cloudflare Tunnel to do this, which would let you install a lightweight daemon on the server (cloudflared), which creates a secure outbound connection to Cloudflare. Tunnels can be configured to use any local port, as the service itself (cloudflared) connects locally to it, making the connection something like (Cloudflare → Secure Tunnel → cloudflared → Origin Web Server). Tunnels also have the benefit of being one click to enable JWT Validation, ensuring the user really did pass through your specific Access Application (in the Zero Trust Dash, it’s an option under Public Hostname → Additional application Settings → Access → Enable Protect with Access and select your Access application). Tunnels are great for exposing an internal resource in a secure way.

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.