侧边栏壁纸
博主头像
Wood Chen博主等级

独唱独酬,独行独坐还独卧

  • 累计撰写 233 篇文章
  • 累计创建 166 个标签
  • 累计收到 9 条评论

目 录CONTENT

文章目录

Cloudflared支持代理的端口

wood
2024-05-28 / 0 评论 / 0 点赞 / 60 阅读 / 5221 字

Network ports compatible with Cloudflare’s proxy

By default, Cloudflare proxies traffic destined for the HTTP/HTTPS ports listed below.

HTTP ports supported by Cloudflare
  • 80
  • 8080
  • 8880
  • 2052
  • 2082
  • 2086
  • 2095
HTTPS ports supported by Cloudflare
  • 443
  • 2053
  • 2083
  • 2087
  • 2096
  • 8443
Ports supported by Cloudflare, but with caching disabled
  • 2052
  • 2053
  • 2082
  • 2083
  • 2086
  • 2087
  • 2095
  • 2096
  • 8880
  • 8443

Enterprise customers that want to enable caching on these ports can do so by creating a cache rule.

How to enable Cloudflare’s proxy for additional ports

If traffic for your domain is destined for a different port than the ones listed above, for example you have an SSH server that listens for incoming connections on port 22, either:

  • Change your subdomain to be gray-clouded, via your Cloudflare DNS app, to bypass the Cloudflare network and connect directly to your origin.
  • Configure a Spectrum application for the hostname running the server. Spectrum supports all ports. Spectrum for all TCP and UDP ports is only available on the Enterprise plan. If you would like to know more about Cloudflare plans, please reach out to your Cloudflare account team.

How to block traffic on additional ports

Block traffic on ports other than 80 and 443 in Cloudflare paid plans by doing one of the following:

  • If you are using WAF managed rules (previous version), enable rule ID 100015​ (Anomaly:Port - Non Standard Port (not 80 or 443)​).
  • If you are using the new Cloudflare Web Application Firewall (WAF), enable rule ID <span class="ruleID" title="Click to copy the full ID">...664ed6fe <svg fill="currentcolor" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 16 16" class="icon-copy"><path d="M14 1.5H6l-.5.5v2.5h1v-2h7v7h-2v1H14l.5-.5V2l-.5-.5z"></path><path d="M2 5.5l-.5.5v8l.5.5h8l.5-.5V6l-.5-.5H2zm7.5 8h-7v-7h7v7z"></path></svg></span>​ (Anomaly:Port - Non Standard Port (not 80 or 443)​), which is disabled by default. This rule is part of the Cloudflare Managed Ruleset.

Ports 80 and 443 are the only ports compatible with:

Due to the nature of Cloudflare’s Anycast network, ports other than 80​ and 443​ will be open so that Cloudflare can serve traffic for other customers on these ports. Tools like Netcat will report these non-standard HTTP ports as open.

The WAF’s Cloudflare Managed Ruleset includes a rule that will block traffic at the application layer (layer 7 in the OSI modelOpen external link), preventing HTTP/HTTPS requests over non-standard ports from reaching the origin server.

Cloudflare Access does not support port numbers in URLs. Port numbers are stripped from requests for URLs protected through Cloudflare Access.

Related resources

Cloudflare DashboardOpen external link · CommunityOpen external link · Learning CenterOpen external link · Support PortalOpen external link · Cookie Preferences

Edit on GitHubOpen external link · Updated 1 month ago

0

评论区