Access timeout after Cloudflare proxy

For various reasons I use Cloudflare to proxy the services on my server, mainly to hide the server's IP address and perhaps get some acceleration out of it. But I ran into some puzzling problems.

I ran two services with Docker: one was meant to be exposed on port 8443 over HTTPS; the other ran on port 8002 over plain HTTP, with no SSL support.

After configuring DNS, accessing port 8443 over HTTPS via the domain name timed out; accessing 8002 timed out as well.
At first I thought there was a problem with the services, but after investigating I found nothing wrong; accessing them directly by IP worked normally.

I wasted a lot of time along the way asking ChatGPT, Bing and Bard; their answers were all nonsense. AI really isn't very reliable... time wasted.

Based on my understanding, since access by IP worked, the server configuration should be fine; the problem should be in the Cloudflare configuration.
Since HTTPS on 8443 timed out, the SSL/TLS configuration was the likely culprit. The documentation makes the four proxy modes easy to understand; the most commonly used are Flexible and Full.

  • When using the Flexible mode, CF will access the origin server in the same way as the visitor's request, whether it is using HTTP or HTTPS. In this case, the origin server does not need an SSL certificate;
  • When using the Full mode, CF will connect to the origin using the scheme requested by the visitor. That is, if the visitor uses http, Cloudflare will connect to the origin using plain text HTTP, and vice versa.
    This mode does not verify the origin server's SSL certificate, so self-signed certificates or certificates issued by CF can be used.

I had Flexible mode configured, which means Cloudflare accesses the origin server over HTTP, so naturally it didn't work. After switching to Full mode, I tested again and accessing 8443 worked fine.

However, this doesn't explain why port 8002 timed out. 8002 serves HTTP, yet it still couldn't be reached. Of course, after switching to Full mode, 8002 can't be accessed via HTTPS either. I tried a different domain name with Flexible mode, but still couldn't access 8002.

Finally, I found the reason in the Flexible mode explanation in the official documentation:

Flexible mode is only supported for HTTPS connections on port 443 (default port). Other ports using HTTPS will fall back to Full mode.

In other words, Flexible mode has the limitation that it only supports HTTPS connections on port 443; any other port falls back to Full mode.
So if you want to use CF's HTTPS, don't use a custom port. Changing the service port from 8002 to 80 did indeed work.

However, I don't want to serve on port 80; I still want to use HTTPS. In the end I added Nginx on the server to terminate SSL.
But access still timed out.

The situation at this point is a bit tricky:
Cloudflare is in Full mode; accessed over HTTPS, 8443 works fine while 8002 times out.
Both services now support SSL, and accessing them by IP works fine.

If both timed out, I could say the Cloudflare configuration was wrong. But IP access works, and only one of the two times out behind the Cloudflare proxy, with the same configuration and the same domain name. This is very puzzling.

Intuitively, there had to be some restriction or setting in Cloudflare. I kept asking various LLMs along the way, and according to their answers nothing was wrong. But when I pressed further, the answers were simply made up...

Later, about to give up, I decided to check the Cloudflare documentation and also searched Google. Finally I found this article in the documentation:

HTTP ports supported by Cloudflare

  • 80
  • 8080
  • 8880
  • 2052
  • 2082
  • 2086
  • 2095

HTTPS ports supported by Cloudflare

  • 443
  • 2053
  • 2083
  • 2087
  • 2096
  • 8443

When I saw this I was quite speechless. It just so happened that 8443 was on the whitelist...

So does that mean 8002 can't be used at all?
While searching I found that Rules includes Origin Rules, which can rewrite the destination port based on the hostname.
So I added a subdomain in DNS, matched it with an Origin Rule, and rewrote the port to the origin server's 8002, so the service can be accessed directly on 443.
It works.
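The final setup described above, written out as Terraform for the Cloudflare provider. This is an added example, not the author's configuration; the zone id, origin IP and the `app.example.com` hostname are placeholders.

```hcl
# Added example: the page's final setup as Cloudflare Terraform resources.
# Zone id, origin IP and hostnames below are placeholders, not the author's values.

# 1. Proxied DNS record for the subdomain (proxied = true is what hides the origin IP).
resource "cloudflare_record" "app" {
  zone_id = var.zone_id
  name    = "app"
  type    = "A"
  value   = "192.0.2.10" # placeholder origin IP
  proxied = true
}

# 2. Encryption mode "full": Cloudflare connects to the origin over HTTPS when the
#    visitor used HTTPS, but does not verify the origin certificate (as the page notes).
#    "strict" would additionally verify the origin certificate.
resource "cloudflare_zone_settings_override" "ssl_mode" {
  zone_id = var.zone_id
  settings {
    ssl = "full"
  }
}

# 3. Origin Rule: visitors reach https://app.example.com on 443 (a port Cloudflare
#    proxies), and Cloudflare forwards to port 8002 on the origin, a port the proxy
#    would otherwise never reach. The origin on 8002 must itself speak TLS in "full" mode.
resource "cloudflare_ruleset" "port_rewrite" {
  zone_id     = var.zone_id
  name        = "Rewrite origin port for app subdomain"
  description = "Route app.example.com to origin port 8002"
  kind        = "zone"
  phase       = "http_request_origin"

  rules {
    action = "route"
    action_parameters {
      origin {
        port = 8002
      }
    }
    expression  = "(http.host eq \"app.example.com\")"
    description = "app.example.com -> origin:8002"
    enabled     = true
  }
}

variable "zone_id" {
  type        = string
  description = "Placeholder: the Cloudflare zone id of example.com"
}
```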
