China Unicom Broadband Public Network IP Domain Name https:// Based on Cloudflare
For many users with a public IP address on their home broadband, setting up a personal website, blog, or various services is an exciting endeavor. However, a common pain point is that home broadband typically blocks ports 80 and 443, meaning you cannot directly provide services externally through the standard HTTP (port 80) or HTTPS (port 443) ports.
Rendering...
## Introduction
For many users with a public IP address on their home broadband, setting up a personal website, blog, or various services is an exciting endeavor. However, a common pain point is that home broadband typically blocks ports 80 and 443, meaning you cannot directly serve content to the outside world through the standard HTTP (port 80) or HTTPS (port 443) ports. Although it's possible to access services by specifying a non-standard port (e.g., `yourdomain.com:8443`), this is not only aesthetically unpleasing but also loses the "seamless" experience of HTTPS.
This article details how to cleverly utilize Cloudflare's proxy rules functionality, combined with its origin server proxy port rewriting mechanism, to achieve HTTPS domain access under a home broadband public IP. This allows your service to appear as a standard, secure `https://yourdomain.com` to users.
## The Challenge of Home Broadband Public IP: 80/443 Port Restrictions
First, to implement the solution described in this article, **having a home broadband public IP is a prerequisite**. If you are unsure whether you have a public IP, you can contact your broadband provider for consultation.
Even with a public IP, due to policies of domestic ISPs, ports 80 and 443 are typically disabled. This means:
1. **Cannot directly listen on port 80**: Users cannot directly access your service via `http://yourdomain.com`.
2. **Cannot directly listen on port 443**: Users cannot directly access your service via `https://yourdomain.com`.
The traditional solution is to have the server listen on a non-standard port, such as 8080 or 8443, and then access it via `yourdomain.com:8080` or `yourdomain.com:8443`. While this method works, it requires users to remember and input the port number, greatly diminishing the user experience and failing to meet the need for "seamless" HTTPS.
## Cloudflare's Solution: Proxy and Port Rewriting
Cloudflare, as a globally leading CDN and security service provider, offers powerful reverse proxy functionality that is key to solving this problem.
### Core Principle
Cloudflare's solution can be summarized as follows:
1. **Cloudflare as an intermediary proxy**: All user requests are first sent to Cloudflare's global network of edge nodes.
2. **Standard port listening**: Cloudflare's nodes listen on the standard port 443, handling user HTTPS requests.
3. **Origin server proxy port rewriting**: When Cloudflare forwards requests to your home broadband server, it does not attempt to connect to port 443. Instead, it connects to a **different port** you pre-specified that is not blocked by your ISP (e.g., 8443).
4. **Seamless experience**: For end users, they always access your service via `https://yourdomain.com`, unaware of the port translation happening behind the scenes.
### Cloudflare Configuration Steps
1. **Add Domain to Cloudflare**:
If you don't already have a Cloudflare account, please register and log in. Add your domain to Cloudflare and follow the prompts to change your domain's DNS nameservers to those provided by Cloudflare.
2. **Configure DNS Record and Enable Proxy**:
In the Cloudflare DNS management page, add an A record pointing your domain (e.g., `yourdomain.com` or `www.yourdomain.com`) to your home broadband public IP address. **Crucial step**: Ensure the "proxy status" icon for this DNS record is an **orange cloud** (i.e., "proxied" status). This is key to enabling port rewriting and HTTPS.
3. **Cloudflare SSL/TLS Mode Selection**:
Navigate to the "SSL/TLS" -> "Overview" page in your Cloudflare dashboard. It is recommended to select the **"Full (strict)"** mode. This means HTTPS is used between the user and Cloudflare, and also between Cloudflare and your origin server, with Cloudflare validating the authenticity of your origin server's SSL certificate.
4. **Utilize Cloudflare Origin Server Certificate (Optional but Highly Recommended)**:
On the "SSL/TLS" -> "Origin Server" page, you can generate a **Origin Server certificate** provided by Cloudflare. This certificate has a validity period of up to 15 years, significantly reducing the hassle of renewing free certificates like Let's Encrypt every three months. After generating the certificate, save its private key and certificate content; they will be used later for configuring your server (e.g., Nginx).
### Server Configuration Example: Nginx
Using Nginx as an example, your server only needs to listen on a **non-blocked** port and have SSL configured.
1. **Install Nginx**: Ensure Nginx is installed on your server.
2. **Configure SSL Certificate**: Upload the 15-year Origin Server certificate (`yourdomain.com.pem`) and private key (`yourdomain.com.key`) obtained earlier from Cloudflare to your server, for example, in the `/etc/nginx/ssl/` directory.
3. **Nginx Configuration File Example**:
```nginx
server {
# Listen on a non-standard port, e.g., 8443
listen 8443 ssl;
listen [::]:8443 ssl; # IPv6 support
server_name yourdomain.com www.yourdomain.com; # Replace with your domain
# Other configurations omitted
}
```
**Key Point**: `listen 8443 ssl;` - Nginx is listening on port 8443, not 443.
### Router Port Forwarding
Finally, you need to set up a port forwarding rule in your home router's management interface: forward TCP traffic from the **external port** (e.g., 8443) to the **internal port** (e.g., 8443) of your **server's internal IP address**.
Ensure the firewall also allows traffic on this port.
## Implementation Steps Summary
1. **Obtain Home Broadband Public IP**: Confirm that your home broadband has a public IP address.
2. **Router Port Forwarding**: Set up port forwarding on your router to forward an external custom port (e.g., 8443) to the internal custom port (e.g., 8443) of your server.
3. **Cloudflare Domain Configuration**: Add your domain to Cloudflare, configure an A record pointing to the public IP, and ensure the proxy is enabled (orange cloud).
4. **Cloudflare SSL/TLS Mode Selection**: Select the "Full (strict)" SSL/TLS mode in Cloudflare.
5. **Cloudflare Origin Server Certificate**: Generate a 15-year Origin Server certificate in Cloudflare and configure it on your server (e.g., Nginx).
6. **Nginx/Server Configuration**: Configure your web server (e.g., Nginx) to listen on your specified custom port (e.g., 8443) and use the Cloudflare Origin Server certificate for SSL.
## Advantages and Considerations
### Advantages
* **Seamless HTTPS Access**: Users can access your service via `https://yourdomain.com` without needing to enter a port number, providing an experience identical to professional servers.
* **Bypass ISP Port Restrictions**: Effectively circumvents the ISP's blocking of ports 80 and 443.
* **Cloudflare CDN Acceleration and Security**: Your service benefits from Cloudflare's global CDN acceleration, DDoS protection, WAF, and other security features.
* **15-Year Origin Server Certificate**: Eliminates the hassle of frequent SSL certificate renewals, significantly reducing maintenance overhead.
* **Simple Configuration**: On the server side, only the listening port and certificate path need modification; other configurations remain unchanged.
### Considerations
* **Public IP is a Prerequisite**: This solution relies on having a public IP provided by your home broadband.
* **Router Port Forwarding**: Ensure the router's port forwarding is configured correctly and that the firewall is not blocking traffic.
* **Real Client IP**: Due to Cloudflare's proxy, the client IP address directly received by your server will be a Cloudflare IP. If you need to obtain the real client IP, additional configuration (e.g., the `real_ip_header` module) is required on servers like Nginx.
* **Cloudflare Service Stability**: Although Cloudflare is very stable, your service will depend on Cloudflare's availability.
* **Performance Considerations**: Cloudflare's free tier has its limitations; high-traffic services may require an upgraded plan.Comments
Please login to view and post comments
Go to Login