Preface
What does "building a website with a public IP but without legal ports 80 and 443" mean? It mainly refers to two scenarios: home broadband with a public IP, and a cloud host whose domain name has not gone through ICP registration.
1. Home broadband with public IP
Currently, for home broadband with a public IP (mainly public IPv6 addresses, plus a small number of existing public IPv4 addresses), ports 80 and 443 are blocked directly at the network level. Most people are used to typing the domain name into the browser address bar and pressing Enter. Few are willing to type the full link with an explicit port number, for example: http://www.example.com:55555 or https://www.example.com:55555
(Even if someone is willing, it still feels rather uncool...). Being able to open the site by simply typing the domain name and pressing Enter presupposes that ports 80 and 443 are available. So for friends who have a public IP on home broadband and want to use it to host a website, the first problem to solve is ports 80 and 443.
A side note first. It is actually very hard to get a public IPv4 address on newly installed home broadband. According to a reply from Chengdu Telecom, the country seems to have been implementing some kind of "strong nation" policy since 2002: newly installed broadband is not allocated a public IPv4 address (unless you take a package of 399 or above and pay an extra service fee of 100 yuan per month~~~, which is frankly intimidating), but a public IPv6 address can be obtained. The existing public IPv4 addresses are basically kept by old users by default, and if those old users upgrade their packages, there is no guarantee the public IPv4 address will remain (it is said that a public IPv4 address could previously be recovered by complaining to the Ministry of Industry and Information Technology, but that may take half a month to a month, and if this really is national policy it is hard to say whether complaining will still work in future). Of course, leaving multi-dial aside, from the perspective of website building there is no difference between IPv6 and IPv4; public IPv6 addresses can in fact also be multi-dialed, but that is not yet common and the cost is relatively high. I will write a separate article about it later.
2. A cloud host, but the domain name is not registered
With a cloud host you have a fixed public IPv4 address, and ports 80 and 443 are reachable at the network layer. However, if your domain name is not registered, it is still inaccessible even after the domain is resolved to the host's fixed public IPv4 address. This is because of the registration system. In short, as long as the protocol is HTTP, whether plain http (port 80) or https (port 443), ubiquitous monitoring inspects the Host field of your HTTP request and compares the visited domain name against the whitelist of registered addresses. If it is a registered domain name you are allowed through normally; if it is an unregistered domain name, a prompt page is shown depending on which cloud provider owns the IP you resolved to. For example, if the IP belongs to a Tencent Cloud host, a prompt like the one in the screenshot is shown.
At that point your request has been redirected to this page before it ever reaches its destination. It is worth noting that this detection and interception only applies to ports 80 and 443, i.e. http and https access without an explicit port, so other ports (anything but 80 and 443) are not affected by the registration system. Of course, normal people are not willing to type a port.
The above two scenarios are probably the ones we encounter most often. So whether you want to build a website on home broadband with a public IP, or have a cloud host with a fixed public IP but do not want to register the domain name, the first priority is to solve the problem of not being able to use ports 80 and 443.
So how do we solve this? To explain it clearly, you first need to understand the concept of the CDN "origin site".
CDN origin site
Simply put, a CDN is a large distributed reverse proxy, and the "origin site" is the access URL of the real backend server that you must specify when configuring a reverse proxy. Take a reverse proxy configured in the 宝塔 (BT) Linux panel as an example:
The CDN's "origin site" is analogous to the target URL configured in the red box of the reverse proxy screenshot.
If the domain name is registered, you can use the CDN service of a domestic cloud provider. Take Tencent Cloud's CDN configuration as an example and look at the options:
You can see that Tencent Cloud's CDN offers options for origin type, origin protocol, origin address, and back-to-origin HOST. The most important point is that the origin address can be an IP or a domain name, and the port is optional, which means it can be a non-standard port (other than 80 and 443). Combined with the back-to-origin HOST that can be specified separately, this leaves a lot of room to play. For example: specify the origin as the domain name source.example.com with port number 55555, and you can point the origin directly at an organization or individual that provides a similar hosting server (such as a home broadband with a public IP); then simply configure your own website's domain name as the back-to-origin HOST on that organization's or individual's device, and it can serve as the CDN's origin (this is how my blog works, which is why I call it a home data center).
Unfortunately, Cloudflare's default DNS proxy mode cannot specify ports the way Tencent Cloud CDN can. Take the free version of Cloudflare, for example:
That is, the origin address can only be an IP and there is no port option, so only standard ports are used (80 and 443 in mainland China, with more default ports in other regions), and there is no back-to-origin HOST. In other words, there must be a site named blog.example.com on port 80 or 443 of the specified IP 43.44.45.46, unlike the back-to-origin host configured in Tencent Cloud CDN, which can be a different site name.
It is true that the back-to-origin site name cannot be written freely as in Tencent Cloud CDN (after all, Cloudflare works on DNS domain names), but are the origin ports really limited to 80 and 443? Neither of the two main scenarios above has ports 80 and 443.
In fact it can be solved, through Cloudflare's Origin Rules feature.
Origin Rules
As the screenshot above shows, the official description is: "Customize where matching traffic goes and which parameters are used. Allows host header, SNI, DNS record and destination port overrides." Note the destination port override: this is what lets you customize the origin's destination port.
Click Create Rule:
The figure above creates the simplest back-to-origin rule: when the incoming request is https (Cloudflare automatically uses https), the destination port on the origin server is changed to 55555. You can also combine conditions with "and" or "or", for example:
As shown in the figure above, after adding an "and", only requests for the host name https://www.example.com get origin port 55555, so different host names can map to different origin ports, which is more flexible. Besides host name and SSL/HTTPS there are many other fields to match on; choose according to your needs.
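The same rules expressed as code, as an added example that is not from the original post: it builds the rule objects that Cloudflare's Rulesets API accepts for the phase behind the Origin Rules UI and evaluates them offline, so you can see which origin port and Host header a request would be routed to before deploying. The endpoint path, the `route` action name and the `action_parameters` layout are assumptions of this example about the Cloudflare API; the zone id, token and the second host name are constructed placeholders.

```python
"""Cloudflare Origin Rules as code (added example; not the post's own code).

Assumptions, not stated on the page: the Rulesets API endpoint path, the
"route" action and the action_parameters layout below follow the Cloudflare
API as understood by the author of this example. Zone id and token are
placeholders; blog.example.com is a constructed second host.
"""
import json
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class OriginRule:
    host: str                           # request host the rule matches (http.host)
    port: int                           # origin destination port override
    host_header: Optional[str] = None   # optional back-to-origin Host override
    https_only: bool = True             # require TLS (Cloudflare's `ssl` field)

    def expression(self) -> str:
        """Render the filter in Cloudflare's expression language."""
        parts = [f'http.host eq "{self.host}"']
        if self.https_only:
            parts.append("ssl")
        return "(" + " and ".join(parts) + ")"

    def to_api(self) -> dict:
        """One rule object for the http_request_origin phase (assumed schema)."""
        params = {"origin": {"port": self.port}}
        if self.host_header:
            params["host_header"] = self.host_header
        return {
            "expression": self.expression(),
            "action": "route",
            "action_parameters": params,
            "description": f"origin port {self.port} for {self.host}",
        }


def entrypoint_payload(rules: List[OriginRule]) -> dict:
    """Body for PUT /zones/{zone_id}/rulesets/phases/http_request_origin/entrypoint
    (endpoint path is an assumption of this example)."""
    return {"rules": [r.to_api() for r in rules]}


def resolve_origin(rules: List[OriginRule], host: str, is_https: bool,
                   default_port: int = 443) -> Tuple[int, Optional[str]]:
    """Offline check of what the rules would do to one request.

    Simplification of this example: the first matching rule wins; Cloudflare's
    own ordering/merging of multiple matching rules is not modelled.
    Returns (origin_port, host_header); host_header is None when not overridden.
    """
    for r in rules:
        if host.lower() == r.host.lower() and (is_https or not r.https_only):
            return r.port, r.host_header
    # No rule matched: the proxied request keeps the standard port.
    return (default_port if is_https else 80), None


def push_rules(zone_id: str, api_token: str, rules: List[OriginRule]) -> dict:
    """PUT the payload to the Cloudflare API (network call; not run in the demo)."""
    import urllib.request
    url = (f"https://api.cloudflare.com/client/v4/zones/{zone_id}"
           "/rulesets/phases/http_request_origin/entrypoint")
    req = urllib.request.Request(
        url, data=json.dumps(entrypoint_payload(rules)).encode(), method="PUT",
        headers={"Authorization": f"Bearer {api_token}",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


# The article's rule (www.example.com -> port 55555 over https) plus a
# constructed second host that also overrides the back-to-origin Host header.
RULES = [
    OriginRule("www.example.com", 55555),
    OriginRule("blog.example.com", 55556, host_header="www.example.com"),
]

if __name__ == "__main__":
    print(json.dumps(entrypoint_payload(RULES), indent=2))
    for host, https in [("www.example.com", True), ("www.example.com", False),
                        ("other.example.com", True)]:
        print(host, "https" if https else "http", "->", resolve_origin(RULES, host, https))
```

Running the script prints the payload you would submit and the port each sample request lands on; `push_rules("ZONE_ID_PLACEHOLDER", "TOKEN_PLACEHOLDER", RULES)` performs the actual API call once the rules look right.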
Shortcomings
This method does solve the problem of ports 80 and 443, but it has the following two disadvantages:
1. The domain's DNS resolution must be pointed at Cloudflare
If the domain name was bought from a domestic DNS provider (such as Alibaba Cloud or Tencent Cloud), you need to point its DNS to Cloudflare and make the corresponding settings (for the specific steps, see my other article: A series of tricks to quickly access domestic sites from abroad through domestic cloud hosting for free with CloudFlare).
2. Domestic access speed depends on your luck
Because a site built on Cloudflare counts as an "overseas" website (after all, it has not gone through ICP registration), it is de-prioritized in mainland China, and access speed varies a lot from province to province. So if you really care about the domestic access experience, just register the domain properly~~.
In addition: for building a website with Cloudflare, I currently offer solutions for both with and without a public IP. Without a public IP, only a tunnel can be used (see: A series of tricks to quickly build a website using cloudflare for free at home broadband without a public IP (general purpose)). With a public IP, there is the case where legal ports 80 and 443 are available (see: A series of tricks to quickly access domestic sites from abroad through domestic cloud hosting for free with CloudFlare) and the case where they are not (the method described in this article). Of these, the tunnel works whether or not you have a public IP; it is a genuine one-stop method, the speed is not necessarily much slower, and the key point is that it is safer (after all, it is a direct path into your internal environment). So under normal circumstances I suggest using the tunnel method wherever possible, but do configure the DDoS, WAF and other security policies Cloudflare provides, because in this setup security rests entirely on Cloudflare.
Below are the access speeds of domain names set up with the different methods, tested with webmaster tools, for your reference.
Test results for the method in this article, changing the origin port and pointing the domain name at the home broadband public IP:
Test results for the domain name of a simulated home broadband website without a public IP, using a tunnel:
The two results are actually very similar. Since the results differ on every run, it is hard to say which is faster; if you have the means, you can test and compare yourself.