Solve the problem of having a public IP address but lacking valid ports 80 and 443 by using Cloudflare's Origin Rules.
This article was last updated 184 days ago. The information in it may have developed or changed. If it is invalid, please leave a message in the comment section.
Article Summary
针对家庭宽带或未备案云主机因无法使用80/443端口导致的建站难题,通过Cloudflare的Origin Rules功能实现非标准端口回源。该方案利用自定义规则指定目标端口(如55555),结合回源HOST配置,使流量绕过端口限制并指向实际服务器。尽管需依赖Cloudflare DNS解析且国内访问速度存在波动,但有效解决了端口封禁问题,尤其适用于IPv6地址或未备案场景。文章同时提及Tunnel方案作为替代,但强调当前方案在特定场景下的可行性及实际应用效果。
Qwen3-14B · 2026-06-18

Preface

What does "building a website with a public IP but without legal ports 80 and 443" mean? This mainly refers to two scenarios: home broadband with a public IP and unregistered cloud hosts.

1. Home broadband with public IP

Currently, for home broadband with public IP (mainly IPv6 public IP addresses and a small number of existing IPv4 public IP addresses), ports 80 and 443 are blocked directly at the network level. Most people are accustomed to entering the domain name in the browser address bar and then pressing Enter to access. Few people can accept the method of entering the complete link and then adding the port number to access, for example:http://www.example.com:55555orhttps://www.example.com:55555(Even if someone is willing, they will feel that it is not very cool...), and the premise for accessing it by directly entering the domain name in the browser address bar and pressing Enter is that ports 80 and 443 are available. Therefore, for friends who have a public IP at home broadband and want to use it to build a website, solving the problem of ports 80 and 443 is the first problem that needs to be solved.


Let me talk a little bit first. Actually, it is very difficult to get a public IPv4 address for a newly installed home broadband. According to the reply from Chengdu Telecom, it seems that the country has been implementing some kind of strong country policy since 2002. The public IPv4 address of the newly installed broadband is not allocated (unless you use a package of 399 or above and pay an additional service fee of 100 yuan per month~~~, I just want to ask you if you are afraid), but the public IPv6 address can be obtained. The existing public IPv4 addresses are basically reserved by old users by default, and if these old users upgrade their packages, they cannot even guarantee that the public IPv4 address will be available (it is said that the public IPv4 address can be recovered by complaining to the Ministry of Industry and Information Technology before, but it may take half a month to one month. I think if it is really a national policy, it is hard to say whether the complaint will be useful in the future). Of course, if you don’t consider multi-dial, just from the perspective of website construction, there is no difference between IPv6 and IPv4, and in fact, the public IPv6 address can also be multi-dial, but it is not popular yet and the cost of use is relatively high. I will write a separate article to talk about this later.


2. There is a cloud host but the domain name is not registered

With a cloud host, you have a fixed public IPv4 address, and ports 80 and 443 are accessible at the network layer. However, if your domain name is not registered, even if the domain name is resolved to the fixed public IPv4 address of the cloud host, it is still inaccessible. This is because of the existence of the registration system. In short, as long as it is the http protocol, whether it is http (port 80) or https (port 443), ubiquitous monitoring will check the host field of your http request, and will compare the domain name visited with the whitelist of the registered address library. If it is a registered domain name, you are allowed to access it normally; if it is an unregistered domain name, the corresponding prompt box will pop up according to the cloud provider to which the IP you resolved belongs. For example, if the IP is a host of Tencent Cloud, the following prompt will pop up:

image.png

At this time, your access request is redirected to this page before it even reaches the destination. It is worth mentioning that this detection and interception is only for ports 80 and 443, that is, http and https type access without adding ports, so if other ports (not 80 and 443) are added, they will not be affected by the filing system. Of course, normal people are not willing to add this port.

The above two scenarios are probably the ones we encounter most often. So whether you want to build a website using home broadband with a public IP or have a cloud host with a fixed public IP but don’t want to register a domain name, the first priority is to solve the problem of not being able to use ports 80 and 443.

So how do we solve this problem? To explain this clearly, we first need to understand the concept of "origin station" corresponding to CDN.

CDN source site

In simple terms, CDN is a large distributed reverse proxy, and the "origin station" is the access URL of the backend real server that needs to be specified when configuring the reverse proxy. Take the reverse proxy configured by Baota Linux panel as an example:

image.png

The "origin site" of CDN is similar to the target URL configured in the red box of the reverse proxy.

If the domain name is a registered domain name, you can use the CDN service of a domestic cloud provider. Take Tencent Cloud's CDN configuration as an example to see the options:

image.png

You can see that Tencent Cloud's CDN has optional options for source station type, source station protocol, source station address, and back-to-source HOST. The most important thing is that the source station address can be selected as IP or domain name, and the port is optional, which means it can be a non-standard port (80 and 443). Combined with the back-to-source HOST that can be specified separately later, the scope of play is very large. For example: specifying the source station as a domain namesource.example.com, the port number is 55555, and you can directly point the source site to an organization or individual that provides a similar hosting server (such as a home broadband with a public IP), and then just put your own website domain name as the back-source HOST on the device of this organization or individual and configure it correctly to use it as the source site of the CDN (this is how my blog is, which is why I call it a home data center).

Unfortunately, Cloudflare's default DNS proxy method cannot specify ports like Tencent Cloud CDN:
For example, the free version of cloudflare:

image.png

That is to say, the source site address can only be an IP, and there is no port option, that is, only standard ports (80 and 443 in mainland China, and more default ports in other regions), and no back-to-origin HOST. In other words, there must be a corresponding site named blog.example.com on port 80 or 443 of the specified IP: 43.44.45.46, unlike the back-to-origin host configured by Tencent Cloud CDN, which can be other site names.

It is true that the back-to-origin site name cannot be randomly written like Tencent Cloud CDN (after all, CloudFlare works based on DNS domain names), but are the source ports really limited to 80 and 443? The two main scenarios mentioned above do not have ports 80 and 443.

In fact, it can be solved. This can be achieved through the Origin Rules function of Cloudflare.

Origin Rules

image.png

As can be seen from the above figure, the official introduction is: "Customize the destination of matching traffic and which parameters to use. Allow host header, SNI, DNS record and destination port substitution". Pay attention to the destination port substitution, which means that the destination port of the source station can be customized.

Click Create Rule:

image.png

The figure above creates a simplest back-to-origin rule: when the incoming request is https (cloudlflare will automatically use https), the destination port of the origin server is changed to 55555. Of course, you can also add rules in the and or or way, for example:
image.png

As shown in the figure above, after adding an and, only accesshttps://www.example.comThe source port of this host name is 55555, so different host names can correspond to different source ports, which is more flexible. In addition to host name and SSL/HTTPS, there are many other options:
image.png

You can choose according to your needs.

shortcoming

This method can indeed solve the problem of port 80,443, but it has the following two disadvantages:
1. The DNS resolution of the domain name must be pointed to cloudflare
If the domain name is purchased from a domestic DNS provider (such as Alibaba Cloud or Tencent Cloud), you need to point the DNS to cloudflare and make corresponding settings (for specific steps, please refer to my other article:A series of tricks to quickly access domestic sites from abroad through domestic cloud hosting for free with CloudFlare)
2. Domestic access speed depends on your luck
Because using CloudFlare to build a website is considered an "overseas" website, after all, it has not been registered. This has negative optimization in China, and the access speed in each province is more dependent on luck. So if you care about the domestic access experience, it is better to register it honestly.

In addition: Currently using cloudflare to build a website, I provide two solutions for those with and without public IP: For those without public IP, only tunnel can be used (see:A series of tricks to quickly build a website using cloudflare for free at home broadband without a public IP (general purpose)), and the public IP has legal ports 80 and 443 (see:A series of tricks to quickly access domestic sites from abroad through domestic cloud hosting for free with CloudFlare) and no legal 80,443 ports (which is the method described in this article). Among them, tunnel can be used regardless of whether there is a public IP or not. It is a real one-stop method, and the speed is not necessarily much slower. The key is that it is safer (after all, it is considered to directly penetrate the internal environment). Therefore, under normal circumstances, I suggest using the tunnel method as much as possible, but please configure the DDOS, WAF and other security policies provided by cloudflare. After all, in this case, security can only rely on cloudflare.

Below is the access speed of domain names with different website building methods that I tested using webmaster tools, for your reference.

The test results of directly changing the source station port to point to the domain name corresponding to the home broadband public IP using the method in this article are as follows:

image.png

The test results of using tunnel to simulate the corresponding domain name of a home broadband website without a public IP:
image.png

The above two test results are actually very similar. Because the test results are different each time, it is difficult to compare which one is faster. If you have the conditions, you can also test and compare it yourself.

📌 Content Structure Hints:
This content belongs to "Cloudflare Learning MapThis is part of the document; you can view the full content path here: Cloudflare Learning Map .
View related categories · 3 matches
📎 Related Articles
Share this article
All blog content is original; please indicate the source when reprinting! The blog's RSS address is:https://blog.tangwudi.com/feed, welcome to subscribe; if necessary, you can joinTelegram GroupDiscuss the problem together.
No Comments

Send Comment Edit Comment


				
|´・ω・)ノ
ヾ(≧∇≦*)ゝ
(☆ω☆)
(╯‵□′)╯︵┴─┴
 ̄﹃ ̄
(/ω\)
∠(ᐛ 」∠)_
(๑•̀ㅁ•́ฅ)
→_→
୧(๑•̀⌄•́๑)૭
٩(ˊᗜˋ*)و
(ノ°ο°)ノ
(´இ皿இ`)
⌇●﹏●⌇
(ฅ´ω`ฅ)
(╯°A°)╯︵○○○
φ( ̄∇ ̄o)
ヾ(´・ ・`。)ノ"
( ง ᵒ̌ᵒ̌)ง⁼³₌₃
(ó﹏ò。)
Σ(っ°Д °;)っ
( ,,´・ω・)ノ"(´っω・`。)
╮(╯▽╰)╭
o(*////▽////*)q
>﹏<
( ๑´•ω•) "(ㆆᴗㆆ)
😂
😀
😅
😊
🙂
🙃
😌
😍
😘
😜
😝
😏
😒
🙄
😳
😡
😔
😫
😱
😭
💩
👻
🙌
🖕
👍
👫
👬
👭
🌚
🌝
🙈
💊
😶
🙏
🍦
🍉
😣
Source: github.com/k4yt3x/flowerhd
Emoticons
Emoji
Little Dinosaur
flower!
Previous
Next
       

👋 Welcome to "Invincible Personal Blog"“

This section will focus on long-term exploration in the following areas:

🧱 Building Personal Digital Infrastructure and Blog Systems
☁️ Cloudflare and Network Architecture Practices
🧠 Exploring AI and Knowledge Systems
🛡️ Network security and access optimization
🎵 Music and Sound Cognition
👁️ Cognitive Perspective and Worldview