Skip to content

Network ports

Learn which network ports Cloudflare proxies by default and how to enable Cloudflare’s proxy for additional ports.

Network ports compatible with Cloudflare’s proxy

By default, Cloudflare proxies traffic destined for the HTTP/HTTPS ports listed below.

HTTP ports supported by Cloudflare

  • 80
  • 8080
  • 8880
  • 2052
  • 2082
  • 2086
  • 2095

HTTPS ports supported by Cloudflare

  • 443
  • 2053
  • 2083
  • 2087
  • 2096
  • 8443

Ports supported by Cloudflare, but with caching disabled

  • 2052
  • 2053
  • 2082
  • 2083
  • 2086
  • 2087
  • 2095
  • 2096
  • 8880
  • 8443

How to enable Cloudflare’s proxy for additional ports

If traffic for your domain is destined for a different port than the ones listed above, for example you have an SSH server that listens for incoming connections on port 22, either:

  • Change your subdomain to be gray-clouded, via your Cloudflare DNS app, to bypass the Cloudflare network and connect directly to your origin.
  • Configure a Spectrum application for the hostname running the server. Spectrum supports all ports. Spectrum for all TCP and UDP ports is only available on the Enterprise plan. If you would like to know more about Cloudflare plans, please reach out to your Cloudflare account team.

How to block traffic on additional ports

Block traffic on ports other than 80 and 443 in Cloudflare paid plans by doing one of the following:

Ports 80 and 443 are the only ports compatible with:

  • HTTP/HTTPS traffic within China data centers for domains that have the China Network enabled, and
  • Proxying of Cloudflare Apps

Due to the nature of Cloudflare’s anycast network, ports other than 80 and 443 will be open so that Cloudflare can serve traffic for other customers on these ports. In general, Cloudflare makes available several different products on Cloudflare IPs, so you can expect tools like Netcat and security scanners to report these non-standard ports as open in specific conditions. If you have questions on security compliance, review Cloudflare’s certifications and compliance resources and contact your Cloudflare enterprise account manager for more information.


The WAF’s Cloudflare Managed Ruleset includes a rule that will block traffic at the application layer (layer 7 in the OSI model), preventing HTTP/HTTPS requests over non-standard ports from reaching the origin server.