How to SSH into a Cloudflare-Proxied Server Using Domain Name (When Direct IP Works)

When your SSH connection works flawlessly with the server's IP address but hangs when using the domain name (especially with Cloudflare), here's what's happening under the hood:

# Working command
ssh root@44.44.44.44

# Hanging command
ssh root@pollnote.com

The dig output reveals the core issue:

pollnote.com.       299 IN  A   104.27.165.70
pollnote.com.       299 IN  A   104.27.164.70

These are Cloudflare's proxy IPs, not your origin server's IP. Cloudflare only proxies HTTP/HTTPS traffic by default.

Key facts about Cloudflare's architecture:

  • Proxies only web traffic (ports 80/443)
  • Non-web traffic (like SSH on port 22) gets dropped
  • This is a security feature, not a bug

Option 1: Bypass Cloudflare for SSH

Create a direct DNS record that bypasses Cloudflare's proxy:

# Add an A record in your DNS settings
ssh.pollnote.com   A   44.44.44.44  (grey cloud icon in Cloudflare)

Then connect using:

ssh root@ssh.pollnote.com

Option 2: Use Cloudflare Spectrum (Enterprise Plan)

For paid plans, you can proxy non-web traffic:

1. Go to Cloudflare Dashboard → Spectrum
2. Add application:
   - Type: SSH
   - Domain: pollnote.com
   - Port: 22
   - Origin: 44.44.44.44:22

Option 3: Run SSH on a Non-Default Port

If you control the server, you can also move SSH off port 22. This still needs a DNS-only (grey cloud) record, because Cloudflare's proxy does not forward port 2222 any more than it forwards port 22:

# On your server:
sudo nano /etc/ssh/sshd_config
# Change Port 22 to Port 2222
sudo systemctl restart sshd

# Add firewall rule for 2222
sudo ufw allow 2222/tcp

# In Cloudflare DNS:
ssh.pollnote.com   A   44.44.44.44  (grey cloud)

After making changes, verify with:

dig ssh.pollnote.com +short
# Should return 44.44.44.44

telnet ssh.pollnote.com 22    # use 2222 here if you changed the port in Option 3
# Should show SSH banner

If it still hangs, work through these checks:

  • Always check DNS propagation with dig or nslookup
  • Verify server firewall rules: sudo ufw status
  • Check SSH server logs: journalctl -u ssh --no-pager -n 50
  • For Cloudflare Enterprise users, verify Spectrum application status

When you route your domain through Cloudflare, SSH connections behave differently because Cloudflare only proxies HTTP/HTTPS traffic by default. The DNS resolution shows Cloudflare's IPs (104.27.165.70 and 104.27.164.70) instead of your origin server's IP (44.44.44.44).

nslookup pollnote.com
# Returns Cloudflare IPs:
# 104.27.165.70
# 104.27.164.70

This explains why ssh root@pollnote.com hangs: it is trying to connect to Cloudflare's edge servers on port 22, which is not a port the proxy forwards to your origin.

1. Disable Proxy for SSH Subdomain

In Cloudflare DNS settings:

ssh.pollnote.com   A   44.44.44.44   (grey cloud icon - DNS only)

Then connect using:

ssh root@ssh.pollnote.com

2. Modify SSH Config File

Edit ~/.ssh/config:

Host pollnote
    HostName 44.44.44.44
    User root
    Port 22
    IdentityFile ~/.ssh/id_rsa

Now connect with a short command:

ssh pollnote

3. Cloudflare Spectrum (Enterprise Plan)

For paid users:

# In Cloudflare Dashboard:
Spectrum → Create Application
Application: SSH
Protocol: TCP
Port: 22
Origin: 44.44.44.44:22

Test connectivity:

telnet pollnote.com 22
# Should return SSH banner:
# SSH-2.0-OpenSSH_7.6p1

Hardening recommendations:

  • Always use SSH keys instead of passwords
  • Consider changing the default SSH port (this is security through obscurity: it cuts scanner noise but does not replace the other measures)
  • Implement fail2ban to block brute force attempts

# Example fail2ban jail for SSH (e.g. in /etc/fail2ban/jail.local)
[sshd]
enabled = true
port = ssh          # if you moved SSH to 2222, set port = 2222 here
filter = sshd
logpath = /var/log/auth.log
maxretry = 3

For maximum security, set up a VPN to your server's network first, then SSH to its internal (VPN-side) IP.

# OpenVPN server config example (server.conf); ca/cert/key/dh are your own PKI files
dev tun
proto udp
port 1194
ca ca.crt
cert server.crt
key server.key
dh dh.pem
server 10.8.0.0 255.255.255.0
push "route 44.44.44.0 255.255.255.0"