How to SSH into a Cloudflare-Proxied Server Using Domain Name (When Direct IP Works)


When your SSH connection works flawlessly with the server's IP address but hangs when using the domain name (especially with Cloudflare), here's what's happening under the hood:

# Working command
ssh root@44.44.44.44

# Hanging command
ssh root@pollnote.com

The dig output reveals the core issue:

pollnote.com.       299 IN  A   104.27.165.70
pollnote.com.       299 IN  A   104.27.164.70

These are Cloudflare's proxy IPs, not your origin server's IP. Cloudflare only proxies HTTP/HTTPS traffic by default.

Key facts about Cloudflare's architecture:

  • Proxies only web traffic (ports 80/443)
  • Non-web traffic (like SSH on port 22) is not forwarded to the origin, so the connection simply times out
  • This is a security feature, not a bug
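
As an added diagnostic (not part of the original article), the Python script below parses dig's answer section and flags names whose A records fall inside Cloudflare's published IPv4 ranges, so you can tell a proxied (orange cloud) record from a DNS-only (grey cloud) one before trying to SSH. The embedded range snapshot comes from https://www.cloudflare.com/ips-v4 and should be refreshed from there; the sample dig output is constructed.

```python
import ipaddress
import re
# Snapshot of Cloudflare's published IPv4 ranges (https://www.cloudflare.com/ips-v4);
# the list changes over time, so refresh it from that URL before trusting a verdict.
CLOUDFLARE_V4 = [ipaddress.ip_network(c) for c in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
)]
# One answer line of `dig <name> A`, e.g. "pollnote.com.  299 IN A 104.27.165.70"
A_RECORD = re.compile(r"^(\S+)\.\s+\d+\s+IN\s+A\s+(\d{1,3}(?:\.\d{1,3}){3})\s*$")

def parse_dig(output):
    """Return {name: [ipv4, ...]} for the A records in dig's answer section."""
    records = {}
    for line in output.splitlines():
        m = A_RECORD.match(line.strip())
        if m:
            records.setdefault(m.group(1), []).append(m.group(2))
    return records

def is_cloudflare(ip):
    """True when the address sits in a Cloudflare edge range (orange-cloud record)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUDFLARE_V4)

def classify(ips):
    """proxied: all Cloudflare edge IPs (ssh hangs); dns-only: none (grey cloud); mixed: both."""
    flags = {is_cloudflare(ip) for ip in ips}
    if flags == {True}:
        return "proxied"
    if flags == {False}:
        return "dns-only"
    return "mixed"

def ssh_verdicts(dig_output):
    """Map each name in the dig output to proxied / dns-only / mixed."""
    return {name: classify(ips) for name, ips in parse_dig(dig_output).items()}

# Constructed sample: the proxied apex from the article plus a DNS-only ssh record.
SAMPLE_DIG = """\
pollnote.com.       299 IN  A   104.27.165.70
pollnote.com.       299 IN  A   104.27.164.70
ssh.pollnote.com.   299 IN  A   44.44.44.44
"""

if __name__ == "__main__":
    for name, verdict in ssh_verdicts(SAMPLE_DIG).items():
        print(f"{name:20} {verdict}")
```

To check a live record, pipe real output in: `dig pollnote.com A | python3 cf_check.py` after replacing `SAMPLE_DIG` with `sys.stdin.read()`.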

Option 1: Bypass Cloudflare for SSH

Create a direct DNS record that bypasses Cloudflare's proxy:

# Add an A record in your DNS settings
ssh.pollnote.com   A   44.44.44.44  (grey cloud icon in Cloudflare)

Then connect using:

ssh root@ssh.pollnote.com

Option 2: Use Cloudflare Spectrum (Enterprise Plan)

For paid plans, you can proxy non-web traffic:

1. Go to Cloudflare Dashboard → Spectrum
2. Add application:
   - Type: SSH
   - Domain: pollnote.com
   - Port: 22
   - Origin: 44.44.44.44:22

Option 3: Port Forwarding Alternative

If you control the server, you can also move SSH to a non-default port. The DNS record still has to be DNS-only (grey cloud), because Cloudflare's proxy will not forward port 2222 any more than it forwards port 22:

# On your server:
sudo nano /etc/ssh/sshd_config
# Change Port 22 to Port 2222
sudo systemctl restart sshd

# Add firewall rule for 2222
sudo ufw allow 2222/tcp

# In Cloudflare DNS:
ssh.pollnote.com   A   44.44.44.44  (grey cloud)

After making changes, verify with:

dig ssh.pollnote.com +short
# Should return 44.44.44.44

telnet ssh.pollnote.com 22   # use 2222 instead if you moved the port
# Should show the SSH banner (a line starting with SSH-2.0-)

If it still hangs:

  • Always check DNS propagation with dig or nslookup
  • Verify server firewall rules: sudo ufw status
  • Check SSH server logs: journalctl -u ssh --no-pager -n 50
  • For Cloudflare Enterprise users, verify Spectrum application status

When you route your domain through Cloudflare, SSH connections behave differently because Cloudflare only proxies HTTP/HTTPS traffic by default. The DNS resolution shows Cloudflare's IPs (104.27.165.70 and 104.27.164.70) instead of your origin server's IP (44.44.44.44).

nslookup pollnote.com
# Returns Cloudflare IPs:
# 104.27.165.70
# 104.27.164.70

This explains why ssh root@pollnote.com hangs: it is trying to connect to Cloudflare's edge servers on port 22, where nothing answers.

1. Disable Proxy for SSH Subdomain

In Cloudflare DNS settings:

ssh.pollnote.com   A   44.44.44.44   (grey cloud icon - DNS only)

Then connect using:

ssh root@ssh.pollnote.com

2. Modify SSH Config File

Edit ~/.ssh/config:

Host pollnote
    HostName 44.44.44.44
    User root
    Port 22
    IdentityFile ~/.ssh/id_rsa

Now connect with the alias:

ssh pollnote

3. Cloudflare Spectrum (Enterprise Plan)

For paid users:

# In Cloudflare Dashboard:
Spectrum → Create Application
Application: SSH
Protocol: TCP
Port: 22
Origin: 44.44.44.44:22

Test connectivity:

telnet pollnote.com 22
# Should return SSH banner:
# SSH-2.0-OpenSSH_7.6p1

Hardening recommendations:

  • Always use SSH keys instead of passwords
  • Consider changing default SSH port (security through obscurity)
  • Implement fail2ban to block brute force attempts

# Example fail2ban jail for SSH (goes in /etc/fail2ban/jail.local)
[sshd]
enabled = true
# set to 2222 if you moved SSH off port 22
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 3

For maximum security, set up a VPN to your server's network first, then SSH to internal IP.

# OpenVPN server config example (server.conf)
# routed (layer 3) tunnel over UDP
dev tun
proto udp
port 1194
# address pool handed out to VPN clients
server 10.8.0.0 255.255.255.0
# send the clients' traffic for the server's network through the tunnel
push "route 44.44.44.0 255.255.255.0"