diff --git a/src/content/docs/spectrum/reference/configuration-options.mdx b/src/content/docs/spectrum/reference/configuration-options.mdx index ee7aa40d9afc6a0..ed9e9c6c78466af 100644 --- a/src/content/docs/spectrum/reference/configuration-options.mdx +++ b/src/content/docs/spectrum/reference/configuration-options.mdx @@ -2,22 +2,17 @@ pcx_content_type: reference title: Configuration options weight: 0 - --- Spectrum is a global TCP and UDP proxy running on Cloudflare's edge nodes. It does not terminate the connection in the application-layer sense. However, at Layer 4, Spectrum does terminate the TCP and UDP sockets in both directions. The L4 payloads of TCP segments and UDP datagrams are passed back and forth as-is, without modifications. :::note - - Some of these features require an Enterprise plan. If you would like to upgrade, contact your account team. - - ::: ## Application type -The application type determines the protocol by which data travels from the edge to your origin. Select *TCP/UDP* if you want to proxy directly to the origin. If you want to set up products like CDN, Workers, or Bot management, you need to select *HTTP/HTTPS*. In this case, traffic is routed through Cloudflare's pipeline instead of connecting directly to your origin. +The application type determines the protocol by which data travels from the edge to your origin. Select _TCP/UDP_ if you want to proxy directly to the origin. If you want to set up products like CDN, Workers, or Bot management, you need to select _HTTP/HTTPS_. In this case, traffic is routed through Cloudflare's pipeline instead of connecting directly to your origin. ## IP addresses 
@@ -33,10 +28,10 @@ SMTP servers may perform a series of checks on servers attempting to send messag Messages may be rejected if: -* A reverse DNS lookup on the IP address of the connecting server returns a negative response. -* The reverse DNS lookup produces a different hostname than what was sent in the SMTP `HELO`/`EHLO` message. -* The reverse DNS lookup produces a different hostname than what is advertised in your SMTP server's banner. -* The result of a reverse DNS lookup does not match a corresponding forward DNS lookup. +- A reverse DNS lookup on the IP address of the connecting server returns a negative response. +- The reverse DNS lookup produces a different hostname than what was sent in the SMTP `HELO`/`EHLO` message. +- The reverse DNS lookup produces a different hostname than what is advertised in your SMTP server's banner. +- The result of a reverse DNS lookup does not match a corresponding forward DNS lookup. Spectrum applications do not have reverse DNS entries. @@ -54,12 +49,12 @@ For direct origins: ```json { - "protocol": "tcp/1000-2000", - "dns": { - "type": "CNAME", - "name": "range.example.com" - }, - "origin_direct": ["tcp://192.0.2.1:3000-4000"] + "protocol": "tcp/1000-2000", + "dns": { + "type": "CNAME", + "name": "range.example.com" + }, + "origin_direct": ["tcp://192.0.2.1:3000-4000"] } ``` 
@@ -67,26 +62,26 @@ For DNS origins: ```json { - "protocol": "tcp/1000-2000", - "dns": { - "type": "CNAME", - "name": "range.example.com" - }, - "origin_dns": { - "name": "origin.example.com", - "ttl": 1200 - }, - "origin_port": "3000-4000" + "protocol": "tcp/1000-2000", + "dns": { + "type": "CNAME", + "name": "range.example.com" + }, + "origin_dns": { + "name": "origin.example.com", + "ttl": 1200 + }, + "origin_port": "3000-4000" } ``` The number of ports in an origin port range must match the number of ports specified in the `protocol` field. Connections to a port within a port range at the edge will be proxied to the equivalent port offset in the origin range. -For example, in the configurations above, a connection to `range.example.com:1005` would be proxied to port 3005 on the origin. +For example, in the configurations above, a connection to `range.example.com:1005` would be proxied to port `3005` on the origin. ## IP Access rules -If IP Access rules are enabled for a Spectrum application, Cloudflare will respect the IP Access rules created under **Security** > **WAF** > **Tools** for that domain. Cloudflare only respects rules created for specific IP addresses, IP blocks, countries, or ASNs for Spectrum applications. Spectrum will also only respect rules created with the actions `allow` or `block`. +If [IP Access rules](/waf/tools/ip-access-rules/create/) are enabled for a Spectrum application, Cloudflare will respect the IP Access rules configured for that domain. Cloudflare only respects rules created for specific IP addresses, IP blocks, countries, or ASNs for Spectrum applications. Spectrum will also only respect rules created with the actions `allow` or `block`. :::note Network analytics data for Spectrum does not reflect the outcomes of IP Access rules. Instead, to verify whether traffic was allowed or blocked based on these rules, consult the Spectrum event logs. 
@@ -110,7 +105,7 @@ TLS versions supported by Spectrum include TLS 1.1, TLS 1.2, and TLS 1.3. You can manage this through the Spectrum app at the Cloudflare dashboard, or using the [Spectrum API endpoint](/api/resources/spectrum/subresources/apps/methods/update/). -:::note[Note] +:::note If you have the TLS termination setting configured to **off**, this means that Spectrum will then proxy connections to the origin without decrypting. The certificate that is presented in this case will be the certificate installed at your origin server, instead of the Edge Certificate from Cloudflare. 
@@ -121,34 +116,33 @@ If you have the TLS termination setting configured to **off**, this means that S If you need to control TLS settings, like the minimum TLS version or cipher suites, you need to use an HTTPS application. For TCP applications, default settings will apply. The minimum TLS version will be 1.1 and the cipher suites are: -| OpenSSL Name | -| --------------------------------- | -|AEAD-CHACHA20-POLY1305-SHA256| -|AEAD-AES128-GCM-SHA256| -|AEAD-AES256-GCM-SHA384| -|ECDHE-RSA-CHACHA20-POLY1305| -|ECDHE-ECDSA-CHACHA20-POLY1305| -|ECDHE-RSA-AES128-GCM-SHA256| -|ECDHE-ECDSA-AES128-GCM-SHA256| -|ECDHE-RSA-AES256-GCM-SHA384| -|ECDHE-ECDSA-AES256-GCM-SHA384| -|ECDHE-RSA-AES128-SHA256| -|ECDHE-RSA-AES128-SHA| -|CDHE-ECDSA-AES128-SHA256| -|ECDHE-ECDSA-AES128-SHA| -|ECDHE-RSA-AES256-SHA| -|ECDHE-ECDSA-AES256-SHA| -|AES128-GCM-SHA256| -|AES256-GCM-SHA384| -|AES128-SHA256| -|AES128-SHA| -|AES256-SHA| -|ECDHE-RSA-DES-CBC3-SHA| -|DES-CBC3-SHA| +| OpenSSL Name | +| ----------------------------- | +| AEAD-CHACHA20-POLY1305-SHA256 | +| AEAD-AES128-GCM-SHA256 | +| AEAD-AES256-GCM-SHA384 | +| ECDHE-RSA-CHACHA20-POLY1305 | +| ECDHE-ECDSA-CHACHA20-POLY1305 | +| ECDHE-RSA-AES128-GCM-SHA256 | +| ECDHE-ECDSA-AES128-GCM-SHA256 | +| ECDHE-RSA-AES256-GCM-SHA384 | +| ECDHE-ECDSA-AES256-GCM-SHA384 | +| ECDHE-RSA-AES128-SHA256 | +| ECDHE-RSA-AES128-SHA | +| CDHE-ECDSA-AES128-SHA256 | +| ECDHE-ECDSA-AES128-SHA | +| ECDHE-RSA-AES256-SHA | +| ECDHE-ECDSA-AES256-SHA | +| AES128-GCM-SHA256 | +| AES256-GCM-SHA384 | +| AES128-SHA256 | +| AES128-SHA | +| AES256-SHA | +| ECDHE-RSA-DES-CBC3-SHA | +| DES-CBC3-SHA | ::: - ## Origin TLS Termination Below are the cipher suites Cloudflare presents to origins during an SSL/TLS handshake. For cipher suites supported at our edge or presented to browsers and other user agents, refer to [Cipher suites](/ssl/edge-certificates/additional-options/cipher-suites/). 
@@ -159,14 +153,14 @@ The cipher suites below are ordered based on how they appear in the ClientHello, | OpenSSL Name | TLS 1.1 | TLS 1.2 | TLS 1.3 | | --------------------------------- | ------- | ------- | ------- | -| AEAD-AES128-GCM-SHA256[^1] | ❌ | ❌ | ✅ | -| AEAD-AES256-GCM-SHA384[^1] | ❌ | ❌ | ✅ | -| AEAD-CHACHA20-POLY1305-SHA256[^1] | ❌ | ❌ | ✅ | -| ECDHE-ECDSA-AES128-GCM-SHA256 | ❌ | ✅ | ❌ | -| ECDHE-RSA-AES128-GCM-SHA256 | ❌ | ✅ | ❌ | -| ECDHE-RSA-AES128-SHA | ✅ | ✅ | ❌ | -| AES128-GCM-SHA256 | ❌ | ✅ | ❌ | -| AES128-SHA | ✅ | ✅ | ❌ | -| AES256-SHA | ✅ | ✅ | ❌ | +| AEAD-AES128-GCM-SHA256[^1] | ❌ | ❌ | ✅ | +| AEAD-AES256-GCM-SHA384[^1] | ❌ | ❌ | ✅ | +| AEAD-CHACHA20-POLY1305-SHA256[^1] | ❌ | ❌ | ✅ | +| ECDHE-ECDSA-AES128-GCM-SHA256 | ❌ | ✅ | ❌ | +| ECDHE-RSA-AES128-GCM-SHA256 | ❌ | ✅ | ❌ | +| ECDHE-RSA-AES128-SHA | ✅ | ✅ | ❌ | +| AES128-GCM-SHA256 | ❌ | ✅ | ❌ | +| AES128-SHA | ✅ | ✅ | ❌ | +| AES256-SHA | ✅ | ✅ | ❌ | [^1]: Although TLS 1.3 uses the same cipher suite space as previous versions of TLS, TLS 1.3 cipher suites are defined differently, only specifying the symmetric ciphers, and cannot be used for TLS 1.2. Similarly, TLS 1.2 and lower cipher suites cannot be used with TLS 1.3 ([RFC 8446](https://www.rfc-editor.org/rfc/rfc8446.html)). BoringSSL also hard-codes cipher preferences in this order for TLS 1.3. Refer to [TLS 1.3 cipher suites](/ssl/origin-configuration/cipher-suites/#tls-13-cipher-suites) for details.
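Review bot: the first hunk (`@@ -2,22 +2,17 @@`) is formatter output only: the blank line before the closing `---` of the frontmatter, the blank lines inside the `:::note` block, and `*TCP/UDP*` / `*HTTP/HTTPS*` becoming `_TCP/UDP_` / `_HTTP/HTTPS_` all render identically, so nothing in the text needs re-reading; one check is that the frontmatter still parses with the blank line removed, since `weight: 0` is now directly followed by `---`.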
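Review bot: in the `@@ -33,10 +28,10 @@` hunk the `origin_direct` JSON block is re-indented with a single whitespace character where four spaces used to be, and the bullet marker changes from `*` to `-`; the values (`tcp/1000-2000`, `range.example.com`, `tcp://192.0.2.1:3000-4000`) are unchanged, so this is fine to merge as long as the new indentation is the repository's configured tab setting and not a mix of tabs and spaces, because indentation inside an MDX code fence is rendered verbatim.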
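Review bot: in the `@@ -67,26 +62,26 @@` hunk, replacing the dashboard path **Security** > **WAF** > **Tools** with a link to `/waf/tools/ip-access-rules/create/` drops the only in-dashboard location a reader had for finding the rules; keep the path next to the link, for example `If [IP Access rules](/waf/tools/ip-access-rules/create/) (**Security** > **WAF** > **Tools**) are enabled for a Spectrum application, ...`. The `3005` in backticks and the `origin_dns` JSON re-indent in the same hunk are fine; the sentence below about Network analytics not reflecting IP Access rule outcomes is the operationally important one and is unchanged.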
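Review bot: dropping the custom title in `:::note[Note]` (hunk `@@ -110,7 +105,7 @@`) is correct, since it only repeated the default label; while touching this block, the context sentence `If you have the TLS termination setting configured to **off**, this means that Spectrum will then proxy connections to the origin without decrypting.` reads more directly as `With TLS termination set to **off**, Spectrum proxies connections to the origin without decrypting them.`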
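Review bot: `CDHE-ECDSA-AES128-SHA256` in the reformatted cipher-suite table (hunk `@@ -121,34 +116,33 @@`) is carried over from the old table and looks like a typo for `ECDHE-ECDSA-AES128-SHA256`: every other ECDHE entry comes in an RSA and an ECDSA variant, and `ECDHE-RSA-AES128-SHA256` sits right above it. Since this hunk rewrites every row anyway, fix the name here rather than in a follow-up. Also worth making explicit: the paragraph above this table says TCP applications get these defaults with no way to change them, and the defaults still include `ECDHE-RSA-DES-CBC3-SHA` and `DES-CBC3-SHA`; a one-line caveat that 3DES suites are enabled by default and that an HTTPS application is the only way to restrict them would save readers from inferring that from the table.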