Skip to content

[Spectrum] Remove old dashboard location #29717

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
pedrosousa merged 1 commit into from
Apr 9, 2026
+57 −63
Merged

[Spectrum] Remove old dashboard location #29717

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
120 changes: 57 additions & 63 deletions src/content/docs/spectrum/reference/configuration-options.mdx
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,22 +2,17 @@
pcx_content_type: reference
title: Configuration options
weight: 0

---

Spectrum is a global TCP and UDP proxy running on Cloudflare's edge nodes. It does not terminate the connection in the application-layer sense. However, at Layer 4, Spectrum does terminate the TCP and UDP sockets in both directions. The L4 payloads of TCP segments and UDP datagrams are passed back and forth as-is, without modifications.

:::note


Some of these features require an Enterprise plan. If you would like to upgrade, contact your account team.


:::

## Application type

The application type determines the protocol by which data travels from the edge to your origin. Select *TCP/UDP* if you want to proxy directly to the origin. If you want to set up products like CDN, Workers, or Bot management, you need to select *HTTP/HTTPS*. In this case, traffic is routed through Cloudflare's pipeline instead of connecting directly to your origin.
The application type determines the protocol by which data travels from the edge to your origin. Select _TCP/UDP_ if you want to proxy directly to the origin. If you want to set up products like CDN, Workers, or Bot management, you need to select _HTTP/HTTPS_. In this case, traffic is routed through Cloudflare's pipeline instead of connecting directly to your origin.

## IP addresses

Expand All @@ -33,10 +28,10 @@ SMTP servers may perform a series of checks on servers attempting to send messag

Messages may be rejected if:

* A reverse DNS lookup on the IP address of the connecting server returns a negative response.
* The reverse DNS lookup produces a different hostname than what was sent in the SMTP `HELO`/`EHLO` message.
* The reverse DNS lookup produces a different hostname than what is advertised in your SMTP server's banner.
* The result of a reverse DNS lookup does not match a corresponding forward DNS lookup.
- A reverse DNS lookup on the IP address of the connecting server returns a negative response.
- The reverse DNS lookup produces a different hostname than what was sent in the SMTP `HELO`/`EHLO` message.
- The reverse DNS lookup produces a different hostname than what is advertised in your SMTP server's banner.
- The result of a reverse DNS lookup does not match a corresponding forward DNS lookup.

Spectrum applications do not have reverse DNS entries.

Expand All @@ -54,39 +49,39 @@ For direct origins:

```json
{
"protocol": "tcp/1000-2000",
"dns": {
"type": "CNAME",
"name": "range.example.com"
},
"origin_direct": ["tcp://192.0.2.1:3000-4000"]
"protocol": "tcp/1000-2000",
"dns": {
"type": "CNAME",
"name": "range.example.com"
},
"origin_direct": ["tcp://192.0.2.1:3000-4000"]
}
```

For DNS origins:

```json
{
"protocol": "tcp/1000-2000",
"dns": {
"type": "CNAME",
"name": "range.example.com"
},
"origin_dns": {
"name": "origin.example.com",
"ttl": 1200
},
"origin_port": "3000-4000"
"protocol": "tcp/1000-2000",
"dns": {
"type": "CNAME",
"name": "range.example.com"
},
"origin_dns": {
"name": "origin.example.com",
"ttl": 1200
},
"origin_port": "3000-4000"
}
```

The number of ports in an origin port range must match the number of ports specified in the `protocol` field.
Connections to a port within a port range at the edge will be proxied to the equivalent port offset in the origin range.
For example, in the configurations above, a connection to `range.example.com:1005` would be proxied to port 3005 on the origin.
For example, in the configurations above, a connection to `range.example.com:1005` would be proxied to port `3005` on the origin.

## IP Access rules

If IP Access rules are enabled for a Spectrum application, Cloudflare will respect the IP Access rules created under **Security** > **WAF** > **Tools** for that domain. Cloudflare only respects rules created for specific IP addresses, IP blocks, countries, or ASNs for Spectrum applications. Spectrum will also only respect rules created with the actions `allow` or `block`.
If [IP Access rules](/waf/tools/ip-access-rules/create/) are enabled for a Spectrum application, Cloudflare will respect the IP Access rules configured for that domain. Cloudflare only respects rules created for specific IP addresses, IP blocks, countries, or ASNs for Spectrum applications. Spectrum will also only respect rules created with the actions `allow` or `block`.
Copy link
Copy Markdown
Contributor Author

@pedrosousa pedrosousa Apr 9, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is the actual change.


:::note
Network analytics data for Spectrum does not reflect the outcomes of IP Access rules. Instead, to verify whether traffic was allowed or blocked based on these rules, consult the Spectrum event logs.
Expand All @@ -110,7 +105,7 @@ TLS versions supported by Spectrum include TLS 1.1, TLS 1.2, and TLS 1.3.

You can manage this through the Spectrum app at the Cloudflare dashboard, or using the [Spectrum API endpoint](/api/resources/spectrum/subresources/apps/methods/update/).

:::note[Note]
:::note
Copy link
Copy Markdown
Contributor Author

@pedrosousa pedrosousa Apr 9, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

"Note" is the default title.


If you have the TLS termination setting configured to **off**, this means that Spectrum will then proxy connections to the origin without decrypting. The certificate that is presented in this case will be the certificate installed at your origin server, instead of the Edge Certificate from Cloudflare.

Expand All @@ -121,34 +116,33 @@ If you have the TLS termination setting configured to **off**, this means that S
If you need to control TLS settings, like the minimum TLS version or cipher suites, you need to use an HTTPS application.
For TCP applications, default settings will apply. The minimum TLS version will be 1.1 and the cipher suites are:

| OpenSSL Name |
| --------------------------------- |
|AEAD-CHACHA20-POLY1305-SHA256|
|AEAD-AES128-GCM-SHA256|
|AEAD-AES256-GCM-SHA384|
|ECDHE-RSA-CHACHA20-POLY1305|
|ECDHE-ECDSA-CHACHA20-POLY1305|
|ECDHE-RSA-AES128-GCM-SHA256|
|ECDHE-ECDSA-AES128-GCM-SHA256|
|ECDHE-RSA-AES256-GCM-SHA384|
|ECDHE-ECDSA-AES256-GCM-SHA384|
|ECDHE-RSA-AES128-SHA256|
|ECDHE-RSA-AES128-SHA|
|CDHE-ECDSA-AES128-SHA256|
|ECDHE-ECDSA-AES128-SHA|
|ECDHE-RSA-AES256-SHA|
|ECDHE-ECDSA-AES256-SHA|
|AES128-GCM-SHA256|
|AES256-GCM-SHA384|
|AES128-SHA256|
|AES128-SHA|
|AES256-SHA|
|ECDHE-RSA-DES-CBC3-SHA|
|DES-CBC3-SHA|
| OpenSSL Name |
| ----------------------------- |
| AEAD-CHACHA20-POLY1305-SHA256 |
| AEAD-AES128-GCM-SHA256 |
| AEAD-AES256-GCM-SHA384 |
| ECDHE-RSA-CHACHA20-POLY1305 |
| ECDHE-ECDSA-CHACHA20-POLY1305 |
| ECDHE-RSA-AES128-GCM-SHA256 |
| ECDHE-ECDSA-AES128-GCM-SHA256 |
| ECDHE-RSA-AES256-GCM-SHA384 |
| ECDHE-ECDSA-AES256-GCM-SHA384 |
| ECDHE-RSA-AES128-SHA256 |
| ECDHE-RSA-AES128-SHA |
| CDHE-ECDSA-AES128-SHA256 |
| ECDHE-ECDSA-AES128-SHA |
| ECDHE-RSA-AES256-SHA |
| ECDHE-ECDSA-AES256-SHA |
| AES128-GCM-SHA256 |
| AES256-GCM-SHA384 |
| AES128-SHA256 |
| AES128-SHA |
| AES256-SHA |
| ECDHE-RSA-DES-CBC3-SHA |
| DES-CBC3-SHA |

:::


## Origin TLS Termination

Below are the cipher suites Cloudflare presents to origins during an SSL/TLS handshake. For cipher suites supported at our edge or presented to browsers and other user agents, refer to [Cipher suites](/ssl/edge-certificates/additional-options/cipher-suites/).
Expand All @@ -159,14 +153,14 @@ The cipher suites below are ordered based on how they appear in the ClientHello,

| OpenSSL Name | TLS 1.1 | TLS 1.2 | TLS 1.3 |
| --------------------------------- | ------- | ------- | ------- |
| AEAD-AES128-GCM-SHA256[^1] | ❌ | ❌ | ✅ |
| AEAD-AES256-GCM-SHA384[^1] | ❌ | ❌ | ✅ |
| AEAD-CHACHA20-POLY1305-SHA256[^1] | ❌ | ❌ | ✅ |
| ECDHE-ECDSA-AES128-GCM-SHA256 | ❌ | ✅ | ❌ |
| ECDHE-RSA-AES128-GCM-SHA256 | ❌ | ✅ | ❌ |
| ECDHE-RSA-AES128-SHA | ✅ | ✅ | ❌ |
| AES128-GCM-SHA256 | ❌ | ✅ | ❌ |
| AES128-SHA | ✅ | ✅ | ❌ |
| AES256-SHA | ✅ | ✅ | ❌ |
| AEAD-AES128-GCM-SHA256[^1] | ❌ | ❌ | ✅ |
| AEAD-AES256-GCM-SHA384[^1] | ❌ | ❌ | ✅ |
| AEAD-CHACHA20-POLY1305-SHA256[^1] | ❌ | ❌ | ✅ |
| ECDHE-ECDSA-AES128-GCM-SHA256 | ❌ | ✅ | ❌ |
| ECDHE-RSA-AES128-GCM-SHA256 | ❌ | ✅ | ❌ |
| ECDHE-RSA-AES128-SHA | ✅ | ✅ | ❌ |
| AES128-GCM-SHA256 | ❌ | ✅ | ❌ |
| AES128-SHA | ✅ | ✅ | ❌ |
| AES256-SHA | ✅ | ✅ | ❌ |

[^1]: Although TLS 1.3 uses the same cipher suite space as previous versions of TLS, TLS 1.3 cipher suites are defined differently, only specifying the symmetric ciphers, and cannot be used for TLS 1.2. Similarly, TLS 1.2 and lower cipher suites cannot be used with TLS 1.3 ([RFC 8446](https://www.rfc-editor.org/rfc/rfc8446.html)). BoringSSL also hard-codes cipher preferences in this order for TLS 1.3. Refer to [TLS 1.3 cipher suites](/ssl/origin-configuration/cipher-suites/#tls-13-cipher-suites) for details.
Loading