---
title: Cloudflare Spectrum
description: Spectrum allows you to route MQTT, email, file transfer, version control, games, and more over TCP or UDP through Cloudflare to mask the origin and protect it from DDoS attacks.
image: https://developers.cloudflare.com/core-services-preview.png
---

# Cloudflare Spectrum

Spectrum provides security and acceleration for any [TCP ↗](https://www.cloudflare.com/learning/ddos/glossary/tcp-ip/) or [UDP ↗](https://www.cloudflare.com/learning/ddos/glossary/user-datagram-protocol-udp/) based application.

 Available on Paid plans 

Spectrum allows you to route MQTT, email, file transfer, version control, games, and more over TCP or UDP through Cloudflare to mask the origin and protect it from [DDoS attacks ↗](https://www.cloudflare.com/learning/ddos/what-is-a-ddos-attack/).

---

## Features

### Enable Proxy protocol

Use a proxy protocol for Cloudflare to pass on the client IP to your service.

[ Use Enable Proxy protocol ](https://developers.cloudflare.com/spectrum/how-to/enable-proxy-protocol/) 

### DDoS Protection for Spectrum

Learn more about what L3/4 DDoS Protection is included as part of the Spectrum service.

[ Use DDoS Protection for Spectrum ](https://developers.cloudflare.com/spectrum/about/ddos-for-spectrum/) 

---

## Related products

**[DDoS Protection](https://developers.cloudflare.com/ddos-protection/)** 

Cloudflare DDoS protection secures websites, applications, and entire networks while ensuring the performance of legitimate traffic is not compromised.

**[BYOIP](https://developers.cloudflare.com/byoip/)** 

Get Cloudflare's security and performance while using your own IPs. With Bring Your Own IP (BYOIP), Cloudflare announces your IPs in all our locations.

**[Load Balancing](https://developers.cloudflare.com/load-balancing/)** 

Cloudflare Load Balancing distributes traffic across your endpoints, which reduces endpoint strain and latency and improves the experience for end users.

**[DNS](https://developers.cloudflare.com/dns/)** 

Cloudflare's global DNS platform provides speed and resilience. DNS customers also benefit from free DNSSEC, and protection against route leaks and hijacking.

---

## More resources

[Plans](https://www.cloudflare.com/plans/) 

Compare available Cloudflare plans.

---

---
title: Protocols per plan
description: On this table, you have information about which protocols are available per plan.
image: https://developers.cloudflare.com/core-services-preview.png
---

# Protocols per plan

The following table shows which protocols are available on each plan.

|                             | Free | Pro         | Business    | Enterprise  |
| --------------------------- | ---- | ----------- | ----------- | ----------- |
| Availability                | No  | Paid add-on | Paid add-on | Yes         |
| TCP                         | No  | No          | No          | Paid add-on |
| UDP                         | No  | No          | No          | Paid add-on |
| HTTP                        | No  | No          | No          | Paid add-on |
| HTTPS                       | No  | No          | No          | Paid add-on |
| Minecraft (one app allowed) | No  | Yes         | Yes         | Yes         |
| SSH (one app allowed)       | No  | Yes         | Yes         | Yes         |
| RDP (one app allowed)       | No  | No          | Yes         | Yes         |

---

---
title: Get started
description: Spectrum is available on all paid plans. Pro and Business support selected protocols only, whereas Enterprise supports all TCP and UDP based traffic. Refer to Configuration options for more configuration details.
image: https://developers.cloudflare.com/core-services-preview.png
---

# Get started

Spectrum is available on all paid plans. Pro and Business support selected protocols only, whereas Enterprise supports all TCP and UDP based traffic. Refer to [Configuration options](https://developers.cloudflare.com/spectrum/reference/configuration-options/) for more configuration details.

To create a Spectrum application, you can use an IP address, a CNAME record, or a load balancer. Regardless of the method you use, you can create the application through the dashboard or via the [API](https://developers.cloudflare.com/api/resources/spectrum/subresources/apps/methods/list/).

Certain fields in Spectrum request and response bodies require an Enterprise plan. Refer to the [Settings by plan](https://developers.cloudflare.com/spectrum/reference/settings-by-plan/) page for more details.

## Create a Spectrum application using an IP address

When you create a Spectrum application using an IP address, Cloudflare normally assigns your application an arbitrary IP from Cloudflare’s IP pool. If you want to use your own IP addresses, you can use [BYOIP](https://developers.cloudflare.com/spectrum/about/byoip/) or a [Static IP](https://developers.cloudflare.com/spectrum/about/static-ip/). In these last two cases, you need to create your Spectrum application through the API, as these features are not available in the dashboard. When using the API, the `origin_direct` field takes the IP address as input.

Add your application via Dashboard

1. In the Cloudflare dashboard, go to the **Spectrum** page.  
[ Go to **Spectrum** ](https://dash.cloudflare.com/?to=/:account/:zone/spectrum)
2. Select **Create an Application**. If this is your first time using Spectrum, the **Create an Application** modal appears.
3. Select your **Application Type**.
4. Under **Domain**, enter the domain that will use Spectrum.
5. Under **Edge Port**, enter the port Cloudflare should use for your application.
6. Under **Origin**, enter your application's origin IP and port.
7. If your application requires the client IP and supports [Proxy Protocol ↗](https://www.haproxy.com/blog/haproxy/proxy-protocol/), enable **Proxy Protocols**. Proxy Protocol is a method for a proxy like Cloudflare to send the client IP to the origin application.
8. Select **Add**.

Add your application via API

Below is a curl example and the associated data being posted to the API.

**API example:**

Required API token permissions

At least one of the following [token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/) is required:
* `Zone Settings Write`

Create Spectrum application using a name for the origin

```bash
curl "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/spectrum/apps" \
  --request POST \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --json '{
    "protocol": "tcp/22",
    "dns": {
        "type": "CNAME",
        "name": "ssh.example.com"
    },
    "origin_direct": [
        "tcp://192.0.2.1:22"
    ],
    "proxy_protocol": "off",
    "ip_firewall": true,
    "tls": "full",
    "edge_ips": {
        "type": "dynamic",
        "connectivity": "all"
    },
    "traffic_type": "direct",
    "argo_smart_routing": true
  }'
```

**Example data:**

```json
{
  "success": true,
  "errors": [],
  "messages": [],
  "result": {
    "id": "ea95132c15732412d22c1476fa83f27a",
    "protocol": "tcp/22",
    "dns": {
      "type": "CNAME",
      "name": "ssh.example.com"
    },
    "origin_direct": ["tcp://192.0.2.1:22"],
    "proxy_protocol": "off",
    "ip_firewall": true,
    "tls": "full",
    "edge_ips": {
      "type": "dynamic",
      "connectivity": "all"
    },
    "traffic_type": "direct",
    "argo_smart_routing": true,
    "created_on": "2014-01-02T02:20:00Z",
    "modified_on": "2014-01-02T02:20:00Z"
  }
}
```

## Create a Spectrum application using a CNAME record

To create a Spectrum application using a CNAME record, you need to create a [CNAME record ↗](https://www.cloudflare.com/learning/dns/dns-records/dns-cname-record/) in your Cloudflare-hosted zone that points to your origin's hostname. This is required to resolve to your origin hostname. Refer to [Create DNS records](https://developers.cloudflare.com/dns/manage-dns-records/how-to/create-dns-records/#create-dns-records) for more information. When using a CNAME as an origin, note that Cloudflare needs to be authoritative for that zone. When using the API, the `origin_dns` field takes the CNAME record as input.

Add your application via Dashboard

1. In the Cloudflare dashboard, go to the **Spectrum** page.  
[ Go to **Spectrum** ](https://dash.cloudflare.com/?to=/:account/:zone/spectrum)
2. Select **Create an Application**. If this is your first time using Spectrum, the **Create an Application** modal appears.
3. Select your **Application Type**.
4. Under **Domain**, enter the domain that will use Spectrum.
5. Under **Edge Port**, enter the port Cloudflare should use for your application.
6. Under **Origin**, enter your `CNAME` record name.
7. Select **Add**.

Add your application via API

Below is a curl example and the associated data being posted to the API.

**API example:**

Required API token permissions

At least one of the following [token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/) is required:
* `Zone Settings Write`

Create Spectrum application using a name for the origin

```bash
curl "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/spectrum/apps" \
  --request POST \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --json '{
    "dns": {
        "type": "CNAME",
        "name": "spectrum-cname.example.com"
    },
    "ip_firewall": false,
    "protocol": "tcp/22",
    "proxy_protocol": "off",
    "tls": "off",
    "origin_dns": {
        "name": "cname-to-origin.example.com",
        "ttl": 1200
    },
    "origin_port": 22
  }'
```

**Example data:**

```json
{
  "dns": {
    "type": "CNAME",
    "name": "spectrum-cname.example.com"
  },
  "ip_firewall": false,
  "protocol": "tcp/22",
  "proxy_protocol": "off",
  "tls": "off",
  "origin_dns": {
    "name": "cname-to-origin.example.com",
    "ttl": 1200
  },
  "origin_port": 22
}
```

## Create a Spectrum application using a load balancer

To create a Spectrum application using a load balancer, you will need to generate a load balancer from the dashboard or via the API. Refer to the [Load Balancing documentation](https://developers.cloudflare.com/load-balancing/additional-options/spectrum/#1-configure-your-load-balancer) for more details.

Note

To prevent issues with DNS resolution for a Spectrum application, do not use the same Spectrum hostname as a current Load Balancing hostname.

Add your application via Dashboard

1. In the Cloudflare dashboard, go to the **Spectrum** page.  
[ Go to **Spectrum** ](https://dash.cloudflare.com/?to=/:account/:zone/spectrum)
2. Select **Create an Application**. If this is your first time using Spectrum, the **Create an Application** modal appears.
3. Select your **[Application Type](https://developers.cloudflare.com/spectrum/reference/configuration-options/#application-type)**.
4. Under **Domain**, enter the domain that will use Spectrum.
5. Under **Edge Port**, enter the port Cloudflare should use for your application.
6. Under **Origin**, select **Load Balancer**.
7. Select the load balancer you want to use from the dropdown. Disabled load balancers will not show on the **Load Balancer** menu.
8. Select **Add**.

Add your application via API

Below is a curl example and the associated data being posted to the API.

**API example:**

Required API token permissions

At least one of the following [token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/) is required:
* `Zone Settings Write`

Create Spectrum application using a name for the origin

```bash
curl "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/spectrum/apps" \
  --request POST \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --json '{
    "dns": {
        "type": "CNAME",
        "name": "spectrum-cname.example.com"
    },
    "ip_firewall": false,
    "protocol": "tcp/22",
    "proxy_protocol": "off",
    "tls": "off",
    "origin_dns": {
        "name": "cname-to-origin.example.com",
        "ttl": 1200
    },
    "origin_port": 22
  }'
```

**Example data:**

```json
{
  "dns": {
    "type": "CNAME",
    "name": "spectrum-cname.example.com"
  },
  "ip_firewall": false,
  "protocol": "tcp/22",
  "proxy_protocol": "off",
  "tls": "off",
  "origin_dns": {
    "name": "cname-to-origin.example.com",
    "ttl": 1200
  },
  "origin_port": 22
}
```

## View traffic

You can now proxy traffic through Cloudflare without additional configuration. As you run traffic through Cloudflare, you will see the last minute of traffic from **Spectrum** in the dashboard.

If you have any feedback, please [let us know ↗](https://community.cloudflare.com/c/website-application-performance/spectrum/48).

---

---
title: Glossary
description: Review the definitions for terms used across Cloudflare's Spectrum documentation.
image: https://developers.cloudflare.com/core-services-preview.png
---

# Glossary

Review the definitions for terms used across Cloudflare's Spectrum documentation.

| Term                                               | Definition                                                                                                                                                                                        |
| -------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| ACK (Acknowledge)                                  | The final step in the TCP three-way handshake, confirming the establishment of a connection.                                                                                                      |
| FTP (File Transfer Protocol)                       | A standard network protocol used for transferring files from one host to another over a TCP-based network.                                                                                        |
| FTPS (File Transfer Protocol Secure)               | An extension of FTP that adds support for the Transport Layer Security (TLS) or Secure Sockets Layer (SSL) cryptographic protocols.                                                               |
| layer 3                                            | The network layer in the OSI model, responsible for logical addressing, routing, and forwarding of data between devices on different networks.                                                    |
| layer 4                                            | The transport layer in the OSI model, managing end-to-end communication, error-checking, and flow control.                                                                                        |
| MQTT (Message Queuing Telemetry Transport)         | A lightweight, publish-subscribe messaging protocol often used for communication in the Internet of Things (IoT) and other resource-constrained scenarios.                                        |
| OSI model (Open Systems Interconnection model)     | A conceptual framework that standardizes the functions of a telecommunication or computing system into seven abstraction layers.                                                                  |
| proxy protocol                                     | A protocol used by network proxies to convey client connection information to the destination server, facilitating proper handling of client requests.                                            |
| reverse proxy                                      | A server that handles requests on behalf of clients, forwarding them to backend servers and managing tasks like load balancing and security.                                                      |
| SFTP (Secure File Transfer Protocol)               | A secure file transfer protocol that uses the Secure Socket Shell (SSH) protocol for encryption and authentication.                                                                               |
| SMTP Server (Simple Mail Transfer Protocol Server) | A server responsible for sending, receiving, and relaying email messages over a network, following the SMTP protocol.                                                                             |
| SYN (Synchronize)                                  | The initial step in establishing a TCP connection, where a device requests a connection with another by sending a SYN packet.                                                                     |
| SYN-ACK (Synchronize-Acknowledge)                  | The second step in the TCP three-way handshake, where the server responds to a SYN request with a SYN-ACK packet.                                                                                 |
| TCP (Transmission Control Protocol)                | A connection-oriented protocol in the transport layer of the Internet Protocol Suite, providing reliable and ordered delivery of data between devices.                                            |
| UDP (User Datagram Protocol)                       | A connectionless transport layer protocol that provides fast and lightweight data transmission between devices on a network, prioritizing speed over reliability.                                 |

---

---
title: BYOIP
description: When creating a Spectrum application, Cloudflare normally assigns an arbitrary IP from Cloudflare’s IP pool to your application. If you want to be explicit in your network setup or use your own IP addresses, BYOIP with Spectrum allows you to do just that.
image: https://developers.cloudflare.com/core-services-preview.png
---

# BYOIP

When creating a Spectrum application, Cloudflare normally assigns an arbitrary IP from Cloudflare’s IP pool to your application. If you want to be explicit in your network setup or use your own IP addresses, BYOIP with Spectrum allows you to do just that.

BYOIP stands for [Bring Your Own IP](https://developers.cloudflare.com/byoip/). If you own an IP prefix you can migrate it to Cloudflare. After migration, Cloudflare broadcasts your IP prefix and traffic is routed to the global Cloudflare network. However, without configuration, Cloudflare will not know how to handle this traffic. The last step is to add Spectrum applications for all applications that you wish to protect with the IP addresses you want associated with them.

Warning

When switching from non-BYOIP to BYOIP, if you are already using a Spectrum application, you need to delete your configurations and recreate new ones.

The smallest prefixes that Cloudflare currently supports are /24 for IPv4 and /48 for IPv6.

BYOIP does not come standard with Spectrum. To enable it, contact your account team.

UDP applications

Spectrum UDP applications are [not supported](https://developers.cloudflare.com/spectrum/reference/limitations/#udp) when using Spectrum with BYOIP.

## Assign an IP address

To use an IP, it must be assigned to a Spectrum app to create the appropriate A (IPv4) or AAAA (IPv6) records. This is done by specifying one or more IP addresses when creating an application through the API. Any change to the application's properties also needs to be done via API. In addition, you must update the DNS `"type"` field to `"ADDRESS"` to create a Spectrum app using BYOIP.

```json
{
  "id": "4590376cf2994d72cee36828ec4eff19",
  "protocol": "tcp/22",
  "dns": {
    "type": "ADDRESS",
    "name": "ssh.example.com"
  },
  "origin_direct": ["tcp://192.0.2.1:22"],
  "ip_firewall": true,
  "proxy_protocol": false,
  "spp": false,
  "tls": "off",
  "traffic_type": "direct",
  "edge_ips": {
    "type": "static",
    "ips": ["198.51.100.10", "2001:DB8::1"]
  }
}
```

## Example

In the example below, the application routes traffic through Cloudflare’s HTTP pipeline, including WAF, Workers and CDN functionality.

Required API token permissions

At least one of the following [token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/) is required:
* `Zone Settings Write`

Create Spectrum application using a name for the origin

```bash
curl "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/spectrum/apps" \
  --request POST \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --json '{
    "protocol": "tcp/80",
    "dns": {
        "type": "ADDRESS",
        "name": "www.example.com"
    },
    "origin_direct": [
        "tcp://192.0.2.1:80"
    ],
    "tls": "off",
    "traffic_type": "http",
    "edge_ips": {
        "type": "static",
        "ips": [
            "198.51.100.10",
            "2001:DB8::1"
        ]
    }
  }'
```
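A pre-flight check for a BYOIP request body, covering the constraints stated on this page: DNS type `ADDRESS`, static edge IPs, no UDP, and prefixes no smaller than /24 (IPv4) or /48 (IPv6). This Python is an added example, not Cloudflare's code; `lint_byoip_app`, the list of onboarded prefixes and the failing sample body are hypothetical names and constructed inputs.

```python
import ipaddress

# Longest prefix lengths accepted for BYOIP, as stated in the text above.
MAX_PREFIXLEN = {4: 24, 6: 48}

# Request body from the example above.
GOOD_APP = {
    "protocol": "tcp/80",
    "dns": {"type": "ADDRESS", "name": "www.example.com"},
    "origin_direct": ["tcp://192.0.2.1:80"],
    "tls": "off",
    "traffic_type": "http",
    "edge_ips": {"type": "static", "ips": ["198.51.100.10", "2001:DB8::1"]},
}

# Constructed body that breaks several of the page's constraints.
BAD_APP = {
    "protocol": "udp/53",
    "dns": {"type": "CNAME", "name": "dns.example.com"},
    "origin_direct": ["udp://192.0.2.1:53"],
    "edge_ips": {"type": "static", "ips": ["203.0.113.5", "198.51.100.300"]},
}

# Assumed input: the prefixes you have onboarded (documentation ranges here).
ONBOARDED = ["198.51.100.0/24", "2001:db8::/48"]


def lint_byoip_app(app, byoip_prefixes):
    """Return a list of problems found in a Spectrum BYOIP request body."""
    problems = []
    nets = []
    for prefix in byoip_prefixes:
        net = ipaddress.ip_network(prefix, strict=True)
        limit = MAX_PREFIXLEN[net.version]
        if net.prefixlen > limit:
            problems.append(f"prefix {net} is smaller than /{limit}")
        nets.append(net)

    if app.get("dns", {}).get("type") != "ADDRESS":
        problems.append('dns.type must be "ADDRESS" for a BYOIP application')

    if str(app.get("protocol", "")).lower().startswith("udp"):
        problems.append("UDP applications are not supported with BYOIP")

    edge = app.get("edge_ips", {})
    ips = edge.get("ips") or []
    if edge.get("type") != "static" or not ips:
        problems.append('edge_ips must be {"type": "static", "ips": [...]}')

    for ip in ips:
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            problems.append(f"{ip!r} is not an IP address")
            continue
        # Membership is False when the address and prefix differ in IP version.
        if not any(addr in net for net in nets):
            problems.append(f"{addr} is outside every onboarded prefix")
    return problems


if __name__ == "__main__":
    for name, app in (("GOOD_APP", GOOD_APP), ("BAD_APP", BAD_APP)):
        print(name, lint_byoip_app(app, ONBOARDED) or "ok")
```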

---

---
title: DDoS Protection for Spectrum
description: Spectrum provides DDoS Protection at layers 3-4 of the OSI model, that is against TCP and UDP based DDoS attacks.
image: https://developers.cloudflare.com/core-services-preview.png
---

# DDoS Protection for Spectrum

Spectrum provides DDoS Protection at layers 3-4 of the [OSI model ↗](https://www.cloudflare.com/learning/ddos/glossary/open-systems-interconnection-model-osi/), that is against TCP and UDP based DDoS attacks.

Spectrum works as a layer 4 reverse proxy, therefore a proper TCP connection must be first established before traffic is proxied to the origin. This moves any impact of SYN or SYN-ACK reflection attacks to the Cloudflare global network. Additionally, by using Spectrum in front of your application, your origin IP is concealed — preventing attackers from targeting your origin server directly. It is also recommended that you replace your origin IP address after moving to Cloudflare, and lock it down to only accept traffic from [Cloudflare’s IP address range ↗](https://www.cloudflare.com/ips/).
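The origin lock-down recommended above can be generated from a prefix list. The following Python is an added example, not part of Cloudflare's documentation: it validates the list and renders an nftables ruleset that admits the origin's service port only from those prefixes. The table and set names, port 22 and the sample prefixes (documentation ranges standing in for the list published on the Cloudflare IP page) are assumptions.

```python
import ipaddress

# Constructed stand-in for the list published at https://www.cloudflare.com/ips/.
# These are documentation prefixes, NOT Cloudflare's real ranges.
SAMPLE_RANGES = """\
# IPv4
198.51.100.0/24
203.0.113.0/25
203.0.113.128/25
# IPv6
2001:db8::/32
"""


def load_ranges(text):
    """Parse one CIDR per line into collapsed (IPv4, IPv6) network lists.

    Malformed entries, entries with host bits set, and very broad prefixes
    (shorter than /8) are rejected so a bad list cannot open the origin up.
    """
    v4, v6 = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            net = ipaddress.ip_network(entry, strict=True)
        except ValueError as exc:
            raise ValueError(f"line {lineno}: {exc}") from None
        if net.prefixlen < 8:
            raise ValueError(f"line {lineno}: {net} is too broad for an allowlist")
        (v4 if net.version == 4 else v6).append(net)
    if not v4 and not v6:
        raise ValueError("no prefixes found; refusing to build an empty allowlist")
    return (list(ipaddress.collapse_addresses(v4)),
            list(ipaddress.collapse_addresses(v6)))


def set_block(name, addr_type, nets):
    """Render one named nftables set; the elements clause is omitted when empty."""
    lines = [f"  set {name} {{", f"    type {addr_type}", "    flags interval"]
    if nets:  # nft rejects an empty "elements = { }" clause
        lines.append("    elements = { %s }" % ", ".join(str(n) for n in nets))
    lines.append("  }")
    return lines


def render_nft(ports, v4, v6):
    """Return a ruleset that admits the given TCP ports only from the allowlist."""
    dports = ", ".join(str(p) for p in sorted(set(ports)))
    lines = ["table inet spectrum_origin {"]
    lines += set_block("cf4", "ipv4_addr", v4)
    lines += set_block("cf6", "ipv6_addr", v6)
    lines += [
        "  chain input {",
        "    type filter hook input priority 0; policy accept;",
        f"    tcp dport {{ {dports} }} ip saddr @cf4 accept",
        f"    tcp dport {{ {dports} }} ip6 saddr @cf6 accept",
        f"    tcp dport {{ {dports} }} drop",
        "  }",
        "}",
    ]
    return "\n".join(lines) + "\n"


def is_allowed(peer, v4, v6):
    """True if a peer address (for example from an origin log) is in the allowlist."""
    addr = ipaddress.ip_address(peer)
    return any(addr in net for net in (v4 if addr.version == 4 else v6))


if __name__ == "__main__":
    nets4, nets6 = load_ranges(SAMPLE_RANGES)
    print(render_nft([22], nets4, nets6))
```

Feed it the current list from the Cloudflare IP page and regenerate the ruleset whenever that list changes.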

Random or out-of-state TCP packets should not be passed to the origin if a legitimate TCP connection has not yet been established between the client and Cloudflare. Spectrum also [leverages SYN cookie challenges as part of the Linux networking stack ↗](https://blog.cloudflare.com/syn-packet-handling-in-the-wild/) to defend against floods.

Furthermore, if a flood of packets of an unspecified protocol targets your application (for example, your Spectrum application is for TCP traffic, and a UDP flood targets your Spectrum application), the packets will be dropped. Similarly, if packets target a port or port range that you did not specify, they will also be dropped.

L3/4 DDoS attacks should be detected and mitigated by the [Network-layer DDoS Attack Protection managed ruleset](https://developers.cloudflare.com/ddos-protection/managed-rulesets/network/) that is enabled by default. This ruleset detects and mitigates DDoS attacks by dynamically fingerprinting attacks based on packet header fields.

For protecting HTTP/S applications against L7 DDoS attacks and to benefit from caching and additional features, onboard your application to Cloudflare’s Web Application Firewall/Content Delivery Network service, which works in tandem with Cloudflare Spectrum.

Refer to [Cloudflare DDoS Protection](https://developers.cloudflare.com/ddos-protection/) to learn more.

---

---
title: FTP
description: Enabling Spectrum for FTP is not straightforward due to the implementation of the protocol. This guide gives an overview of the intricacies of FTP and under which circumstances you can enable Spectrum for your FTP service.
image: https://developers.cloudflare.com/core-services-preview.png
---

# FTP

Enabling Spectrum for FTP is not straightforward due to the implementation of the protocol. This guide gives an overview of the intricacies of FTP and under which circumstances you can enable Spectrum for your FTP service.

Note

This feature requires an Enterprise plan. If you would like to upgrade, contact your account team.

## How FTP Operates

FTP leverages two different sockets, one for issuing commands and the other for actual data transfer. The control socket takes care of users logging in and sending commands, and the data socket is where directory listings and files actually get transferred.

There are two ways in which client and server can establish a data socket: active and passive. In active mode, the server connects _back_ to the client on a port that the client has specified, which can create issues where clients are behind a NAT. The alternative is passive mode, where the server opens an extra port that the client then connects to. For an overview of active versus passive FTP, refer to [Active FTP vs. Passive FTP, a Definitive Explanation ↗](http://slacksite.com/other/ftp.html).

In passive mode, the FTP server communicates a port that the client should connect to, which is done on the control socket via a PASV command. By default, the FTP server responds with the IP address that it is listening on. This scenario is fine for servers running directly on a public-facing IP but creates issues when a server is behind a NAT, firewall, or Cloudflare Spectrum.

Alternatively, more modern FTP server software supports [FTP extensions ↗](https://tools.ietf.org/html/rfc2428), which introduce the EPSV command. EPSV omits the IP address that the client should connect to. Instead, the client connects to the same IP that it connected to for the control plane.

## What Does and Does Not Work

Spectrum is able to protect servers serving FTP traffic in _passive mode only_. Active mode is not supported because the origin server sees the Spectrum IP as the client instead of the actual client IP. When the client issues a PORT command with its own IP, the FTP server rejects it because the two addresses do not match.

Passive mode in combination with EPSV works out of the box with no origin-side configuration required. Note that the client must also support EPSV for this to work. Traditional passive mode with PASV is possible with minimal origin-side configuration (refer to Protect an FTP Server with Spectrum below).

## Protect an FTP Server with Spectrum

Configuring Spectrum to protect your FTP server requires creating a set of Spectrum applications that point to your origin and some configuration on the FTP server.

### Protect the Control Port

The control plane runs on port 21 by default, and there is nothing special that needs to be done to protect this part of the FTP server. In the example below, replace 198.51.100.1 with the IP of the origin server.

![Add an application dialog with IP address and port set to 21](https://developers.cloudflare.com/_astro/ftp-control-plane-app.CCDNXmIO_Z1qUJ8V.webp) 

This configuration proxies incoming connections to the origin. However, if clients issue a PASV command, they will still receive the IP of the actual origin for the data connection. This is not preferred, as it exposes the origin's IP to the client instead of masking it behind Spectrum. Steps to prevent this are documented in the sections below.

### Protect Data Ports

Most FTP servers allow configuration of the port range that the server will use to open data connections. It is recommended to specify a port range to prevent accidentally exposing other ports on the server. For each port in the range, create a corresponding Spectrum application that maps to that port.

Additionally, the FTP server needs to be configured to expose the correct IP when the client issues a PASV command. This IP should match the IP of the Spectrum app.

Some FTP servers also allow dynamic resolving of hostnames. In this case, it is recommended to use the Spectrum app URL instead of the IP.

Example configuration for [vsftpd ↗](https://security.appspot.com/vsftpd.html):

```
pasv_min_port=20000
pasv_max_port=20020

pasv_enable=YES
pasv_address=ftp.example.com
pasv_addr_resolve=YES
pasv_promiscuous=YES
```
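The two data-port steps above, as an added Python example that is not part of Cloudflare's documentation: it reads the passive range from the vsftpd settings, builds one Spectrum request body per port, and checks a PASV reply for an exposed origin address or an unproxied port. The origin IP, the Spectrum address, the function names and the choice of request fields (taken from the curl examples on this page) are assumptions.

```python
import re

# Constructed sample inputs using documentation addresses, not real deployment data.
VSFTPD_CONF = """\
pasv_min_port=20000
pasv_max_port=20020
pasv_enable=YES
pasv_address=ftp.example.com
pasv_addr_resolve=YES
pasv_promiscuous=YES
"""
ORIGIN_IP = "192.0.2.1"            # assumed origin address
SPECTRUM_IPS = {"198.51.100.10"}   # assumed addresses ftp.example.com resolves to

# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
PASV_REPLY = re.compile(r"^227 [^(]*\((\d{1,3}(?:,\d{1,3}){5})\)")


def parse_vsftpd(conf):
    """Return key=value settings from vsftpd.conf text, skipping comments and blanks."""
    settings = {}
    for line in conf.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            settings[key] = value
    return settings


def passive_ports(settings):
    """Return the configured passive range; an unset (0) or inverted range is an error."""
    lo = int(settings.get("pasv_min_port", 0))
    hi = int(settings.get("pasv_max_port", 0))
    if not 1024 <= lo <= hi <= 65535:
        raise ValueError(f"passive range {lo}-{hi} is unset or invalid")
    return range(lo, hi + 1)


def spectrum_apps(hostname, origin_ip, ports, control_port=21):
    """Build one request body per port: the control port, then each data port."""
    return [
        {
            "protocol": f"tcp/{port}",
            "dns": {"type": "CNAME", "name": hostname},
            "origin_direct": [f"tcp://{origin_ip}:{port}"],
            "proxy_protocol": "off",
            "tls": "off",
        }
        for port in [control_port, *ports]
    ]


def parse_pasv(reply):
    """Decode a 227 reply into (address, port); the port is p1 * 256 + p2."""
    match = PASV_REPLY.match(reply.strip())
    if not match:
        raise ValueError(f"not a PASV reply: {reply!r}")
    fields = [int(n) for n in match.group(1).split(",")]
    if any(n > 255 for n in fields):
        raise ValueError(f"field out of range in PASV reply: {reply!r}")
    return ".".join(str(n) for n in fields[:4]), fields[4] * 256 + fields[5]


def check_pasv(reply, spectrum_ips, ports):
    """List what a PASV reply gets wrong for a server behind Spectrum."""
    address, port = parse_pasv(reply)
    problems = []
    if address not in spectrum_ips:
        problems.append(f"{address} is advertised instead of a Spectrum address")
    if port not in ports:
        problems.append(f"port {port} has no Spectrum application")
    return problems


if __name__ == "__main__":
    conf = parse_vsftpd(VSFTPD_CONF)
    data_ports = passive_ports(conf)
    bodies = spectrum_apps(conf["pasv_address"], ORIGIN_IP, data_ports)
    print(len(bodies), "request bodies, first:", bodies[0])
    print(check_pasv("227 Entering Passive Mode (192,0,2,1,78,32).",
                     SPECTRUM_IPS, data_ports))
```

`pasv_promiscuous=YES` disables vsftpd's check that the data connection comes from the same address as the control connection, so pair it with a firewall rule that admits the data ports only from Cloudflare's ranges.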

### Spectrum FTPS (ProFTPD) instructions

To use Spectrum TCP to proxy and protect FTPS, specifically ProFTPD, the following example configuration is recommended:

* **Control Port**: Port 21
* **Data Ports**: Port ranges 50000-50500

On the ProFTPD server side use the following example configuration:

* `MasqueradeAddress`: `www.example.com`
* `AllowForeignAddress`: You can use the option `on` to allow all IPs, but it is recommended to only allow [Cloudflare IP](https://developers.cloudflare.com/fundamentals/concepts/cloudflare-ip-addresses/#allow-cloudflare-ip-addresses).
* `PassivePorts`: `50000-50500`

For more details, refer to the [ProFTPD documentation ↗](http://www.proftpd.org/docs/modules/mod%5Fcore.html).

## SFTP

Unlike FTP or FTPS, enabling Spectrum for SFTP does not require extra configuration. When setting up a Spectrum application for SSH, select port 22 and TCP.

## Microsoft Windows IIS FTP

Refer to the [Microsoft Windows IIS documentation ↗](https://docs.microsoft.com/en-us/iis/publish/using-the-ftp-service/configuring-ftp-firewall-settings-in-iis-7#step-1-configure-the-passive-port-range-for-the-ftp-service) to configure a static data port range and external IP matching your Spectrum application.

Additionally, IIS requires that the source IP for both the FTP control and data connections is the same. However, when using Spectrum, this requirement may not be met, as both connections often terminate on different servers with their own unique egress IPs. To ensure proper functionality, also set `dataChannelSecurity/matchClientAddressForPasv = false`. Refer to [Microsoft Windows IIS FTP Official Guide ↗](https://learn.microsoft.com/en-us/iis/configuration/system.applicationhost/sites/site/ftpserver/security/datachannelsecurity) for further details.

---

---
title: Cloudflare Load Balancing
description: You can configure Spectrum with Cloudflare Load Balancing to provide TCP healthchecks, failover, and traffic steering, bringing resiliency to your Spectrum applications.
image: https://developers.cloudflare.com/core-services-preview.png
---

# Cloudflare Load Balancing

You can configure Spectrum with Cloudflare [Load Balancing](https://developers.cloudflare.com/load-balancing/) to provide TCP healthchecks, failover, and traffic steering, bringing resiliency to your Spectrum applications.

For an overview of how Cloudflare Load Balancing works refer to [Load Balancing components](https://developers.cloudflare.com/load-balancing/understand-basics/load-balancing-components/). For setup guidance refer to [Add load balancing to Spectrum applications](https://developers.cloudflare.com/load-balancing/additional-options/spectrum/).

## TCP health checks

You can configure a Cloudflare load balancer to probe any TCP port for an accepted connection, which is in addition to HTTP and HTTPS probing capabilities.

Health checks are optional within a load balancer. However, without a health check, the load balancer will distribute traffic to all endpoints in the first pool. With the health checks enabled, hosts that have gone into an error state will not receive traffic, maintaining uptime. This allows you to enable intelligent failover within a pool of hosts or amongst multiple pools.

The example below shows a TCP health check configuration for an application running on port 2408 with a refresh interval of 30 seconds. You can configure TCP health checks through the dashboard or through Cloudflare's API.

TCP health check - Dashboard example

| Field | Value |
| ----- | ----- |
| Type  | TCP   |
| Port  | 2408  |

Under **Advanced health check settings**:

| Field    | Value     |
| -------- | --------- |
| Interval | 30        |
| Timeout  | 5 seconds |
| Retries  | 2         |

TCP health check - API example

Required API token permissions

At least one of the following [token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/) is required:
* `Load Balancing: Monitors and Pools Write`

Create Monitor

```
curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/load_balancers/monitors" \
  --request POST \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --json '{
    "description": "Spectrum Health Check",
    "type": "tcp",
    "port": 2048,
    "interval": 30,
    "retries": 2,
    "timeout": 5,
    "method": "connection_established"
  }'
```

```
{
    "result": {
        "description": "TCP Monitor for Spectrum",
        "created_on": "2025-07-17T14:55:04.830009Z",
        "modified_on": "2025-07-17T14:55:04.830009Z",
        "id": "1d404721c660a8a7aaa28d68ed6d48d9",
        "type": "tcp",
        "port": 2048,
        "interval": 60,
        "retries": 2,
        "timeout": 5,
        "expected_body": "",
        "expected_codes": "",
        "follow_redirects": false,
        "allow_insecure": false,
        "probe_zone": "",
        "path": "",
        "method": "connection_established"
    },
    "success": true,
    "errors": [],
    "messages": []
}
```

## Traffic steering

All traffic steering policies are available for transport load balancing through Spectrum. Refer to the Load Balancing documentation to learn more about the available [global traffic steering](https://developers.cloudflare.com/load-balancing/understand-basics/traffic-steering/steering-policies/) and [endpoint steering](https://developers.cloudflare.com/load-balancing/understand-basics/traffic-steering/origin-level-steering/) options.

## Weights

[Endpoint weights](https://developers.cloudflare.com/load-balancing/understand-basics/traffic-steering/origin-level-steering/#weights) allow you to have endpoints with different capacity or to split traffic amongst hosts for any other reason.

Weight configured within a load balancer pool will be honored with load balancing through Spectrum.

## Requirements and limitations

* Load Balancing [session affinity](https://developers.cloudflare.com/load-balancing/understand-basics/session-affinity/), [failover across pools](https://developers.cloudflare.com/load-balancing/understand-basics/adaptive-routing/#failover-across-pools), and [custom rules](https://developers.cloudflare.com/load-balancing/additional-options/load-balancing-rules/) are not supported by Spectrum.
* UDP health checks are only available with public monitoring. TCP can be used with both public and private monitoring.
* This feature requires an Enterprise plan. If you would like to upgrade, contact your account team.

---

---
title: Static IP
description: When you create a Spectrum application, you are assigned an IP. These IPs are normally dynamic, meaning that they will change over time. But, for instance, if you want to set up WAF custom rules for specific IPs, you may want to use static IPs.
image: https://developers.cloudflare.com/core-services-preview.png
---

# Static IP

When you create a Spectrum application, you are assigned an IP. These IPs are normally dynamic, meaning that they will change over time. But, for instance, if you want to set up WAF custom rules for specific IPs, you may want to use static IPs.

A static IP, like a physical street address, can tell other computers or servers on the Internet where a specific computer is located or connected. This makes the device easier to find on the network, since the IP will not change.

With static IPs, Cloudflare commits to never changing the IP address of a client's domain resolved at the Cloudflare global network. For example, `www.example.com` will always resolve and accept traffic sent to `198.51.100.10`. No other customer will be hosted on that IP.

Importantly, the static IP is associated with the DNS name, not with each individual Spectrum application. This means that all Spectrum apps using the same hostname will share the same static IP.

## Use static IPs with Spectrum

Availability

Static IP is an Enterprise feature that does not come standard with Spectrum. Contact your account team to request access.

Once you get your static IP from Cloudflare, you can use it via API, just like [BYOIP](https://developers.cloudflare.com/byoip/). For the moment, there is still no UI available for this feature.

When creating a Spectrum application through the API, specify the static IPs that you have been provided. See, for instance, the API example below that creates an application routing traffic through Cloudflare’s HTTP pipeline.

Required API token permissions

At least one of the following [token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/) is required:
* `Zone Settings Write`

Create Spectrum application using a name for the origin

```
curl "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/spectrum/apps" \
  --request POST \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --json '{
    "protocol": "tcp/80",
    "dns": {
        "type": "ADDRESS",
        "name": "www.example.com"
    },
    "origin_direct": [
        "tcp://192.0.2.1:80"
    ],
    "tls": "off",
    "traffic_type": "http",
    "edge_ips": {
        "type": "static",
        "ips": [
            "198.51.100.10",
            "2001:DB8::1"
        ]
    }
  }'
```

## Check your static IPs

You can find your leased static IPs for Spectrum on the dashboard under [**Address space** \> **Leased IPs** ↗](https://dash.cloudflare.com/?to=/:account/ip-addresses/address-space).

---

---
title: Enable Proxy protocol
description: Because Cloudflare intercepts packets before forwarding them to your server, if you were to look up the client IP, you would see Cloudflare's IP rather than the true client IP.
image: https://developers.cloudflare.com/core-services-preview.png
---

# Enable Proxy protocol

Because Cloudflare intercepts packets before forwarding them to your server, if you were to look up the client IP, you would see Cloudflare's IP rather than the true client IP.

Some services you run may require knowledge of the true client IP. In those cases, you can use a proxy protocol for Cloudflare to pass on the client IP to your service. Sending proxy information along is dependent on whether TCP or UDP is used. For TCP, Spectrum supports adding [Proxy Protocol v1 ↗](https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt), which is the human readable version supported by Amazon ELB and [NGINX ↗](https://docs.nginx.com/nginx/admin-guide/load-balancer/using-proxy-protocol/). For UDP applications, Cloudflare has developed a custom proxy protocol called Simple Proxy Protocol. Be aware that Proxy Protocol is not supported for Spectrum egresses to Cloudflare WAN (formerly Magic WAN).

Note

This feature requires an Enterprise plan. If you would like to upgrade, contact your account team.

## Enable Proxy Protocol v1 for TCP

1. In the Cloudflare dashboard, go to the **Spectrum** page.  
[ Go to **Spectrum** ](https://dash.cloudflare.com/?to=/:account/:zone/spectrum)
2. Locate the application that will use the PROXY protocol and select **Configure**.
3. From the dropdown, select **PROXY Protocol v1**.

When TCP applications are configured to use **PROXY Protocol v1**, Cloudflare will prepend each inbound TCP connection with the PROXY Protocol plain-text header.

### The Proxy Protocol v1 Header

PROXY Protocol prepends every connection with a header reporting the client IP address and port. A PROXY Protocol plain-text header has the format:

```
PROXY_STRING + single space + INET_PROTOCOL + single space + CLIENT_IP + single space + PROXY_IP + single space + CLIENT_PORT + single space + PROXY_PORT + "\r\n"
```

An example PROXY Protocol line for an IPv4 address would look like:

```
PROXY TCP4 192.0.2.0 192.0.2.255 42300 443\r\n
```

An example PROXY Protocol line for an IPv6 address would look like:

```
PROXY TCP6 2001:db8:: 2001:db8:ffff:ffff:ffff:ffff:ffff:ffff 42300 443\r\n
```

## Enable Proxy Protocol v2 for TCP/UDP

1. In the Cloudflare dashboard, go to the **Spectrum** page.  
[ Go to **Spectrum** ](https://dash.cloudflare.com/?to=/:account/:zone/spectrum)
2. Locate the application that will use the PROXY protocol and select **Configure**.
3. From the dropdown, select **PROXY Protocol v2**.

When TCP applications are configured to use **PROXY Protocol v2**, Cloudflare will prepend each inbound TCP connection with the PROXY Protocol binary header.

When UDP applications are configured to use **PROXY Protocol v2**, Cloudflare will prepend the first UDP datagram on a stream with a PROXY Protocol binary header.

### The Proxy Protocol v2 Header

PROXY Protocol prepends every connection with a header reporting the client IP address and port.

A PROXY Protocol binary header for an IPv4 incoming address has the format:

```
 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                                                               |
+                                                               +
|                  Proxy Protocol v2 Signature                  |
+                                                               +
|                                                               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|Version|Command|   AF  | Proto.|         Address Length        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                      IPv4 Source Address                      |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                    IPv4 Destination Address                   |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|          Source Port          |        Destination Port       |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
```

A PROXY Protocol binary header for an IPv6 incoming address has the format:

```
 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                                                               |
+                                                               +
|                  Proxy Protocol v2 Signature                  |
+                                                               +
|                                                               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|Version|Command|   AF  | Proto.|         Address Length        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                                                               |
+                                                               +
|                                                               |
+                      IPv6 Source Address                      +
|                                                               |
+                                                               +
|                                                               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                                                               |
+                                                               +
|                                                               |
+                    IPv6 Destination Address                   +
|                                                               |
+                                                               +
|                                                               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|          Source Port          |        Destination Port       |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
```
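An origin service has to strip and validate this header before it reads application data, and should accept it only from the proxy, since any peer that can reach the origin directly can send a header of its own. The parser below covers both the v1 text header and the v2 binary header described above; it is an added example, not Cloudflare's code. `TRUSTED_PROXIES` is a constructed placeholder, the function and class names are hypothetical, and the v2 signature bytes and the 107-byte v1 limit come from the PROXY protocol specification.

```python
import ipaddress
import struct
from typing import NamedTuple

V2_SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"  # fixed 12-byte v2 signature (PROXY protocol spec)
V1_MAX_LEN = 107                           # longest valid v1 line, CRLF included (spec)

# Placeholder for the proxy's egress ranges (constructed, not Cloudflare's real list).
TRUSTED_PROXIES = [ipaddress.ip_network("203.0.113.0/24")]


class ProxyInfo(NamedTuple):
    client_ip: str
    client_port: int
    proxy_ip: str
    proxy_port: int
    header_len: int  # bytes to strip before handing the stream to the application


class ProxyHeaderError(ValueError):
    pass


def _port(text):
    # Decimal digits only, no leading zeros, within the 16-bit range.
    if not text.isdigit() or str(int(text)) != text or int(text) > 65535:
        raise ProxyHeaderError(f"bad port {text!r}")
    return int(text)


def parse_v1(buf):
    end = buf.find(b"\r\n", 0, V1_MAX_LEN)
    if end == -1:
        raise ProxyHeaderError("no CRLF within the v1 length limit")
    try:
        fields = buf[:end].decode("ascii").split(" ")
    except UnicodeDecodeError:
        raise ProxyHeaderError("non-ASCII v1 header") from None
    # "UNKNOWN" (allowed by the spec) is rejected: it carries no client address.
    if len(fields) != 6 or fields[0] != "PROXY" or fields[1] not in ("TCP4", "TCP6"):
        raise ProxyHeaderError("malformed v1 header")
    addr_cls = ipaddress.IPv4Address if fields[1] == "TCP4" else ipaddress.IPv6Address
    try:
        client, proxy = addr_cls(fields[2]), addr_cls(fields[3])
    except ValueError:
        raise ProxyHeaderError("address does not match INET_PROTOCOL") from None
    return ProxyInfo(str(client), _port(fields[4]), str(proxy), _port(fields[5]), end + 2)


def parse_v2(buf):
    if len(buf) < 16 or buf[:12] != V2_SIGNATURE:
        raise ProxyHeaderError("missing v2 signature")
    ver_cmd, fam_proto, addr_len = struct.unpack("!BBH", buf[12:16])
    if ver_cmd != 0x21:  # version 2, command PROXY (LOCAL carries no client address)
        raise ProxyHeaderError("unsupported version/command")
    sizes = {0x1: (4, ipaddress.IPv4Address), 0x2: (16, ipaddress.IPv6Address)}
    if fam_proto >> 4 not in sizes:
        raise ProxyHeaderError("unsupported address family")
    n, addr_cls = sizes[fam_proto >> 4]
    if addr_len < 2 * n + 4 or len(buf) < 16 + addr_len:
        raise ProxyHeaderError("address block truncated")
    client, proxy = addr_cls(buf[16:16 + n]), addr_cls(buf[16 + n:16 + 2 * n])
    cport, pport = struct.unpack("!HH", buf[16 + 2 * n:16 + 2 * n + 4])
    return ProxyInfo(str(client), cport, str(proxy), pport, 16 + addr_len)


def read_proxy_header(buf, peer_ip):
    """Parse the header only when the connecting peer is a trusted proxy."""
    if not any(ipaddress.ip_address(peer_ip) in net for net in TRUSTED_PROXIES):
        raise ProxyHeaderError("peer is not a trusted proxy; header ignored")
    return parse_v2(buf) if buf.startswith(V2_SIGNATURE) else parse_v1(buf)


# Constructed samples: the page's IPv4 example values, followed by payload bytes.
SAMPLE_V1 = b"PROXY TCP4 192.0.2.0 192.0.2.255 42300 443\r\nEHLO client.example\r\n"
SAMPLE_V2 = (V2_SIGNATURE + bytes([0x21, 0x11]) + struct.pack("!H", 12)
             + ipaddress.IPv4Address("192.0.2.0").packed
             + ipaddress.IPv4Address("192.0.2.255").packed
             + struct.pack("!HH", 42300, 443) + b"payload")

if __name__ == "__main__":
    for sample in (SAMPLE_V1, SAMPLE_V2):
        info = read_proxy_header(sample, "203.0.113.7")
        print(info, sample[info.header_len:])
```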

## Enable Simple Proxy Protocol for UDP

When using Spectrum for UDP, the client source IP and port information can be obtained by using Simple Proxy Protocol, a lightweight protocol developed specifically for UDP.

To enable it, select **Configure** on a Spectrum application and toggle the setting for Simple Proxy Protocol to **On**.

Simple Proxy Protocol dictates that your origin must also prepend packets meant for the client with the same header, including original client source information. This is done to validate that packets coming in are in fact intended for the client.

For more information about Simple Proxy Protocol headers, refer to [Simple Proxy Protocol headers](https://developers.cloudflare.com/spectrum/reference/simple-proxy-protocol-header/).

---

---
title: Analytics
description: Cloudflare measures the following metrics for every connection.
image: https://developers.cloudflare.com/core-services-preview.png
---

# Analytics

Cloudflare measures the following metrics for every connection.

| Metric         | Name                                | Example | Unit                 |
| -------------- | ----------------------------------- | ------- | -------------------- |
| count          | Count of total events               | 1000    | Count                |
| bytesIngress   | Sum of ingress bytes                | 1000    | Sum                  |
| bytesEgress    | Sum of egress bytes                 | 1000    | Sum                  |
| durationAvg    | Average connection duration         | 1.0     | Time in milliseconds |
| durationMedian | Median connection duration          | 1.0     | Time in milliseconds |
| duration90th   | 90th percentile connection duration | 1.0     | Time in milliseconds |
| duration99th   | 99th percentile connection duration | 1.0     | Time in milliseconds |

## Additional dimensions

You can divide your analytics further by the following dimensions.

| Dimension | Name                          | Example                                                    |
| --------- | ----------------------------- | ---------------------------------------------------------- |
| event     | Connection Event              | connect, progress, disconnect, originError, clientFiltered |
| appID     | Application ID                | 40d67c87c6cd4b889a4fd57805225e85                           |
| coloName  | Colo Name                     | SFO                                                        |
| ipVersion | IP version used by the client | 4, 6                                                       |

## Operators for filtering

Use the operators below to filter data.

| Operator | Name                     | URL Encoded |
| -------- | ------------------------ | ----------- |
| \==      | Equals                   | %3D%3D      |
| !=       | Does not equal           | !%3D        |
| \>       | Greater Than             | %3E         |
| <        | Less Than                | %3C         |
| \>=      | Greater than or equal to | %3E%3D      |
| <=       | Less than or equal to    | %3C%3D      |

Combine filters using `OR` and `AND` boolean logic:

* `AND` takes precedence over `OR` in all expressions.
* The `OR` operator is defined using a comma `,` or the `OR` keyword surrounded by whitespace.
* The `AND` operator is defined using a semicolon `;` or the `AND` keyword surrounded by whitespace.  
Note  
Note that the semicolon is a reserved character in URLs ([RFC 1738 ↗](https://www.rfc-editor.org/rfc/rfc1738)) and should be percent-encoded as `%3B`.

## Analytics request structure

```
/api/v4/zones/{zone_id}/spectrum/analytics/events/summary?metrics=METRICS&dimensions=DIMENSIONS&filters=FILTERS&since=FROM_TS&sort=SORT&until=TO_TS&limit=LIMIT
/api/v4/zones/{zone_id}/spectrum/analytics/events/bytime?metrics=METRICS&dimensions=DIMENSIONS&filters=FILTERS&since=FROM_TS&sort=SORT&until=TO_TS&limit=LIMIT
```

* METRICS is one or more metrics (such as count) to compute
* DIMENSIONS can be used to break down the data by given attributes
* FILTERS is used to filter rows by one or more dimensions (see Operators for filtering above)
* SORT is the sort order for the result set; sort fields must be included in METRICS or DIMENSIONS
* TO\_TS is the end of the time interval to query, defaults to current time
* FROM\_TS is the start of the time interval to query, defaults to TO\_TS - 6 hours
* STEP is used to select time series resolution when using endpoint:
   * auto or omitted - selects time step most appropriate to time interval
   * year
   * quarter
   * month
   * week
   * day
   * hour

## Analytics query example

Required API token permissions

At least one of the following [token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/) is required:
* `Analytics Read`

Get analytics summary

```
curl "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/spectrum/analytics/events/summary" \
  --request GET \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

Refer to the [Spectrum API documentation](https://developers.cloudflare.com/api/resources/spectrum/subresources/analytics/subresources/aggregates/subresources/currents/methods/get/) for more examples of API requests.

---

---
title: Configuration options
description: Spectrum is a global TCP and UDP proxy running on Cloudflare's edge nodes. It does not terminate the connection in the application-layer sense. However, at Layer 4, Spectrum does terminate the TCP and UDP sockets in both directions. The L4 payloads of TCP segments and UDP datagrams are passed back and forth as-is, without modifications.
image: https://developers.cloudflare.com/core-services-preview.png
---

# Configuration options

Spectrum is a global TCP and UDP proxy running on Cloudflare's edge nodes. It does not terminate the connection in the application-layer sense. However, at Layer 4, Spectrum does terminate the TCP and UDP sockets in both directions. The L4 payloads of TCP segments and UDP datagrams are passed back and forth as-is, without modifications.

Note

Some of these features require an Enterprise plan. If you would like to upgrade, contact your account team.

## Application type

The application type determines the protocol by which data travels from the edge to your origin. Select _TCP/UDP_ if you want to proxy directly to the origin. If you want to set up products like CDN, Workers, or Bot management, you need to select _HTTP/HTTPS_. In this case, traffic is routed through Cloudflare's pipeline instead of connecting directly to your origin.

## IP addresses

When a Spectrum application is created, it is assigned a unique IPv4 and IPv6 address, or you can provision the application to be IPv6 only. The addresses are not static, and they may change over time. The best way to look up the current addresses is by using DNS. The DNS name of the Spectrum application will always return the IPs currently dedicated to the application.

The addresses are anycasted from all Cloudflare data centers, with the exception of data centers in China.

## SMTP

Spectrum can act as a TCP load balancer in front of an SMTP server but will not act as an intermediary mail server. Instead, Spectrum passes data through to your origin. The client IP shown on mail will be the Cloudflare edge IP. If the mail server requires knowing the true client IP, it should use Proxy Protocol to get the source IP from Cloudflare. Cloudflare recommends enabling Proxy Protocol on applications configured to proxy SMTP.

SMTP servers may perform a series of checks on servers attempting to send messages through them. These checks are intended to filter requests from illegitimate servers.

Messages may be rejected if:

* A reverse DNS lookup on the IP address of the connecting server returns a negative response.
* The reverse DNS lookup produces a different hostname than what was sent in the SMTP `HELO`/`EHLO` message.
* The reverse DNS lookup produces a different hostname than what is advertised in your SMTP server's banner.
* The result of a reverse DNS lookup does not match a corresponding forward DNS lookup.

Spectrum applications do not have reverse DNS entries.

Additionally, SMTP servers may perform a DNS lookup to find the MX records for a domain. Messages from your server may be rejected if an MX record for your domain is associated with a Spectrum application, as the IP address of the server will not match the Spectrum IP address.

## Ports

Cloudflare supports all TCP ports.

## Port ranges

Spectrum applications can be configured to proxy traffic on ranges of ports.

For direct origins:

```
{
  "protocol": "tcp/1000-2000",
  "dns": {
    "type": "CNAME",
    "name": "range.example.com"
  },
  "origin_direct": ["tcp://192.0.2.1:3000-4000"]
}
```

For DNS origins:

```
{
  "protocol": "tcp/1000-2000",
  "dns": {
    "type": "CNAME",
    "name": "range.example.com"
  },
  "origin_dns": {
    "name": "origin.example.com",
    "ttl": 1200
  },
  "origin_port": "3000-4000"
}
```

The number of ports in an origin port range must match the number of ports specified in the `protocol` field. Connections to a port within a port range at the edge will be proxied to the equivalent port offset in the origin range. For example, in the configurations above, a connection to `range.example.com:1005` would be proxied to port 3005 on the origin.
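The range rule above can be checked before an application is created, and the same mapping tells you which origin ports the host firewall has to accept. This is an added example, not Cloudflare's code: the function names are hypothetical, the first two request bodies are the ones shown above, and `MISMATCHED_APP` is constructed to show the failure case.

```python
def parse_range(text):
    """'1000-2000' -> (1000, 2000); a single port '80' -> (80, 80)."""
    lo, _, hi = text.partition("-")
    lo, hi = int(lo), int(hi or lo)
    if not 1 <= lo <= hi <= 65535:
        raise ValueError(f"invalid port range {text!r}")
    return lo, hi


def port_ranges(app):
    """Return (edge_range, origin_range) for an app body, enforcing equal sizes."""
    edge = parse_range(app["protocol"].split("/", 1)[1])
    if "origin_direct" in app:
        # The port part follows the last colon, which also holds for [IPv6]:port.
        origin = parse_range(app["origin_direct"][0].rsplit(":", 1)[1])
    else:
        origin = parse_range(str(app["origin_port"]))
    if edge[1] - edge[0] != origin[1] - origin[0]:
        raise ValueError(
            f"edge range {edge} and origin range {origin} differ in size"
        )
    return edge, origin


def origin_port_for(app, edge_port):
    """Origin port that a connection to edge_port is proxied to (same offset)."""
    edge, origin = port_ranges(app)
    if not edge[0] <= edge_port <= edge[1]:
        raise ValueError(f"port {edge_port} is not served by this application")
    return origin[0] + (edge_port - edge[0])


DIRECT_APP = {
    "protocol": "tcp/1000-2000",
    "dns": {"type": "CNAME", "name": "range.example.com"},
    "origin_direct": ["tcp://192.0.2.1:3000-4000"],
}
DNS_APP = {
    "protocol": "tcp/1000-2000",
    "dns": {"type": "CNAME", "name": "range.example.com"},
    "origin_dns": {"name": "origin.example.com", "ttl": 1200},
    "origin_port": "3000-4000",
}
# Constructed: 1001 edge ports but only 501 origin ports.
MISMATCHED_APP = dict(DIRECT_APP, origin_direct=["tcp://192.0.2.1:3000-3500"])

if __name__ == "__main__":
    print(origin_port_for(DIRECT_APP, 1005))
    print(port_ranges(DNS_APP))
```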

## IP Access rules

If IP Access rules are enabled for a Spectrum application, Cloudflare will respect the IP Access rules created under **Security** \> **WAF** \> **Tools** for that domain. Cloudflare only respects rules created for specific IP addresses, IP blocks, countries, or ASNs for Spectrum applications. Spectrum will also only respect rules created with the actions `allow` or `block`.

Note

Network analytics data for Spectrum does not reflect the outcomes of IP Access rules. Instead, to verify whether traffic was allowed or blocked based on these rules, consult the Spectrum event logs.

## Argo Smart Routing

Once Argo Smart Routing is enabled for your application, traffic will automatically be routed through the fastest and most reliable network path available. Argo Smart Routing is available for TCP and UDP (beta) applications.

## Edge TLS Termination

If you enable **Edge TLS Termination** for a Spectrum application, Cloudflare will encrypt traffic for the application at the Edge. The Edge TLS Termination toggle applies only to TCP applications.

Spectrum offers three modes of TLS termination: 'Flexible', 'Full', and 'Full (Strict)'.

'Flexible' enables termination of the client connection at the edge, but does not enable TLS from Cloudflare to your origin. Traffic will be sent over an encrypted connection from the client to Cloudflare, but not from Cloudflare to the origin.

'Full' specifies that traffic from Cloudflare to the origin will also be encrypted but without certificate validation. When set to 'Full (Strict)', traffic from Cloudflare to the origin will also be encrypted with strict validation of the origin certificate.

TLS versions supported by Spectrum include TLS 1.1, TLS 1.2, and TLS 1.3.

You can manage this through the Spectrum app at the Cloudflare dashboard, or using the [Spectrum API endpoint](https://developers.cloudflare.com/api/resources/spectrum/subresources/apps/methods/update/).

Note

If you have the TLS termination setting configured to **off**, this means that Spectrum will then proxy connections to the origin without decrypting. The certificate that is presented in this case will be the certificate installed at your origin server, instead of the Edge Certificate from Cloudflare.

Warning

If you need to control TLS settings, like the minimum TLS version or cipher suites, you need to use an HTTPS application. For TCP applications, default settings will apply. The minimum TLS version will be 1.1 and the cipher suites are:

| OpenSSL Name                  |
| ----------------------------- |
| AEAD-CHACHA20-POLY1305-SHA256 |
| AEAD-AES128-GCM-SHA256        |
| AEAD-AES256-GCM-SHA384        |
| ECDHE-RSA-CHACHA20-POLY1305   |
| ECDHE-ECDSA-CHACHA20-POLY1305 |
| ECDHE-RSA-AES128-GCM-SHA256   |
| ECDHE-ECDSA-AES128-GCM-SHA256 |
| ECDHE-RSA-AES256-GCM-SHA384   |
| ECDHE-ECDSA-AES256-GCM-SHA384 |
| ECDHE-RSA-AES128-SHA256       |
| ECDHE-RSA-AES128-SHA          |
| ECDHE-ECDSA-AES128-SHA256     |
| ECDHE-ECDSA-AES128-SHA        |
| ECDHE-RSA-AES256-SHA          |
| ECDHE-ECDSA-AES256-SHA        |
| AES128-GCM-SHA256             |
| AES256-GCM-SHA384             |
| AES128-SHA256                 |
| AES128-SHA                    |
| AES256-SHA                    |
| ECDHE-RSA-DES-CBC3-SHA        |
| DES-CBC3-SHA                  |

## Origin TLS Termination

Below are the cipher suites Cloudflare presents to origins during an SSL/TLS handshake. For cipher suites supported at our edge or presented to browsers and other user agents, refer to [Cipher suites](https://developers.cloudflare.com/ssl/edge-certificates/additional-options/cipher-suites/).

The cipher suites below are ordered based on how they appear in the ClientHello, communicating our preference to the origin. Customers do not have the ability to modify the ciphers used by Spectrum.

## Supported cipher suites by protocol

| OpenSSL Name                                         | TLS 1.1 | TLS 1.2 | TLS 1.3 |
| ---------------------------------------------------- | ------- | ------- | ------- |
| AEAD-AES128-GCM-SHA256[1](#user-content-fn-1)        | ❌       | ❌       | ✅       |
| AEAD-AES256-GCM-SHA384[1](#user-content-fn-1)        | ❌       | ❌       | ✅       |
| AEAD-CHACHA20-POLY1305-SHA256[1](#user-content-fn-1) | ❌       | ❌       | ✅       |
| ECDHE-ECDSA-AES128-GCM-SHA256                        | ❌       | ✅       | ❌       |
| ECDHE-RSA-AES128-GCM-SHA256                          | ❌       | ✅       | ❌       |
| ECDHE-RSA-AES128-SHA                                 | ✅       | ✅       | ❌       |
| AES128-GCM-SHA256                                    | ❌       | ✅       | ❌       |
| AES128-SHA                                           | ✅       | ✅       | ❌       |
| AES256-SHA                                           | ✅       | ✅       | ❌       |

## Footnotes

1. Although TLS 1.3 uses the same cipher suite space as previous versions of TLS, TLS 1.3 cipher suites are defined differently, only specifying the symmetric ciphers, and cannot be used for TLS 1.2\. Similarly, TLS 1.2 and lower cipher suites cannot be used with TLS 1.3 ([RFC 8446 ↗](https://www.rfc-editor.org/rfc/rfc8446.html)). BoringSSL also hard-codes cipher preferences in this order for TLS 1.3\. Refer to [TLS 1.3 cipher suites](https://developers.cloudflare.com/ssl/origin-configuration/cipher-suites/#tls-13-cipher-suites) for details. [↩](#user-content-fnref-1) [↩2](#user-content-fnref-1-2) [↩3](#user-content-fnref-1-3)


---

---
title: Why Spectrum-enabled hostnames might appear in Layer 7 Analytics
description: Even when you have Spectrum enabled to handle Layer 4 traffic (for example, TCP/UDP connections), you may still notice traffic in your Layer 7 (L7) analytics dashboard. This is due to the way Cloudflare's Layer 7 CDN and Spectrum handle customer identity differently.
image: https://developers.cloudflare.com/core-services-preview.png
---


# Why Spectrum-enabled hostnames might appear in Layer 7 Analytics

Even when you have Spectrum enabled to handle Layer 4 traffic (for example, TCP/UDP connections), you may still notice traffic in your Layer 7 (L7) analytics dashboard. This is because Cloudflare's Layer 7 CDN and Spectrum handle customer identity differently.

## How Spectrum identifies a user (Layer 4)

In Spectrum, the identity of the customer hostname is based on the Cloudflare IP address that the client uses to connect to the edge. Here is the typical process:

1. Spectrum sets up a DNS hostname in the customer's zone that points to its Spectrum edge IP, and links this edge IP and port to the customer's configuration.
2. The client performs a DNS lookup on the Spectrum hostname, retrieves the Spectrum edge IP, and connects to that IP and port.
3. Spectrum uses this edge IP and port to match the connection to the customer's configuration, identifying the customer.

This process operates at Layer 4: it associates a hostname and customer configuration with IP addresses and ports.

## How the CDN identifies a user (Layer 7)

1. The customer sets up a DNS hostname in their zone that directs traffic to their origin server.
2. The client performs a DNS lookup on the CDN hostname, and the DNS server responds with a CDN edge IP. In contrast to Spectrum, the CDN edge IP is primarily used for traffic management rather than customer identity, as multiple customers can share the same CDN edge IP.

For the CDN, identifying the customer relies heavily on resolving hostnames during the TLS handshake (SNI) and the HTTP request (`Host` header). Notably, the CDN is designed to accept any hostname that matches the customer's zone (for example, `*.example.com`), even if there is no specific Layer 7 DNS match. This means that even Spectrum or Load Balancer hostnames will be accepted as valid under `*.example.com`.

## The overlap: Layer 7 traffic being proxied through Spectrum

Because the CDN is designed to accept any hostname under your zone (for example, `spectrum.example.com`), HTTP traffic that should first be proxied by Spectrum, or even HTTP traffic meant for a Layer-4-only Spectrum app, may sometimes be processed directly by the Layer 7 CDN system. The process is the following:

1. The client connects to a Layer 7 CDN edge IP while using the hostname of a Spectrum application (for example, `spectrum.example.com`) during both the TLS handshake and the HTTP request. Essentially, this means the client is attempting to access `spectrum.example.com` on an incorrect IP.
2. The CDN accepts this hostname as part of the customer zone during both the TLS and HTTP phases because it is designed to recognize any hostname under `*.example.com`. As a result, the request passes through the CDN under the zone's identity.
3. However, when the CDN attempts to connect to the origin server, it performs an internal DNS lookup of the HTTP hostname, which resolves to the Spectrum IP (from `spectrum.example.com` to the Spectrum edge IP). Consequently, the CDN establishes an origin connection to Spectrum, loading its configuration and forwarding the request to the Spectrum origin.

This means traffic for this hostname passes through the standard Layer 7 CDN products, including Analytics and logs.

## Blocking unwanted L7 traffic

If you want to prevent traffic for Layer-4-only Spectrum hostnames from being proxied through Layer 7 to your origin (including unwanted scans or requests), we recommend implementing a Layer 7 WAF (Web Application Firewall) rule. This rule can block traffic directed at specific hostnames or ports, ensuring that only legitimate traffic reaches your Spectrum service.

For example, you can create a WAF rule to block requests to `spectrum.example.com` unless they originate from a Spectrum IP or a customer's Spectrum BYOIP. The traffic will still be logged in Layer 7 Analytics, including WAF Security Events, but this prevents it from arriving at the wrong address and looping through the CDN a second time.


---

---
title: Limitations
description: The following limitations apply to different protocols supported by Spectrum.
image: https://developers.cloudflare.com/core-services-preview.png
---


# Limitations

The following limitations apply to different protocols supported by Spectrum.

## HTTPS

At the moment, HTTPS applications do not support HTTP/3.

## UDP

At the moment, Cloudflare does not support packet fragmentation for UDP packets. If packets are fragmented, they will be dropped at Cloudflare’s edge. Additionally, UDP Spectrum applications are not supported on Magic Transit, BYOIP, Spectrum, and Bindings.

## Minecraft

Minecraft Java Edition is supported but Minecraft Bedrock Edition is not supported.

## Universal SSL

[Universal SSL](https://developers.cloudflare.com/ssl/edge-certificates/universal-ssl/) is not compatible with Cloudflare Spectrum. Use either an [advanced certificate](https://developers.cloudflare.com/ssl/edge-certificates/advanced-certificate-manager/) or a [custom certificate](https://developers.cloudflare.com/ssl/edge-certificates/custom-certificates/) instead.

## Private Network Load Balancing

When using [Spectrum](https://developers.cloudflare.com/load-balancing/private-network/#on-ramps) as an on-ramp and [Cloudflare WAN](https://developers.cloudflare.com/load-balancing/private-network/#cloudflare-wan) as an off-ramp, the [proxy protocol](https://developers.cloudflare.com/spectrum/how-to/enable-proxy-protocol/) setting in Spectrum is not supported.

## Cloudflare Tunnel

Integrating Spectrum with [Cloudflare Tunnel](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/) is only supported for **HTTP/HTTPS** applications. This is because Spectrum must upstream the request through the [Layer 7 CDN products](https://developers.cloudflare.com/spectrum/reference/layer-7-analytics/#the-overlap-layer-7-traffic-being-proxied-through-spectrum) to reach the Tunnel service.

To correctly route traffic from Spectrum through a Cloudflare Tunnel, you must:

1. Configure your Spectrum application with the type set to **HTTP** or **HTTPS**.
2. Point the Spectrum application's origin to a hostname that is already [routing traffic](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/routing-to-tunnel/) through your Cloudflare Tunnel (for example, via a [DNS record](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/routing-to-tunnel/dns/) or [Cloudflare Load Balancer](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/routing-to-tunnel/public-load-balancers/)).

Using a Spectrum application of any other type (for example, TCP) with a Cloudflare Tunnel origin is not supported. Pointing a Spectrum application's origin directly to your Tunnel's subdomain (`<UUID>.cfargotunnel.com`) is also not a valid configuration and will not work.

## Listen on ports configuration

By default, Spectrum is configured to listen on all ports, which can raise concerns for security auditors. However, it is important to note that Spectrum will only proxy connections from edge ports that are specifically configured within Cloudflare.

When a TCP handshake is initiated to any port for a Spectrum IP, the handshake will always be completed. If there is a Spectrum application configured for the port, the connection will be proxied to origin. If no application is configured, the connection is immediately terminated and no origin connection will be opened.

Spectrum will only ever proxy traffic to an origin if there is a Spectrum application configured for that port.


---

---
title: Event logs
description: Spectrum logs the entire lifecycle of every client that connects through it. These event logs are available through Logpush as a separate category (dataset type spectrum_events); they are not part of HTTP log events.
image: https://developers.cloudflare.com/core-services-preview.png
---


# Event logs

Spectrum logs the entire lifecycle of every client that connects through it. These event logs are available through Logpush as a separate category (dataset type `spectrum_events`); they are not part of HTTP log events.

For each connection, Spectrum logs a connect event and either a disconnect or error event. Details on status codes can be found below.

## Configure Logpush

Spectrum [log events](https://developers.cloudflare.com/logs/logpush/logpush-job/datasets/) can be configured through the dashboard or API, depending on your preferred [destination](https://developers.cloudflare.com/logs/logpush/logpush-job/enable-destinations/).

## Status Codes

| Code | Description                                                                                        |
| ---- | -------------------------------------------------------------------------------------------------- |
| 0    | Connection was opened successfully.                                                                |
| 200  | Normal connection closure.                                                                         |
| 400  | The TLS client hello sent during the client/edge TLS handshake contained an invalid SNI.           |
| 403  | Connection closed because the client IP matched a firewall rule with deny action.                  |
| 443  | The client TLS handshake failed.                                                                   |
| 444  | The origin closed the connection by sending a reset (RST) packet. Not all data may have been sent. |
| 445  | A timeout event (ETIMEDOUT) occurred on an established connection to origin.                       |
| 446  | Origin keepalive expired (EHOSTUNREACH).                                                           |
| 447  | Error while reading from or writing to an established origin connection (ECONNREFUSED).            |
| 448  | Origin connection closed due to a broken pipe (EPIPE).                                             |
| 490  | Client TLS error on established connection.                                                        |
| 495  | Client connection received an error (ECONNREFUSED).                                                |
| 496  | Client host is unreachable (EHOSTUNREACH).                                                         |
| 497  | A timeout event (ETIMEDOUT) occurred on an established connection to client.                       |
| 498  | Established client connection closed due to broken pipe (EPIPE).                                   |
| 499  | The client closed the connection by sending a reset (RST) packet. Not all data may have been sent. |
| 500  | Internal Cloudflare error.                                                                         |
| 503  | Error related to performing the TLS handshake with keyless SSL.                                    |
| 520  | Unknown origin connection error.                                                                   |
| 521  | Origin refused to open the connection (ECONNREFUSED).                                              |
| 522  | Opening a connection to origin failed: ETIMEDOUT                                                   |
| 523  | Opening a connection to origin failed: ENETUNREACH                                                 |
| 524  | Opening a connection to origin failed due to an internal system error.                             |
| 530  | Internal error while resolving origin to an IP.                                                    |
| 531  | Could not resolve origin to an IP.                                                                 |
| 532  | The origin connection was not opened because the origin IP is blocked.                             |
| 533  | Internal error while resolving origin to an IP.                                                    |
| 540  | The client/edge TLS handshake failed due to an invalid configuration.                              |
| 999  | Unknown connection error.                                                                          |
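
A triage pass over Spectrum event logs using the status codes above, as an added example (not Cloudflare's code): it groups codes by the side of the proxy they implicate, surfaces clients that repeatedly hit firewall denies or TLS handshake failures, and counts origin failures per application. The field names `Status`, `ClientIP` and `Application`, the grouping, the threshold and the sample lines are assumptions of this example; check them against the field list of your Logpush job.

```python
import json
from collections import Counter, defaultdict

# Status codes from the table above, grouped by the side of the proxy they
# implicate. The grouping itself is this example's choice, not Cloudflare's.
STATUS_GROUPS = {
    "normal": {0, 200},
    "client_tls": {400, 443, 490},
    "denied": {403},
    "client_transport": {495, 496, 497, 498, 499},
    "origin_established": {444, 445, 446, 447, 448},
    "origin_connect": {520, 521, 522, 523, 524},
    "origin_resolve": {530, 531, 532, 533},
    "edge_or_config": {500, 503, 540},
}
GROUP_OF = {code: group
            for group, codes in STATUS_GROUPS.items() for code in codes}


def classify(status: int) -> str:
    """Map a status code to its group; 999 and undocumented codes are 'unknown'."""
    return GROUP_OF.get(status, "unknown")


def triage(ndjson_lines, client_threshold=3):
    """Summarise newline-delimited JSON events (assumed Logpush output format)."""
    groups = Counter()
    client_hits = defaultdict(Counter)   # client IP -> deny / TLS failure counts
    origin_failures = Counter()          # application -> origin-side failures
    skipped = 0
    for line in ndjson_lines:
        if not line.strip():
            continue
        try:
            record = json.loads(line)
            status = int(record["Status"])
        except (ValueError, KeyError, TypeError):
            skipped += 1                 # malformed line or no usable status
            continue
        group = classify(status)
        groups[group] += 1
        if group in ("denied", "client_tls"):
            client_hits[record.get("ClientIP", "unknown")][group] += 1
        elif group.startswith("origin_"):
            origin_failures[record.get("Application", "unknown")] += 1
    # Report only clients at or above the threshold of denies + TLS failures.
    noisy = {ip: dict(hits) for ip, hits in client_hits.items()
             if sum(hits.values()) >= client_threshold}
    return {"groups": dict(groups), "noisy_clients": noisy,
            "origin_failures": dict(origin_failures), "skipped": skipped}


# Constructed sample events (documentation address ranges), not real logs.
SAMPLE_LINES = [
    '{"Application":"app-ssh","ClientIP":"203.0.113.5","Status":0}',
    '{"Application":"app-ssh","ClientIP":"203.0.113.5","Status":200}',
    '{"Application":"app-ssh","ClientIP":"198.51.100.23","Status":403}',
    '{"Application":"app-ssh","ClientIP":"198.51.100.23","Status":403}',
    '{"Application":"app-mqtt","ClientIP":"198.51.100.23","Status":400}',
    '{"Application":"app-mqtt","ClientIP":"192.0.2.44","Status":521}',
    '{"Application":"app-mqtt","ClientIP":"192.0.2.44","Status":522}',
    '{"Application":"app-mqtt","ClientIP":"192.0.2.45","Status":999}',
    'not json',
]

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_LINES), indent=2))
```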


---

---
title: Settings by plan
description: Certain fields in Spectrum request and response bodies require an Enterprise plan. To upgrade your plan, contact your account team.
image: https://developers.cloudflare.com/core-services-preview.png
---


# Settings by plan

Certain fields in Spectrum request and response bodies require an Enterprise plan. To upgrade your plan, contact your account team.

Spectrum properties requiring an Enterprise plan:

| Name                 | Type    | Description                                                                                                                                                                                                                                                                                          | Example                                                   |
| -------------------- | ------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------- |
| origin\_dns          | object  | Method and parameters used to discover the origin server address via DNS. Valid record types are A, AAAA, SRV and empty (both A and AAAA). A request must contain either an origin\_dns parameter or an origin\_direct parameter. When both are specified, the service returns an HTTP 400 Bad Request. | origin\_dns: {type: A, name: mqtt.example.com, ttl: 1200} |
| origin\_port         | integer | The destination port at the origin.                                                                                                                                                                                                                                                                  | 22                                                        |
| proxy\_protocol      | string  | Enables Proxy Protocol to the origin. Spectrum supports v1, v2, and simple proxy protocols. Refer to [Proxy Protocol](https://developers.cloudflare.com/spectrum/how-to/enable-proxy-protocol/) for more details.                                                                                    | off                                                       |
| ip\_firewall         | boolean | Enables IP Access rules for this application.                                                                                                                                                                                                                                                        | true                                                      |
| tls                  | string  | Type of TLS termination for the application. Options are off (default, also known as Passthrough), flexible, full, and strict. Refer to [Configuration Options](https://developers.cloudflare.com/spectrum/reference/configuration-options/) for descriptions of each.                               | full                                                      |
| argo\_smart\_routing | boolean | Enables Argo Smart Routing for the application. Note that it is only available for TCP applications with traffic\_type set to direct.                                                                                                                                                                | true                                                      |

Review the [Spectrum API documentation](https://developers.cloudflare.com/api/resources/spectrum/subresources/apps/methods/list/) for example API requests.


---

---
title: Simple Proxy Protocol Header
description: The client source IP and port is encoded in a fixed-length, 38-octet long header and prepended to the payload of each proxied UDP datagram in the format described below.
image: https://developers.cloudflare.com/core-services-preview.png
---


# Simple Proxy Protocol Header

The client source IP and port are encoded in a fixed-length, 38-octet long header and prepended to the payload of each proxied UDP datagram in the format described below.

```
 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|          Magic Number         |                               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+                               +
|                                                               |
+                                                               +
|                                                               |
+                         Client Address                        +
|                                                               |
+                               +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                               |                               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+                               +
|                                                               |
+                                                               +
|                                                               |
+                         Proxy Address                         +
|                                                               |
+                               +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                               |         Client Port           |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|           Proxy Port          |          Payload...           |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
```

The contents of the header are below.

## Magic Number

16-bit fixed value set to 0x56EC for SPP. Use this field to identify SPP and its 38-byte header.

## Client Address

128-bit address of the originator of the proxied UDP datagram, that is, the client. An IPv6 address if the client used IPv6 addressing, or an IPv4-mapped IPv6 address (refer to [RFC 4291 ↗](https://tools.ietf.org/html/rfc4291)) in case of an IPv4 client.

## Proxy address

128-bit address of the recipient of the proxied UDP datagram, that is, the proxy. Contents should be interpreted in the same way as the Client Address.

## Client port

16-bit source port number of the proxied UDP datagram. In other words, the UDP port number from which the client sent the datagram.

## Proxy port

16-bit destination port number of the proxied UDP datagram. In other words, the UDP port number on which the proxy received the datagram.

## Payload

Data following the header carried by the datagram. Magic number, addresses, and port numbers are encoded in network byte order.

A corresponding C structure describing the header is:

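```c
#include <stdint.h>

/* All multi-byte fields are in network byte order. */
struct {
    uint16_t magic;            /* 0x56EC */
    uint8_t  client_addr[16];  /* IPv6, or IPv4-mapped IPv6 */
    uint8_t  proxy_addr[16];   /* same encoding as client_addr */
    uint16_t client_port;
    uint16_t proxy_port;
};
```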
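
A parser for the header described above, as an added example (not Cloudflare's code) for an origin that receives proxied UDP datagrams: it checks length and magic number before reading any field, and returns IPv4-mapped addresses as IPv4. The names `parse_spp`, `build_spp`, `decode_addr`, `SPPDatagram` and `SPPError`, and the sample datagrams, are assumptions of this example.

```python
import ipaddress
import struct
from typing import NamedTuple, Union

SPP_MAGIC = 0x56EC
# magic, client address, proxy address, client port, proxy port.
# "!" selects network byte order with no padding, so the size is exactly 38.
SPP_HEADER = struct.Struct("!H16s16sHH")

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


class SPPError(ValueError):
    """The datagram does not begin with a well-formed SPP header."""


class SPPDatagram(NamedTuple):
    client_addr: IPAddress
    client_port: int
    proxy_addr: IPAddress
    proxy_port: int
    payload: bytes


def decode_addr(raw: bytes) -> IPAddress:
    """Return IPv4Address for IPv4-mapped IPv6 (::ffff:a.b.c.d), else IPv6."""
    addr = ipaddress.IPv6Address(raw)
    mapped = addr.ipv4_mapped
    return mapped if mapped is not None else addr


def parse_spp(datagram: bytes) -> SPPDatagram:
    """Validate and strip the SPP header from one proxied UDP datagram."""
    # Length first: never read header fields from a short datagram.
    if len(datagram) < SPP_HEADER.size:
        raise SPPError(f"{len(datagram)} octets is shorter than the "
                       f"{SPP_HEADER.size}-octet header")
    magic, client_raw, proxy_raw, client_port, proxy_port = \
        SPP_HEADER.unpack_from(datagram)
    # Without the magic number the leading octets are application payload,
    # not addresses; refuse to derive a client IP from them.
    if magic != SPP_MAGIC:
        raise SPPError(f"unexpected magic number 0x{magic:04X}")
    return SPPDatagram(decode_addr(client_raw), client_port,
                       decode_addr(proxy_raw), proxy_port,
                       datagram[SPP_HEADER.size:])


def build_spp(client: str, client_port: int, proxy: str, proxy_port: int,
              payload: bytes) -> bytes:
    """Construct a datagram in the documented layout (used for the samples)."""
    def encode(text: str) -> bytes:
        ip = ipaddress.ip_address(text)
        if ip.version == 4:
            ip = ipaddress.IPv6Address(f"::ffff:{ip}")  # IPv4-mapped form
        return ip.packed
    return SPP_HEADER.pack(SPP_MAGIC, encode(client), encode(proxy),
                           client_port, proxy_port) + payload


# Constructed samples (documentation address ranges), not captured traffic.
SAMPLE_V4 = build_spp("192.0.2.10", 50000, "198.51.100.7", 5353, b"hello")
SAMPLE_V6 = build_spp("2001:db8::1", 40000, "2001:db8::53", 53, b"")

if __name__ == "__main__":
    for sample in (SAMPLE_V4, SAMPLE_V6, SAMPLE_V4[:20], b"\x00" * 38):
        try:
            print(parse_spp(sample))
        except SPPError as exc:
            print("rejected:", exc)
```

The magic number identifies the format; it does not authenticate the sender. Any host that can reach the origin's UDP port can send a datagram with this header, so treat the decoded client address as trustworthy only on a listener that accepts traffic solely from your proxy's source addresses.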

