Comment by samlinnfer

9 hours ago

I do have a question, is it even possible to have a CDN set up where they don't MITM and strip your TLS and re-encrypt or are we just picking which jurisdiction gets to inspect your traffic?

edit: I'm thinking of the use case where the CDN acts as a proxy for APIs and uncachable content as well, where it is used as a reverse proxy for transit/DDoS protection.

Much of the point of a CDN is that they can cache responses, and likely also make other changes. I don't see how that could be done without seeing what's inside the request.

Probably not. That’d look a lot like a bunch of load balancers around the world hitting your own backend. There’s generally not a way to cache web data without decrypting it inside the cache.

Why would you want a content delivery network for uncachable content? Literally the point of a CDN is to cache content and deliver it.

Granted cloudflare also does DDOS protection, and that makes sense for an API. For that you could do some DDOS protection without stripping TLS, but it can only protect against volumetric attacks like syn/ack floods and not against attacks that are establishing full TCP connections and overwhelming the app server. (rate limiting incoming connections can go a long way, but depending on details, it might still be enough to overwhelm the serving resources, your use case is up to you to understand).

  • It seems like having a feedback loop to the DDOS protector could help a lot - i.e. saying how busy you are.

    At some level, it's like they become your edge router.
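The connection-level rate limiting the comment above describes, together with the "tell the DDoS protector how busy you are" feedback loop suggested in the reply, as an added example (not code from any of the commenters or from Cloudflare). It models a pass-through proxy that sees only the source address and arrival time of each new TCP connection, never the TLS payload, and replays constructed traffic through it. The limiter design, the per-source budget, the load feedback rule and the sample addresses (RFC 5737 documentation ranges) are all assumptions made for the illustration; the distributed case at the end shows the limit the comment points out, namely that volume-only throttling cannot judge connections that individually look normal.

```python
from collections import deque
from dataclasses import dataclass, field


@dataclass
class ConnectionRateLimiter:
    """Per-source connection rate limiter for a TCP pass-through (non-TLS-terminating) proxy.

    Hypothetical design for this example. The only inputs are the source
    address and the arrival time of each new connection, so the proxy never
    needs to decrypt anything. The flip side is that it can only throttle by
    volume: it cannot tell a well-behaved client from one that opens a few
    connections and then overloads the application behind them.
    """
    max_per_window: int = 20           # new connections allowed per source per window
    window_seconds: float = 10.0       # sliding window length
    origin_load: float = 0.0           # 0.0 = idle, 1.0 = saturated; reported by the origin
    history: dict = field(default_factory=dict)  # src_ip -> deque of accepted timestamps

    def report_origin_load(self, load: float) -> None:
        """Feedback from the origin ("how busy am I"), clamped to [0, 1]."""
        self.origin_load = min(max(load, 0.0), 1.0)

    def effective_limit(self) -> int:
        """Per-source budget shrinks as the origin reports more load, never below 1."""
        return max(1, int(self.max_per_window * (1.0 - self.origin_load)))

    def allow(self, src_ip: str, now: float) -> bool:
        """Return True if a new connection from src_ip at time `now` may be accepted."""
        q = self.history.setdefault(src_ip, deque())
        # Drop timestamps that have fallen out of the sliding window
        while q and now - q[0] >= self.window_seconds:
            q.popleft()
        if len(q) >= self.effective_limit():
            return False
        q.append(now)
        return True


def simulate(events, limiter):
    """Replay (timestamp, src_ip) events through the limiter.

    Returns {src_ip: (accepted, rejected)}. Events are sorted by time so the
    result does not depend on how the constructed input list was assembled.
    """
    counts = {}
    for now, src in sorted(events):
        acc, rej = counts.get(src, (0, 0))
        if limiter.allow(src, now):
            counts[src] = (acc + 1, rej)
        else:
            counts[src] = (acc, rej + 1)
    return counts


# Constructed sample traffic (documentation addresses, not real hosts):
# one source opening 50 connections in 5 seconds, one normal client opening 5.
FLOOD_SRC = "198.51.100.7"
CLIENT_SRC = "203.0.113.5"
SINGLE_SOURCE_FLOOD = [(i * 0.1, FLOOD_SRC) for i in range(50)] + \
                      [(float(i), CLIENT_SRC) for i in range(5)]

# Constructed distributed case: 40 sources each opening 10 connections in the
# same window. Each stays under the per-source budget, so a pass-through
# limiter accepts all of them; only something that can see the application
# layer could judge these.
DISTRIBUTED_FLOOD = [(i * 0.1, f"192.0.2.{n}") for n in range(1, 41) for i in range(10)]


def run_single_source(origin_load=0.0):
    """Single noisy source plus one normal client, at a given reported origin load."""
    lim = ConnectionRateLimiter()
    lim.report_origin_load(origin_load)
    return simulate(SINGLE_SOURCE_FLOOD, lim)


def run_distributed():
    """Many sources under the per-source limit; returns (accepted, rejected) totals."""
    lim = ConnectionRateLimiter()
    res = simulate(DISTRIBUTED_FLOOD, lim)
    return sum(a for a, _ in res.values()), sum(r for _, r in res.values())


if __name__ == "__main__":
    print("idle origin:", run_single_source())
    print("origin 75% loaded:", run_single_source(0.75))
    print("distributed (accepted, rejected):", run_distributed())
```

With an idle origin the single flooding source gets its first 20 connections through and the remaining 30 refused while the normal client is untouched; once the origin reports 75% load the per-source budget drops to 5, tightening the throttle without any change to how the normal client is treated. The distributed case is accepted in full, which is exactly why the comment above says this style of protection stops volumetric floods but not attacks that complete full connections and exhaust the app server.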

I mean you can even use Cloudflare in a non-MITM manner. You lose a lot of the "value" of a CDN but they support it. Cloudflare Spectrum would be the product.