Can you expose an application to the Internet by cloudflare without TLS termination?

The TLS is typically terminated at Cloudflare servers. This means that CF decrypts the traffic, scans it and re-encrypts it to the origin server. I want the traffic to be end-to-end encrypted from client to the origin server. This requires TLS pass-through. I want to enforce ACLs at Cloudflare as much as possible. For example, IP filtering should be easily doable, but also forwarding the client certificate. Another workaround would be that the client authenticates to Cloudflare through some kind of SSO. If authentication is successful, the client obtains a token from CF, and then establishes a direct TLS connection with the origin server. Does anyone know if TLS pass-through is possible, and what kind of ACLs can be enforced?
1 Reply
Mans (OP), 2mo ago
Thanks, I see. When traffic is encrypted, some of the ACLs cannot be performed. The man in the middle needs to see some of the information in plaintext in order to authenticate the client. I don't know how an L3 proxy works. With an L3 proxy as in Spectrum or Magic Transit, what kind of ACLs are possible? From what I see here, only IP filtering is possible: https://developers.cloudflare.com/spectrum/reference/configuration-options/ Also, if there are any workarounds where I could build this myself with CF tools (TLS pass-through with CF ACLs), I would appreciate that.
Cloudflare Docs
Configuration options | Cloudflare Spectrum docs
Spectrum is a global TCP and UDP proxy running on Cloudflare’s edge nodes. It does not terminate the connection. Instead it passes through the packets to the backend server.
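The point made above (a non-terminating proxy only sees what is in plaintext) can be shown concretely. The following is an added example, not code from the thread or from Cloudflare: it builds a constructed TLS ClientHello, extracts the plaintext SNI from it without any decryption, and applies the two checks a pass-through proxy can actually make, a source-IP allow-list and SNI-based routing. The allow-list and the SNI-to-origin map are constructed sample values. Anything that needs the client certificate (which TLS 1.3 sends encrypted) still has to be checked at the origin.

```python
# Added example: what a pass-through (non-terminating) proxy can inspect and enforce.
import ipaddress
import struct

def build_client_hello(server_name):
    """Construct a minimal ClientHello record carrying an SNI extension (sample input)."""
    name = server_name.encode()
    sni_list = b"\x00" + struct.pack("!H", len(name)) + name            # host_name entry
    sni_ext = struct.pack("!HHH", 0, len(sni_list) + 2, len(sni_list)) + sni_list
    body = (b"\x03\x03" + b"\x11" * 32                 # legacy_version, random
            + b"\x00"                                   # session id length 0
            + b"\x00\x02\x13\x01"                       # one cipher suite
            + b"\x01\x00"                               # null compression
            + struct.pack("!H", len(sni_ext)) + sni_ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def extract_sni(record):
    """Read the SNI from a ClientHello record; no key material, no decryption."""
    if len(record) < 5 or record[0] != 0x16:
        return None                                     # not a TLS handshake record
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if not hs or hs[0] != 0x01:
        return None                                     # not a ClientHello
    pos = 4 + 2 + 32                                    # handshake header, version, random
    pos += 1 + hs[pos]                                  # session id
    pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]  # cipher suites
    pos += 1 + hs[pos]                                  # compression methods
    end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", hs[pos:pos + 4])
        data = hs[pos + 4:pos + 4 + ext_len]
        if ext_type == 0 and len(data) >= 5:            # server_name extension
            return data[5:5 + struct.unpack("!H", data[3:5])[0]].decode()
        pos += 4 + ext_len
    return None

ALLOWED_CLIENTS = [ipaddress.ip_network("203.0.113.0/24")]  # constructed allow-list
ROUTES = {"app.example.com": "10.0.0.5:443"}                 # constructed SNI -> origin

def passthrough_decision(client_ip, record):
    """The only ACLs a pass-through proxy can apply: source IP and SNI-based routing."""
    if not any(ipaddress.ip_address(client_ip) in net for net in ALLOWED_CLIENTS):
        return "reject: client IP not in allow-list"
    sni = extract_sni(record)
    if sni not in ROUTES:
        return f"reject: unknown SNI {sni!r}"
    return f"forward opaque bytes to {ROUTES[sni]}"
```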