is my caddy traffic still encrypted when routed through cloudflare tunnels?
i'm running caddy as a reverse proxy and would like to keep the flexibility it gives me for redirects, subpaths, etc. but need the benefits of something like cloudflare tunnels for cgnat issues.
for privacy purposes, if i'm just passing caddy through the tunnel, is my traffic still encrypted in a way that not even cloudflare would be able to see it unless they have the let's encrypt key that caddy also uses?
No. All traffic is decrypted by Cloudflare so they know how to route it, then re-encrypted and sent on.
does it get the encryption key from caddy to be able to do that?
no, since Cloudflare has control of your dns, they just issue a certificate (universal ssl) for themselves and then respond to dns queries with their proxy servers. Their proxy servers respond with their issued cert, so they decrypt the traffic and can send it through waf/know how to deal with it. Then it's re-encrypted to send to your origin as needed.
Your server will always see the tunnel agent (cloudflared) as the client, so it's always interacting with it as the "end user" in its eyes. Traffic is then re-encrypted to flow back through Cloudflare's network and out to actual "human"-ish end users (and bots).
There are no keys being compromised, just a trusted MITM/proxy system in place essentially.
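One way to see this for yourself, as an added example that is not part of the thread: open a TLS connection to the public hostname (answered by Cloudflare's edge) and another to Caddy on the origin (for example from the LAN, since a tunneled origin is not reachable from outside) with the same SNI, and compare the leaf certificates. Host names and the sample certificate dict below are constructed placeholders.

```python
import hashlib
import socket
import ssl


def rdn_value(name, attr):
    """Pull one attribute (e.g. organizationName) out of the nested RDN tuples
    that ssl.SSLSocket.getpeercert() returns for 'subject' and 'issuer'."""
    for rdn in name:
        for key, value in rdn:
            if key == attr:
                return value
    return None


def summarize(cert, der):
    """Reduce a parsed certificate plus its DER bytes to the fields worth comparing."""
    return {
        "issuer_org": rdn_value(cert.get("issuer", ()), "organizationName"),
        "subject_cn": rdn_value(cert.get("subject", ()), "commonName"),
        "sans": [v for t, v in cert.get("subjectAltName", ()) if t == "DNS"],
        "sha256": hashlib.sha256(der).hexdigest(),
    }


def describe_leaf(host, port=443, sni=None, timeout=5):
    """Connect to host:port with the given SNI (verification on, so getpeercert()
    returns the parsed dict) and summarize the leaf certificate presented."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=sni or host) as tls:
            return summarize(tls.getpeercert(), tls.getpeercert(binary_form=True))


def terminated_in_front(public_leaf, origin_leaf):
    """True when the edge serves a different certificate than Caddy does,
    i.e. TLS is terminated (and re-encrypted) before reaching the origin."""
    return public_leaf["sha256"] != origin_leaf["sha256"]


if __name__ == "__main__":
    # Hypothetical names: the public site and Caddy's LAN address.
    public = describe_leaf("app.example.com")
    origin = describe_leaf("192.0.2.10", sni="app.example.com")
    print("edge issuer:", public["issuer_org"], "| origin issuer:", origin["issuer_org"])
    print("TLS terminated at the edge:", terminated_in_front(public, origin))
```

If the two fingerprints differ, the browser is trusting the edge's certificate and only the second hop (edge to Caddy) uses the Let's Encrypt certificate Caddy holds.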
ahh, that makes sense. thanks for the explanation!
It's also something to keep in mind when dealing with firewall rules. Still trips me up occasionally at times lol