How CloudFlare handles SSL (and alt options to handle DDoS)
A buddy of mine is planning to get the business package for CloudFlare (his site got DDoSed recently). CloudFlare claims to provide Full SSL option for business customers - https://support.cloudflare.com/hc/en-us/articles/200170416-What-do-the-three-SSL-options-off-Flexible-Full-mean- .
Does that mean CloudFlare cannot see the data being sent from his customers to his server? He prefers to keep his customers' private info unavailable to CloudFlare. Is this possible at all?
Are there any other DDoS mitigation strategies (without much support from the NOC) that can help him?
Thanks in advance.
Comments
All the traffic from the site would be passed through Cloudflare; as they are the ones who will be stopping the attacks, this must be done. The same would happen for any solution.
Cloudflare acts as a middle man proxy for your site. Full SSL is encrypted going from you -> Cloudflare and from Cloudflare to your users.
Ah, thanks for clarifying it. So Cloudflare really isn't an option for him.
Are there any reverse proxies that can just filter out UDP packets and stuff, and just redirect SSL traffic alone to him?
http://blog.cloudflare.com/2013-refactoring-2014-stepping-on-the-gas
@iamm If the traffic is being filtered it would have to go through a provider either way. Many large businesses and websites use Cloudflare, such as imgur; I wouldn't see any reason for concern using them for a website.
They are very open about their policies and tech they use.
"We'll be adding functionality to the Pro SSL (ability to use your own cert -- in most instances). The Free will have similar SSL features to the current Pro accounts but with some limitations for old browsers based on a technical limitation. Stay tuned"
By Cloudflare's mod.
@sundaymouse CEO
I am afraid that CF will still be the one to terminate the SSL traffic first, so it doesn't really fit what the OP wants.
I guess he is just being unduly paranoid about Cloudflare. And yes, I do realize some of the big names use Cloudflare. For DDoS protection, they seem to be the best option for him. I will just ask him to sign up for it.
Thanks for the responses everyone.
Hm, I remember reading back a few months ago about someone who bought a BuyVM with a DDoS protected IP and used that as a proxy? I never really thought much of it, is this even possible?
http://blog.a-r-d.me/how-to-set-up-a-reverse-proxy-with-ssl/
Get a DDOS protected VM as a reverse proxy
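The reverse-proxy idea from the last few comments, as an added example that is not part of any post in this thread: an nginx `stream` configuration on the protected VM that relays TLS at the TCP layer without terminating it, so the certificate and key stay on the origin. The addresses, file paths and limits are constructed placeholders.

```nginx
# Runs on the DDoS-protected VM. All addresses are constructed placeholders.
# 203.0.113.10 = origin server (assumption), kept out of public DNS.

events {}

# Layer-4 passthrough: the TLS handshake is completed by the origin, which
# holds the certificate and private key. This VM relays ciphertext only.
stream {
    # Track concurrent connections per client address.
    limit_conn_zone $binary_remote_addr zone=perip:10m;

    upstream origin_tls {
        server 203.0.113.10:443;
    }

    server {
        listen 443;                 # TCP only; with no UDP listener, UDP is never relayed
        limit_conn perip 20;        # cap per-client concurrent connections
        proxy_connect_timeout 5s;   # give up quickly if the origin is unreachable
        proxy_timeout 10m;          # close idle relayed connections
        proxy_pass origin_tls;
    }
}

# For contrast, a TLS-terminating proxy (the model described in the thread):
# the proxy holds a certificate and key, decrypts the request, then
# re-encrypts towards the origin, so plaintext is visible on the proxy.
#
# http {
#     server {
#         listen 443 ssl;
#         ssl_certificate     /etc/nginx/proxy.crt;
#         ssl_certificate_key /etc/nginx/proxy.key;
#         location / { proxy_pass https://203.0.113.10; }
#     }
# }
```

With passthrough the origin sees the VM's address as the client unless the PROXY protocol is enabled on both ends, and the proxy cannot apply HTTP-level filtering because it never sees the requests. The origin's firewall should accept port 443 only from the VM so the protected address cannot be bypassed.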