
How CloudFlare handles SSL (and alt options to handle DDoS)

iamm Member

A buddy of mine is planning to get the business package for CloudFlare (his site got DDoSed recently). CloudFlare claims to provide a Full SSL option for business customers - https://support.cloudflare.com/hc/en-us/articles/200170416-What-do-the-three-SSL-options-off-Flexible-Full-mean- .

Does that mean CloudFlare cannot see the data being sent from his customers to his server? He prefers to keep his customers' private info unavailable to CloudFlare. Is this possible at all?

Are there any other DDoS mitigation strategies (without much support from the NOC) that can help him?

Thanks in advance.

Comments

  • Awmusic12635 Member, Host Rep

    All the traffic from the site would be passed through Cloudflare; as they are the ones who will be stopping the attacks, this must be done. The same would happen for any solution.

    Cloudflare acts as a middle man proxy for your site. Full SSL is encrypted going from you -> Cloudflare and from Cloudflare to your users.

    Thanked by 1 iamm
  • iamm Member
    edited January 2014

    @Fliphost said:
    Cloudflare acts as a middle man proxy for your site. Full SSL is encrypted going from you -> Cloudflare and from Cloudflare to your users.

    Ah, thanks for clarifying it. So Cloudflare really isn't an option for him.

    Are there any reverse proxies that can just filter out UDP packets and stuff, and just redirect SSL traffic alone to him?

  • bdtech Member
    edited January 2014

    http://blog.cloudflare.com/2013-refactoring-2014-stepping-on-the-gas

    To that end, in 2014 we will be rolling out SSL with perfect forward secrecy support to all our customers, even those at the free tier. That is a significant challenge for a number of reasons but we believe it's disappointing that there are only about 2 million SSL-protected sites online today. One day in 2014 we plan to double that. We think it's one of the most important things we can do to further our mission of building a better web.

    Thanked by 1 Dylan
  • Awmusic12635 Member, Host Rep
    edited January 2014

    @iamm If the traffic is being filtered it would have to go through a provider either way. Many large businesses and websites use Cloudflare, such as imgur; I wouldn't see any reason for concern using them for a website.

    They are very open about their policies and tech they use.

    Thanked by 1 iamm
  • "We'll be adding functionality to the Pro SSL (ability to use your own cert -- in most instances). The Free will have similar SSL features to the current Pro accounts but with some limitations for old browsers based on a technical limitation. Stay tuned"

    By Cloudflare's mod.

  • klikli Member
    edited January 2014

    sundaymouse said: "We'll be adding functionality to the Pro SSL (ability to use your own cert -- in most instances). The Free will have similar SSL features to the current Pro accounts but with some limitations for old browsers based on a technical limitation. Stay tuned"

    I am afraid that CF will still be the one to terminate the SSL traffic first, so it doesn't really fit what the OP wants.

  • I guess he is just being unduly paranoid about Cloudflare. And yes, I do realize some of the big names use Cloudflare. For DDoS protection, they seem to be the best option for him. I will just ask him to sign up for it.

    Thanks for the responses everyone.

  • Hm, I remember reading back a few months ago about someone who bought a BuyVM with a DDoS protected IP and used that as a proxy? I never really thought much of it, is this even possible?

    Thanked by 1 vRozenSch00n
  • @skybucks100 said:
    Hm, I remember reading back a few months ago about someone who bought a BuyVM with a DDoS protected IP and used that as a proxy? I never really thought much of it, is this even possible?

    http://blog.a-r-d.me/how-to-set-up-a-reverse-proxy-with-ssl/

  • Get a DDoS-protected VM as a reverse proxy.
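
Added example, not part of the original thread: an nginx configuration for the DDoS-protected VM suggested above that relays TLS as raw TCP, so the VM never holds the certificate or sees plaintext, in contrast to a proxy that terminates SSL. The origin address 203.0.113.10, the zone and upstream names, and the limits are placeholder assumptions.

```nginx
# Runs on the DDoS-protected VM that sits in front of the site.
# 203.0.113.10 is a placeholder (documentation range) for the real origin IP.

worker_processes auto;
events { worker_connections 4096; }

# The "stream" module proxies raw TCP. No ssl_certificate is configured
# here, so the TLS handshake completes between the visitor and the origin
# and this VM only relays ciphertext.
stream {
    # Shared-memory zone used to cap concurrent connections per client IP.
    limit_conn_zone $binary_remote_addr zone=per_ip:10m;

    upstream origin_tls {
        server 203.0.113.10:443;
    }

    server {
        # TCP 443 only, and no "ssl" flag: nothing is decrypted on this box.
        # UDP and every other port are simply never forwarded to the origin.
        listen 443;

        limit_conn per_ip 20;        # assumed limit; tune to real traffic
        proxy_connect_timeout 5s;    # fail fast if the origin is unreachable
        proxy_timeout 60s;           # close idle relayed connections

        # Prepend a PROXY protocol header so the origin still learns the
        # visitor's IP. The origin must expect it, for example with
        # "listen 443 ssl proxy_protocol;" in its own nginx config.
        proxy_protocol on;

        proxy_pass origin_tls;
    }
}

# For contrast, a terminating proxy would use an http{} server with
# "listen 443 ssl;" plus ssl_certificate / ssl_certificate_key, decrypt each
# request, and re-encrypt it towards the origin. That is the position the
# thread describes for Cloudflare: traffic is readable at the proxy.
```

Because the VM cannot read the HTTP inside the TLS stream, it can only apply connection-level limits, not request-level filtering or caching. The origin's firewall should accept port 443 only from the VM's address so the real IP cannot be reached directly.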
