Our workflow is as follows:
A user hits our public domain. They actually hit AWS Route 53 and that brings them to our Cloudflare DNS proxy. From Cloudflare DNS we go back to AWS and they hit an AWS NLB. The load balancer is 80/443 TCP passthrough, but after that they hit a Kubernetes pod with a Let's Encrypt cert attached to it. My question is specifically about a public user’s browser going through Cloudflare (and thus the browser is returned the Cloudflare cert) and then through the AWS NLB and then hitting the pod with the Let's Encrypt cert attached. Here’s what I don’t understand:
Firstly: is Cloudflare decrypting the first, original connection from AWS? And then encrypting it again and THEN initiating a NEW connection to our NLB and then hitting this pod? What’s happening there?
Secondly: how is the Cloudflare vs Let's Encrypt scenario negotiated? In other words: is our Let's Encrypt cert able to decrypt this Cloudflare traffic? If so, how? Is it because Cloudflare and Let's Encrypt trust each other via cert bundles, or what is going on there?
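A check that answers the question empirically, added here as an example and not part of the original post: the browser's TLS session ends at the Cloudflare edge and Cloudflare opens a separate TLS session to the origin, so the two hops present two different certificates. The script below probes each hop and reports the issuer. The public hop is reached through the proxied hostname; the origin hop is imitated by connecting to the NLB directly while still sending the public hostname as SNI, which is what makes the pod select its Let's Encrypt cert. `PUBLIC_HOST` and `ORIGIN_HOST` are placeholders you must replace, and the `SAMPLE_*` dicts are constructed data in the shape `ssl.getpeercert()` returns, so the parsing helpers can be exercised offline.

```python
"""Inspect which certificate each TLS hop presents (edge vs origin).

Added example, not code from the original post. PUBLIC_HOST and ORIGIN_HOST
are assumed placeholder names; replace them with your own.
"""
import socket
import ssl
from typing import Dict, List, Optional

PUBLIC_HOST = "example.com"            # assumed: the Cloudflare-proxied public name
ORIGIN_HOST = "nlb.example.internal"   # assumed: NLB DNS name or IP, bypassing Cloudflare


def _rdn_to_dict(rdn_seq) -> Dict[str, str]:
    """Flatten the tuple-of-tuples that getpeercert() uses for 'subject' and
    'issuer' into a plain dict such as {'organizationName': '...'}."""
    out: Dict[str, str] = {}
    for rdn in rdn_seq:
        for key, value in rdn:
            out[key] = value
    return out


def summarize_cert(cert: dict) -> Dict[str, Optional[object]]:
    """Pure helper: reduce a getpeercert() dict to who issued the cert and
    which DNS names it covers. Works on an empty dict too (returns Nones)."""
    issuer = _rdn_to_dict(cert.get("issuer", ()))
    subject = _rdn_to_dict(cert.get("subject", ()))
    sans: List[str] = [name for kind, name in cert.get("subjectAltName", ()) if kind == "DNS"]
    return {
        "issuer_org": issuer.get("organizationName"),
        "issuer_cn": issuer.get("commonName"),
        "subject_cn": subject.get("commonName"),
        "sans": sans,
        "not_after": cert.get("notAfter"),
    }


def classify_issuer(summary: Dict[str, Optional[object]]) -> str:
    """Label a summarized cert by the CA organization that issued it."""
    org = str(summary.get("issuer_org") or "").lower()
    if "cloudflare" in org:
        return "cloudflare-edge"
    if "let's encrypt" in org:
        return "lets-encrypt-origin"
    return "other"


def fetch_peer_cert(host: str, port: int = 443, sni: Optional[str] = None,
                    timeout: float = 5.0) -> dict:
    """Open one verified TLS connection and return the leaf certificate dict.

    Verification is deliberately left on: getpeercert() returns an empty dict
    for an unverified session, and a hostname mismatch surfaces as
    ssl.SSLCertVerificationError, which is itself a useful finding.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=sni or host) as tls:
            return tls.getpeercert()


def inspect_hops(public_host: str = PUBLIC_HOST, origin_host: str = ORIGIN_HOST) -> Dict[str, dict]:
    """Probe both TLS sessions: the Cloudflare edge via the public name, and the
    origin via the NLB with the public name as SNI (network access required)."""
    edge = summarize_cert(fetch_peer_cert(public_host))
    origin = summarize_cert(fetch_peer_cert(origin_host, sni=public_host))
    return {"edge": edge, "origin": origin}


# Constructed sample data in the shape ssl.getpeercert() returns, for offline use.
SAMPLE_EDGE_CERT = {
    "subject": ((("commonName", "sni.cloudflaressl.com"),),),
    "issuer": ((("countryName", "US"),), (("organizationName", "Cloudflare, Inc."),),
               (("commonName", "Cloudflare Inc ECC CA-3"),)),
    "subjectAltName": (("DNS", "sni.cloudflaressl.com"), ("DNS", "example.com"),
                       ("DNS", "*.example.com")),
    "notAfter": "Jan  1 23:59:59 2026 GMT",
}
SAMPLE_ORIGIN_CERT = {
    "subject": ((("commonName", "example.com"),),),
    "issuer": ((("countryName", "US"),), (("organizationName", "Let's Encrypt"),),
               (("commonName", "R3"),)),
    "subjectAltName": (("DNS", "example.com"),),
    "notAfter": "Mar  1 12:00:00 2025 GMT",
}

if __name__ == "__main__":
    for hop, summary in inspect_hops().items():
        print(hop, classify_issuer(summary), summary)
```

Run it from a host that can reach the NLB directly. If the edge reports a Cloudflare-issued cert and the origin reports a Let's Encrypt-issued one, you are looking at two independent TLS sessions, not one certificate decrypting the other's traffic; if the origin probe raises a verification error instead, the pod is not serving a cert valid for the public name, which is exactly what Cloudflare's strict origin verification would also reject.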