Note: I haven’t setup a CF site yet; I’m still gathering information to decide whether I want to use the service. If my below description/understanding of how CF operates is incorrect, please provide correction in a comment.
As I was reviewing CF’s documentation for their WAF firewall, I saw the following note:
- Access to
http.request.cookiesfield requires a Cloudflare Pro, Business, or Enterprise plan.
Of course CF is a business and can’t give away all their services for free…but it got me thinking that if they block cookies sent from the user’s browser [e.g. for free users], what data might an attacker who managed to breach the CF network block or alter in transit?
For regular websites, usually TLS handles data security between the client and the server so that you have a configuration like:
Client <-> TLS <-> Server
Here, the client is communicating directly with the source server using a negotiated secret key.
But with CF, it looks like you have a configuration like this:
Client <-> TLS1 <-> CF <-> TLS2 <-> Server
In this CF configuration, clients are securely communicating with CF servers using a key associated with TLS1 and then CF decrypts the user data, [modifies?] and re-encrypts the data using a separate key associated with TLS2 to the source server. Responses from the server to the client perform the same steps, but in reverse. Using this configuration, CF has the ability to read/modify data from both the client and the server – it’s effectively a “man-in-the-middle” proxy.
To maintain security/integrity, between the client and my source server, what I really want is for CF to send the client the source server’s TLS certificate so that the connection looks like this:
Client <-> CF <-> TLS <-> Server
In this configuration, CF is just a pass-through proxy; the client makes a TLS request, CF applies whatever options I’ve applied [eg. firewall rules] and then proxies the connection directly to the source server so that source server negotiates the TLS key exchange. The source server response to CF is similarly a pass-through back to the client.
Looking at the CF plans/feature matrix, it looks like only enterprise and business plans are permitted to supply their own certificates?? Is that correct? Why?
I realize that by using CF as a direct-pass through proxy, the key exchange burden rests solely on the source server which can be an issue for DDoS protection features, but my website is almost entirely dynamic (extremely little static content) so that my backend source server is going to be handling the bulk of the processing anyways.
What I’m really looking for from CF is the ability to geoblock and intelligently work with implicitly blocking malicious connection attempts (e.g. by monitoring the CF network to identify malicious connections and block them from ever reaching my source server in the first place)
Many of the CF features seem intriguing, but so far I keep finding myself needing the business/enterprise plans to achieve a basic configuration that I would find acceptable. Unfortunately, I’m only an individual at the moment/can’t afford those higher tiered plans.
I’d love to hear that there is another way to achieve this functionality with the Pro plan (or something in-between Pro and Business.) It’s late here so I may have overlooked something.
As always, thank you for all helpful input.