Please add support for end-to-end encryption

Hello,

Please add an option to use end-to-end encryption with CF.

Basically all I’m looking for from CF is for you to accept connections to my domain from your network IPs (if the incoming connection passes all WAF rules) and then proxy those connections directly to my backend server, where my backend server will handle the TLS termination.

Implementing this should be super simple and more lightweight than relying on CF resources to perform the TLS termination. I’ve run my own configuration of this setup for close to 20 years so I’m really quite shocked CF don’t already offer support for this??

(The motivation for considering a move to CF is the WAF feature – to demonstrate my efforts to geoblock regions that have active privacy legislation [Europe/GDPR, California/CCPA, Virginia…, various segmented locations].)

Personally, I do not agree with this new model of fragmenting the Internet with geoblocks, but several legal resources recommend doing this to demonstrate services do not target the restricted regions… (Of course there are VPNs, proxies, Tor, … so it’s really just more nonsense, but whatever.)

I also noticed CF offers the ability to block by country in their WAF which is great, but it looks like blocking by US state is restricted to Enterprise/Business subscriptions. Why is blocking by state restricted to business accounts?

I’d like to use your services, but I need:

  1. end-to-end TLS encryption terminated at my backend server
  2. the ability to block by country and US state

I’m happy to pay for a Pro subscription, but can’t yet afford business level subscriptions.

Thank you for your consideration

99% of Cloudflare’s product suite builds on top of terminating TLS at their edge - I don’t see the point in using Cloudflare if you’re going to be blocked off from all of the advantages.

You can use Spectrum TCP (Enterprise) or Magic Transit (Enterprise) to just handle TCP/UDP w/o any TLS termination (optional on Spectrum TCP) - but that’s several thousand per month.

You’d likely be better off implementing such blocks yourself using a GeoIP service like Maxmind.

2 Likes

Yeah, MaxMind is what I currently use. Looking to move more hardware to the cloud and thought CF might be a solution.
(This is a feature request for CF)