• Björn@swg-empire.de · 8 upvotes · 2 days ago

    Even if you don’t use Cloudflare’s https they still need the private keys to work. So they can read all traffic either way.

    • chicken@lemmy.dbzer0.com · 7 upvotes · 2 days ago

      I’ll be more specific: if you set up a website on your own server and use Cloudflare as a reverse proxy, and you do SSL yourself, on your own server, then the traffic is encrypted between the client and your server, and therefore Cloudflare cannot read it; they do not have the encryption keys, even though the traffic is passing through them. If you use Cloudflare’s https solution, Cloudflare provides the keys and decrypts the traffic before passing it on.

      The former is the more secure way to do it, but they encourage you to do it the way where they get to read all the traffic, which is pretty shady of them, because if a website has https people assume that means it is end to end encrypted to the website itself, but that assumption is being violated here and a user has no way to know.

      • Lee@retrolemmy.com · 3 upvotes · 1 day ago

        You should check the certificate shown to clients when accessing your domain. I think you’ll find that it is not the certificate that you created outside of Cloudflare. Cloudflare doesn’t need your private key, as they issue a certificate for your domain to themselves and use that for the connection with the client. The certificate you created is used between Cloudflare and your server. The only option I’m aware of to route traffic through Cloudflare where they don’t terminate SSL is an enterprise-only feature.

        • chicken@lemmy.dbzer0.com · 1 upvote · edited · 18 hours ago

          I checked just to be sure (and debugged some problems while I was at it, like the certificate having expired): the certificate is from Let’s Encrypt via certbot.

          Here is how to configure Cloudflare for this (I am using the free version):

          In the settings under SSL/TLS Overview, in “Configure encryption mode”, select “Custom SSL/TLS” instead of “Automatic SSL/TLS (default)”, and under that select Full:

          Full: Enable encryption end-to-end. Use this mode when your origin server supports SSL certification but does not use a valid, publicly trusted certificate.

          Edit: looking into it more, I might have been mistaken about how this works.

          • Lee@retrolemmy.com · 1 upvote · 7 hours ago

            Please actually compare the certificate when connecting to your server directly (bypassing Cloudflare) and connecting via Cloudflare. An easy way to do this is with openssl CLI:

            openssl s_client -servername your-domain-here.org -connect your-ip-here:443 < /dev/null 2>/dev/null | openssl x509 -text -noout

            Replace your-domain-here.org with your domain and your-ip-here with your actual server IP, but also do it with the Cloudflare IP.

            The section about the “Full (strict)” / “Full” is referring to how Cloudflare verifies the certificate (or not in the case of Flexible and off) between your origin server and Cloudflare – this is not with respect to the client and Cloudflare. The Custom origin certificates are also with respect to Cloudflare and your server (has no impact on certificate used between the client and Cloudflare). Cloudflare still uses a separate certificate that they have issued to themselves and hold the private key to use for the client.

            If you pay extra for their “Advanced Certificate Manager”, this allows you to upload a custom certificate to be used between the client and Cloudflare, but you have to provide the private key to Cloudflare because they still terminate SSL/TLS at their servers. Even their “Total TLS” service (part of ACM and the word “Total” could be mistaken to be “total” as in from client all the way to your origin server) does not provide E2EE.

            I may be unaware of a newer service offering, but the only way that I’m aware of to get true E2EE is on their Enterprise plan (Keyless TLS). I have a lot of experience with Cloudflare for both personal and Enterprise plan (I was the technical person in charge of the account and configuring and such). Granted, I’ve not been dealing with CF enterprise for a few years now and they may have a new service offering outside of enterprise that I’m not familiar with, but my quick look around still looks like everything aside from Keyless TLS requires either giving them the key (in the case of ACM custom certificates) or they use their own certificate for client <-> Cloudflare. When I did manage the enterprise plan, we actually didn’t use Keyless TLS because we used features that required them to terminate TLS anyway, so I can’t speak to the specifics of it.

            I hope I’m wrong though. I’d love to have true E2EE while still getting the DDoS protection on my personal stuff.
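The comparison Lee describes, scripted as an added example (not code from the thread): fetch the leaf certificate once by connecting to the origin IP with the domain as SNI, and once by connecting to the domain name (which resolves to the proxy), then compare issuers and SHA-256 fingerprints. The domain and origin IP are arguments you supply; the parsing step is separated out so it can be checked on constructed `openssl x509` output without network access.

```shell
#!/usr/bin/env bash
# Added example: does the proxied path present the same leaf certificate as the
# origin? If the fingerprints differ, the proxy is terminating TLS with a
# certificate of its own (the behaviour described in the thread).
set -u

# Turn the output of `openssl x509 -noout -issuer -fingerprint -sha256` into
# one line "issuer|fingerprint". Handles both "sha256 Fingerprint=" (OpenSSL 3)
# and "SHA256 Fingerprint=" (OpenSSL 1.1) spellings.
summarize_x509() {
  local issuer="" fp=""
  while IFS= read -r line; do
    case "$line" in
      issuer=*)        issuer="${line#issuer=}" ;;
      *Fingerprint=*)  fp="${line#*Fingerprint=}" ;;
    esac
  done
  printf '%s|%s\n' "$issuer" "$fp"
}

# Leaf certificate presented for SNI name $1 when connecting to host/IP $2.
leaf_cert_info() {
  local domain="$1" host="$2"
  openssl s_client -servername "$domain" -connect "$host:443" </dev/null 2>/dev/null \
    | openssl x509 -noout -issuer -fingerprint -sha256 2>/dev/null \
    | summarize_x509
}

# Compare two "issuer|fingerprint" summaries by fingerprint.
# Returns 0 when the client sees the same certificate both ways, 1 otherwise.
verdict() {
  local direct="$1" proxied="$2"
  if [ "${direct#*|}" = "${proxied#*|}" ]; then
    echo "same leaf certificate on both paths: TLS is not terminated at the proxy"
    return 0
  fi
  echo "different leaf certificates: the proxy terminates TLS with its own cert"
  echo "  direct (origin IP): $direct"
  echo "  via proxy (DNS)   : $proxied"
  return 1
}

# Usage: ./check.sh example.org 203.0.113.10   (constructed placeholder values)
compare_paths() {
  local domain="$1" origin_ip="$2"
  verdict "$(leaf_cert_info "$domain" "$origin_ip")" "$(leaf_cert_info "$domain" "$domain")"
}

if [ "$#" -ge 2 ]; then compare_paths "$1" "$2"; fi
```

Connecting to the bare domain only exercises the proxied path while the DNS record is proxied (orange-cloud); the origin IP path is what a client would see if it bypassed Cloudflare.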

      • Björn@swg-empire.de · 3 upvotes · 2 days ago

        How can they act as a proxy if they can’t terminate the connection? Or what service does that offer?

        I guess they could filter out some connections based on IP addresses. But is that enough for some customers? Or am I overlooking something?

        • chicken@lemmy.dbzer0.com · 3 upvotes · edited · 2 days ago

          “How can they act as a proxy if they can’t terminate the connection?”

          Why wouldn’t they be able to? The DNS record points to Cloudflare’s IP, they forward the traffic to your server’s IP. This is a common choice for self hosting setups because it’s a free service and it is a way to avoid pointing a DNS record at your home IP, which you may not want everyone to know. That doesn’t require decrypting the traffic.

          How this squares with the ddos protection and caching stuff, I’m not sure, but I know I set up SSL locally, did not give Cloudflare the keys, turned off all the options for them to handle it, and everything seems to work.

    • Bilb!@lemmy.ml · 3 upvotes · 2 days ago

      That’s true if you’re proxying your traffic for DDoS protection, but you don’t need to do that to use them as a DNS, if you must.