Much of the point of a CDN is that they can cache responses, and likely also make other changes. I don't see how that could be done without seeing what's inside the request.
Comparing hashes of responses without knowing what is inside wouldn’t work?
No, it would not work. TLS protects against replay attacks by design; the same response (or query) in clear text will not look the same in encrypted traffic.
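As an added illustration (not part of the thread, and no real TLS library involved), the following constructed simulation shows why a cache that can only see ciphertext gets no hits: every session negotiates its own key and every record carries a fresh nonce, so identical plaintext never produces identical bytes on the wire, while a cache that terminates TLS and hashes the decrypted body deduplicates as expected. The toy HMAC-based keystream is a stand-in for the AEAD cipher a real session uses.

```python
import hashlib
import hmac
import os


def toy_keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Constructed counter-mode keystream built from HMAC-SHA256. It only stands
    # in for the per-record AEAD encryption of a real TLS session so that the
    # "fresh key and nonce per connection" property can be demonstrated.
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_record(key: bytes, plaintext: bytes) -> bytes:
    # Fresh random nonce per record, prefixed to the ciphertext.
    nonce = os.urandom(12)
    ks = toy_keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ k for p, k in zip(plaintext, ks))


def decrypt_record(key: bytes, record: bytes) -> bytes:
    nonce, ciphertext = record[:12], record[12:]
    ks = toy_keystream(key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, ks))


def simulate(n_clients: int, body: bytes = b'HTTP/1.1 200 OK\r\n\r\n{"ok":true}') -> dict:
    """Serve the same response body to n_clients and count cache hits for a
    cache that hashes only the encrypted record ("blind") versus one that
    terminates TLS and hashes the decrypted body ("terminating")."""
    blind_seen, terminating_seen = set(), set()
    blind_hits = terminating_hits = 0
    for _ in range(n_clients):
        session_key = os.urandom(32)  # each TLS session negotiates its own keys
        record = encrypt_record(session_key, body)
        # Blind cache: sees only the bytes on the wire.
        digest = hashlib.sha256(record).hexdigest()
        if digest in blind_seen:
            blind_hits += 1
        blind_seen.add(digest)
        # Terminating cache: holds the session key, decrypts, keys on plaintext.
        digest = hashlib.sha256(decrypt_record(session_key, record)).hexdigest()
        if digest in terminating_seen:
            terminating_hits += 1
        terminating_seen.add(digest)
    return {"blind_hits": blind_hits, "terminating_hits": terminating_hits}
```

Running `simulate(100)` yields 0 blind hits and 99 terminating hits; the only way the edge gets a cache hit is by holding the key, which is exactly the decryption the thread is discussing.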
No, as the request headers would be different for things like time.
Ya maybe. Blocks that are hashed perhaps?
Probably not. That’d look a lot like a bunch of load balancers around the world hitting your own backend. There’s generally not a way to cache web data without decrypting it inside the cache.
Why would you want a content delivery network for uncacheable content? Literally the point of a CDN is to cache content and deliver it.

Granted, Cloudflare also does DDOS protection, and that makes sense for an API. For that you could do some DDOS protection without stripping TLS, but it can only protect against volumetric attacks like syn/ack floods and not against attacks that are establishing full TCP connections and overwhelming the app server. (Rate limiting incoming connections can go a long way, but, depending on details, it might still be enough to overwhelm the serving resources; your use case is up to you to understand.)

It seems like having a feedback loop to the DDOS protector could help a lot - i.e. saying how busy you are.

At some level, it's like they become your edge router.

I mean you can even use Cloudflare in a non-MITM manner. You lose a lot of the "value" of a CDN but they support it. Cloudflare Spectrum would be the product.