1

My understanding is that the "orange-cloud" [1] is a TLS terminating reverse proxy. Multiple upstream servers share the same Cloudflare Anycast IP. A TLS connection is formed between the client and the orange-cloud, the orange-cloud then makes forwarding decisions based on SNI (HTTPS header) or Host (HTTP header), and a separate connection is formed between the orange-cloud and the upstream server.

My question is, can the orange-cloud be implemented as a "TLS passthrough reverse proxy, based on SNI" instead? For example, the orange-cloud would not terminate the TLS connection; it would form a TCP handshake between itself and the client, then extract the SNI from the TLS clientHello packet to make its forwarding decision. Is this achievable, given that multiple upstream servers share the same anycast IP, and the hostname is only available at the clientHello, to distinguish packets with ip.dest = anycast IP?

Starfish
  • 11
  • 3
  • Why choose orange at all, if they cannot even inject into the HTTP traffic that their machine learning overlords deem unworthy what I typed with my [human hands](https://xkcd.com/1530/)? – anx Jul 21 '22 at 16:52
  • Thanks for the reply @anx. I'm only mentioning orange as an example, other implementations of such services (TLS terminating reverse proxy, with an Anycast IP to hide real addresses) are fine too. I'm only interested in how these are implemented. – Starfish Jul 21 '22 at 18:34
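The mechanism the question describes, as an added example that is not part of the original post and is not Cloudflare's code: a passthrough proxy needs nothing from the TLS session except the plaintext `server_name` extension (SNI is a TLS ClientHello extension, not an HTTP header), so it reads the first record on the new TCP connection, walks the ClientHello up to the extensions, and picks an upstream from the hostname. The parser below does exactly that against a ClientHello it constructs itself for testing; the routing table and its 10.0.0.x addresses are hypothetical. A real proxy would then splice the two sockets and copy bytes in both directions without ever holding a key, which is also why it cannot inspect or modify the HTTP inside.

```python
"""Forwarding decision of an SNI-based TLS passthrough proxy (added example).

Only the first TLS record is parsed; no decryption, no certificate, no key.
"""
import struct
from typing import Optional, Tuple

TLS_HANDSHAKE = 0x16      # record content type
CLIENT_HELLO = 0x01       # handshake message type
EXT_SERVER_NAME = 0x0000  # server_name extension (RFC 6066)


def extract_sni(data: bytes) -> Optional[str]:
    """Return the SNI hostname from a ClientHello record, or None if absent or malformed."""
    # Record header: type(1) version(2) length(2)
    if len(data) < 5 or data[0] != TLS_HANDSHAKE:
        return None
    rec_len = struct.unpack("!H", data[3:5])[0]
    body = data[5:5 + rec_len]
    if len(body) < rec_len or len(body) < 4 or body[0] != CLIENT_HELLO:
        return None  # truncated record or not a ClientHello
    # Handshake header: type(1) length(3)
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) < hs_len:
        return None
    pos = 2 + 32                                  # client_version + random
    if len(hello) < pos + 1:
        return None
    pos += 1 + hello[pos]                         # session_id
    if len(hello) < pos + 2:
        return None
    pos += 2 + struct.unpack("!H", hello[pos:pos + 2])[0]  # cipher_suites
    if len(hello) < pos + 1:
        return None
    pos += 1 + hello[pos]                         # compression_methods
    if len(hello) < pos + 2:
        return None                               # hello carries no extensions at all
    ext_total = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_total
    if end > len(hello):
        return None
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", hello[pos:pos + 4])
        pos += 4
        ext_data = hello[pos:pos + ext_len]
        pos += ext_len
        if ext_type == EXT_SERVER_NAME and len(ext_data) >= 5:
            # ServerNameList: list_len(2), then name_type(1) name_len(2) host_name
            name_type = ext_data[2]
            name_len = struct.unpack("!H", ext_data[3:5])[0]
            if name_type == 0 and len(ext_data) >= 5 + name_len:
                try:
                    return ext_data[5:5 + name_len].decode("ascii")
                except UnicodeDecodeError:
                    return None
    return None


# Hypothetical routing table: every hostname resolves to the same anycast IP,
# so the SNI is the only thing that tells the backends apart.
ROUTES = {
    "app.example.com": ("10.0.0.10", 443),
    "api.example.com": ("10.0.0.20", 443),
}


def choose_upstream(first_bytes: bytes, routes=ROUTES) -> Optional[Tuple[str, int]]:
    """Pick (host, port) from the first bytes of a client connection.

    None means the proxy should just close the TCP connection: without a
    hostname there is no way to select a backend behind a shared IP.
    """
    sni = extract_sni(first_bytes)
    if sni is None:
        return None
    return routes.get(sni.lower())


def build_client_hello(hostname: Optional[str]) -> bytes:
    """Constructed test input: a minimal TLS 1.2 ClientHello, optionally carrying SNI."""
    exts = b""
    if hostname is not None:
        name = hostname.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name      # name_type host_name
        sn_list = struct.pack("!H", len(entry)) + entry
        exts = struct.pack("!HH", EXT_SERVER_NAME, len(sn_list)) + sn_list
    hello = (
        b"\x03\x03" + bytes(32)                  # version + random (zeros: test only)
        + b"\x00"                                # empty session_id
        + struct.pack("!H", 2) + b"\xc0\x2f"     # one cipher suite
        + b"\x01\x00"                            # compression: null only
        + struct.pack("!H", len(exts)) + exts
    )
    hs = bytes([CLIENT_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return bytes([TLS_HANDSHAKE]) + b"\x03\x01" + struct.pack("!H", len(hs)) + hs


if __name__ == "__main__":
    print(choose_upstream(build_client_hello("app.example.com")))   # ('10.0.0.10', 443)
    print(choose_upstream(b"GET / HTTP/1.1\r\n"))                   # None: not TLS at all
```

The parser answers the "is this achievable" part of the question: the hostname is available before any key exchange, so a proxy on a shared IP can route on it. The two things it cannot do are what the terminating design buys: with no plaintext there is no HTTP-level DDoS filtering or injection, and Encrypted ClientHello, if the client uses it, hides the SNI from this kind of middlebox as well.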

1 Answer

1

There is, but it's not free: https://www.cloudflare.com/products/cloudflare-spectrum/

Their regular proxy intercepts TLS traffic so that they can do their DDOS protection stuff to it. And probably for some data analytics, I haven't read through their entire privacy policies.

Their paid services do offer TLS passthrough.

Grant
  • 17,859
  • 14
  • 72
  • 103
  • Thanks @Grant! Could you explain how such an implementation would work in detail? (e.g. could you answer the last part of my original question) – Starfish Jul 21 '22 at 16:03
  • @Starfish I'm not sure exactly what it is you don't understand. Can you elaborate? – Grant Jul 21 '22 at 19:45