top | item 46100849


shishcat | 3 months ago

This behavior only works when the reverse proxy or CDN is configured like this:

Proxy/CDN: HTTPS (443) → Origin server: plain HTTP (80)

(example: Cloudflare in Flexible mode)

If the origin server uses any proper TLS configuration, even a self-signed certificate, this method stops working. It only succeeds when the upstream connection to the origin is unsecured.

If you want to test this on a random site that is not behind Cloudflare or any reverse proxy, over plain HTTP: curl http://www.digiboy.ir/boobs.jpg -v


mort96 | 3 months ago

Ah, Cloudflare. The world's most widely deployed encryption remover.

bawolff | 3 months ago

Is it really that different than AWS? You either trust your service provider or you don't.

p0w3n3d | 3 months ago

EU should simply do the global surveillance quietly on cloudflare, instead of asking all the countries for the law

</Irony>

spoiler | 3 months ago

To be fair, Cloudflare is also the reason why most sites even have TLS at all, because it offered free certs (through letsencrypt I think?) in a fairly easy to set up way.

Certs used to be expensive, and had way more operational overhead and quirks (even setting up ACME/LE)

ranger_danger | 3 months ago

I don't think this is true... a reverse proxy/CDN can see the full request URL even if the origin server is using TLS (unless you're using mTLS, which almost nobody is), and we don't even know if it's the proxy/CDN or the origin that is filtering based on keywords... but all of them could be doing it.

bobmcnamara | 3 months ago

It'll also work DigiNotar-style, when using the only root CA blessed by the National Information Network for general use: I.R. Iran.

udev4096 | 3 months ago

Interesting. I was just setting up a LB like this: client -> LB (nginx) -> TLS terminate for LB conn -> proxy_pass to backend, which is behind nginx and has separate TLS certs. It's surprisingly easy to configure. Wonder why people still use HTTP at all. Even at home, I have set up LE certs for all local domains.

On a side note, nginx doesn't support HTTP/2 for https load balancing, so I am thinking of switching to haproxy, which supports it.

butvacuum | 3 months ago

Because you've now published your internal machine names. Look up certificate transparency logs.
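An added example, not posted by any commenter in this thread: an nginx configuration for the setup udev4096 describes (the client's TLS terminated at the load balancer, then re-encrypted to a backend that carries its own certificate), with the "Flexible"-style plaintext hop from shishcat's first comment left in as a commented-out contrast. The backend certificate is verified against a private internal CA rather than a public one, so the internal hostnames are never submitted to Certificate Transparency logs, which is the exposure butvacuum raises. All hostnames, addresses and file paths are placeholders, not taken from the thread.

```nginx
# ---- Edge / load balancer -------------------------------------------------
# Terminates the browser's TLS session, then opens a second, verified TLS
# session to the backend. The LB still sees every request in clear text
# (ranger_danger's point): this protects the LB -> backend hop, nothing more.

upstream app_backend {
    server 10.0.0.10:443;                 # placeholder backend address
}

server {
    listen 443 ssl;
    server_name www.example.com;          # placeholder public name (public cert, CT-logged)

    ssl_certificate     /etc/nginx/tls/www.example.com.fullchain.pem;
    ssl_certificate_key /etc/nginx/tls/www.example.com.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    location / {
        # Weak pattern, equivalent to Cloudflare "Flexible": the client sees
        # HTTPS, but the hop to the origin is plain HTTP.
        # proxy_pass http://10.0.0.10:80;

        # Re-encrypt to the backend instead.
        proxy_pass https://app_backend;

        # Without verification, re-encrypting buys nothing against an active
        # attacker on the internal network; any certificate would be accepted.
        proxy_ssl_verify              on;
        proxy_ssl_verify_depth        2;
        proxy_ssl_trusted_certificate /etc/nginx/tls/internal-ca.pem;  # placeholder private CA bundle
        proxy_ssl_name                app.internal.example;            # name the backend cert must carry
        proxy_ssl_server_name         on;                              # send SNI so the backend selects that cert
        proxy_ssl_protocols           TLSv1.2 TLSv1.3;

        # Optional mutual TLS: let the backend refuse anything that is not the LB.
        # proxy_ssl_certificate     /etc/nginx/tls/lb-client.pem;
        # proxy_ssl_certificate_key /etc/nginx/tls/lb-client.key;

        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Real-IP         $remote_addr;
    }
}

# ---- Backend (runs on 10.0.0.10) ------------------------------------------
server {
    listen 443 ssl;
    server_name app.internal.example;     # placeholder; issued by the private CA, so not in CT logs

    ssl_certificate     /etc/nginx/tls/app.internal.example.pem;
    ssl_certificate_key /etc/nginx/tls/app.internal.example.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Pair with the optional proxy_ssl_certificate lines above to require mTLS.
    # ssl_verify_client      on;
    # ssl_client_certificate /etc/nginx/tls/lb-ca.pem;

    # Do not listen on :80 at all; the "Flexible" failure mode needs a plaintext
    # listener to exist.

    location / {
        proxy_pass http://127.0.0.1:8080; # placeholder application port, loopback only
    }
}
```

The check that matters is proxy_ssl_verify together with proxy_ssl_trusted_certificate and proxy_ssl_name: nginx defaults proxy_ssl_verify to off, so a configuration that only changes proxy_pass from http:// to https:// encrypts the hop but accepts any certificate, including one from a machine that has hijacked the backend's address. Validate with nginx -t, then confirm the backend refuses plain HTTP (curl -v http://10.0.0.10/ should fail to connect) and presents the expected issuer (openssl s_client -connect 10.0.0.10:443 -servername app.internal.example).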

huflungdung | 3 months ago

Digiboy is a treasure trove of enterprise software. Where else would I get a pirated hpe ilo license from?