s3和cloudflare灵活的ssl握手 [英] s3 and cloudflare flexible ssl handshakes
问题描述
我想知道此配置的安全性。因此,我有两台服务器,一台用于服务于已编译的静态spa的前端,一台用于充当api的后端。每个人都有来自letencrypt的证书。
我正在尝试通过cloudflare运行前端和s3虚拟主机(cdn.website.com-cname)。
因此,根据我对灵活性的理解,用户和cloudflare之间存在加密,但是cloudflare和服务器之间没有加密。因此,当人们访问该网站时,他们正在cloudflare上使用该网站的缓存版本。因此,这是安全的。那么当cloudflare需要从我的服务器中提取资产时,那是不安全的部分吗?如果我的服务器有证书,则cloudflare会在检索它时使用ssl吗?
因此,在上述内容中,与cloudflare的ssl连接是安全的,因此在通话时它在哪里变得不安全到我的服务器?由于我的api服务器的dns不在cloudflare上,这是否仍会通过ssl / tls发送?
对于图像,为什么在使用flexible时会出现ssl,而在使用full时却出现错误?这是否是由于来自亚马逊的原始拉力是不安全的,但是一旦缓存在cloudflare上,由于人们只遇到cloudflare,它就变得安全了吗?
我想我对A)握手在哪里/何时发生以及B)在哪里感到困惑感到困惑。这些握手发生了吗?
看看cl的FAQ,一切都很好地解释了
因此,根据我的理解,灵活用户和cloudflare之间进行了加密,但是cloudflare和服务器之间没有进行加密。因此,当人们访问该网站时,他们正在cloudflare上使用该网站的缓存版本。因此,这是安全的。那么,当cloudflare需要从我的服务器中提取资产时,是不安全的部分吗?
是。
如果我的服务器有证书,cloudflare会在检索它时使用ssl吗?
是的,具有完整的ssl-不严格!
因此,在上面,与cloudflare的ssl连接是安全的,所以它在哪里变成与服务器对话时是否不安全?
在cf和您的服务器之间。
由于我的api服务器的dns不在cloudflare上,这是否仍会通过ssl / tls发送?
尽管有dns,但通过cf的tls的流量却通过了,不是吗?因此,这取决于您的服务器配置。
对于图像,为什么在使用flexible时出现ssl,但是在使用full时却出现错误?
如果您不在tls上强制使用s3存储桶,而是使用cl和full ssl strict,则会出现错误。因此切换到完全SSL并不严格。或为您的s3获得有效的证书。
这样做有什么含义或有多不安全?
灵活的SSL:如果您的网站上有任何敏感信息,则不建议使用此选项。
I'm wondering how secure this configuration is. So I have two servers, one for the frontend which serves a compiled static spa, and one for the backend which acts as an api. Each have their own cert from letsencrypt.
I'm trying to run my frontend and s3 virtualhost (cdn.website.com - cname) through cloudflare.
So from what I understand with the flexible, there's encryption between the user and cloudflare, but there's no encryption between cloudflare and the server. So when people hit the site, they are using a cached version of the site on cloudflare. So this is secure. So is the insecure part when cloudflare needs to pull the asset from my server? If my server has a certificate, would cloudflare use sslwhen retrieving it?
So in the above, the ssl connection to cloudflare is secure, so where does it become insecure when talking to my server? Since I don't have my api server's dns on cloudflare, would this still end being sent over ssl/tls?
For the images, why does ssl appear when using flexible, but gives an error when using full? Is this due to the original pull from amazon being insecure, but once cached on cloudflare, it becomes secure as people only hit cloudflare? What are the implications, or how insecure, is doing such?
I guess I'm confused on A) where/when are the handshakes occuring, and B) how are these handshakes occuring?
Take a look at the FAQ from cl, everything is pretty well explained here.
So from what I understand with the flexible, there's encryption between the user and cloudflare, but there's no encryption between cloudflare and the server. So when people hit the site, they are using a cached version of the site on cloudflare. So this is secure. So is the insecure part when cloudflare needs to pull the asset from my server?
Yes.
If my server has a certificate, would cloudflare use ssl when retrieving it?
Yes, with full ssl - not strict!
So in the above, the ssl connection to cloudflare is secure, so where does it become insecure when talking to my server?
Between cf and your server.
Since I don't have my api server's dns on cloudflare, would this still end being sent over ssl/tls?
Despite the dns, goes the traffic through cf for tls, no? So it depends on your server config.
For the images, why does ssl appear when using flexible, but gives an error when using full?
If you don't force the s3 bucket on tls and using cl with full ssl strict, you will get an error. So switch to full ssl not strict. Or get a valid cert for your s3.
What are the implications, or how insecure, is doing such?
Flexible SSL: This option is not recommended if you have any sensitive information on your website.
这篇关于s3和cloudflare灵活的ssl握手的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
