I’ve been wrestling with the idea of whether it is wise to allow your Vault HTTP endpoint to be accessed in line with our Cloudflare configuration.
The cons as I see it:
i) Mandatory TLS inspection including payload body
ii) No way to stop that unless you disable SSL for the entire domain.
I’m learning and reading most of the Vault documentation, but I wonder if anyone could set me on a good path as to this issue and how it could be mitigated. Basically it’s a case of expecting that the TLS connection is not publicly accessible, but it is accessible to Cloudflare, and assuming they can see every request and decrypt it, what can be done?
(Not implying Cloudflare is doing anything malicious, more just good standards on our part.)