Ask HN: How to protect users from Cloudflare and server from users?

1 pointsngiyabonga3y ago2 comments

I'm building a privacy centric React app that does all the work client side, using a server only for the static files required for the app to run.

I don't want to expose users to Cloudflare or similarly gag-order / mitm prone services that could theoretically intercept and alter client code that reaches users' browsers. At the same time, I don't want to expose the servers hosting the static files to the world. What are some options to achieve both goals?

2 comments

2 comments · 1 top-level

Bender3y ago· 1 in thread

TL;DR consider making your own mini-CDN. This is an expensive route to go

One could acquire VPS nodes in multiple VPS providers around the world and use something like HAproxy to be the outer-ring of protection and NGinx as a middle ring of memory caching on a different set of VPS accounts and use Wireguard to encrypt the traffic between nodes. Use a different VPS/server provider for your React nodes. Not perfect but perfect is the enemy of good so I am told. It's a bit of work but I think at least attempts to mitigate your concerns. Using something like UltraDNS one could serve up the closest cache node to the visitor via DNS. Not as good as Anycast but only a couple VPS providers support Anycast.

ngiyabongaOP3y ago

Thank you. You got me down quite the rabbit hole. Exploring having a server I control act as Wireguard server and have a VPS act as a client to proxy requests from the outside world inside the tunnel on NGinx machine(s). Been reading into subresource integrity in the browser as well, that seems like it may prevent tampering at another level as well (ISP?). Again, thank you.

j / k navigate · click thread line to collapse