ZCS Webmail via CDN, Cloudflare, Cloudbric, Incapsula - anyone tried?

Discuss your pilot or production implementation with other Zimbra admins or our engineers.
Labsy
Outstanding Member
Posts: 411
Joined: Sat Sep 13, 2014 12:52 am

ZCS Webmail via CDN, Cloudflare, Cloudbric, Incapsula - anyone tried?

Post by Labsy »

Hi,

I am thinking about adding an extra layer of security by piping Zimbra Webmail via one of the CDN providers, like Cloudflare, Cloudbric, Incapsula or similar. All those provide decent protection and traffic even with a free plan.
But as they proxy and possibly rewrite some code on delivery to the end-user... well, anyone tried?
phoenix
Ambassador
Posts: 27278
Joined: Fri Sep 12, 2014 9:56 pm
Location: Liverpool, England

Re: ZCS Webmail via CDN, Cloudflare, Cloudbric, Incapsula - anyone tried?

Post by phoenix »

Probably a silly question but how does what you're describing give you any more 'security'?
Regards

Bill

Rspamd: A high performance spamassassin replacement

Per ardua ad astra
JDunphy
Outstanding Member
Posts: 901
Joined: Fri Sep 12, 2014 11:18 pm
Location: Victoria, BC
ZCS/ZD Version: 9.0.0_P39 NETWORK Edition

Re: ZCS Webmail via CDN, Cloudflare, Cloudbric, Incapsula - anyone tried?

Post by JDunphy »

phoenix wrote: Probably a silly question but how does what you're describing give you any more 'security'?
It could... Cloudflare has FW options that can put up captchas when under attack before the origin server pages if they detect unusual activity. They can also geo block by regions you pick. A quick look at the FW tab shows me these sections:
Rate Limiting, FW rules, Security level, Challenge Passage, User Agent Blocking, zone lockdown, Access rules, DDoS Mitigation, Firewall Events (WAF) rules, etc.

Because all traffic comes from their IP space, you would FW block your public access and allow them incoming access. That means if you are doing anything yourself (custom) or with DosFilter, you need to fix that or you will penalize the Cloudflare IP space. If you have ever been stopped with "I think you're a robot or we noticed unusual activity from you", that is most likely a Cloudflare false positive. I have used them for websites in the past but never for Zimbra.
I now use them for most of my DNS hosting without any caching and I tried their new registrar services this week. That is at cost, so only $7.85 (Network Solutions for maintaining root name servers) and $0.18 for ICANN for a .com name. I use them as a hedge for DDoS protection. It also makes it easy to implement some advanced features like DNSSEC or running IPv6 at the perimeter and IPv4 at the origin. They import/export BIND format zone files, so you are not locked in.

I use nginx in proxy mode with WAF myself for other things. It was a pain to get right and I initially broke the websites in mysterious ways. I guess my biggest concern is that this is email, so if they cache or leak ZM_AUTH_TOKEN, an attacker would have full access to the user's email. That TLS endpoint would be them and they would either connect via TLS or HTTP back to the origin server (Zimbra). So it's a privacy concern that gives me pause from trying this with my own email. In theory, it should work because nginx is already acting as a proxy for mailboxd. I think it probably would work out of the box, as Cloudflare is also using nginx, I thought. Not sure what they could cache, if anything, the more I think of this, other than some JS, CSS, and a few images, but it could enhance perimeter security if one doesn't have a lot of custom things already. Interesting question.
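The DosFilter point above (custom throttling penalising the CDN's whole address space once every connection arrives from it) as an added example, not code from this thread or from Zimbra: the origin keys throttling on the client address the CDN forwards, but only when the TCP peer really is the CDN, so a direct hit carrying a forged header cannot dodge rate limiting, and any direct connection is reported as a firewall bypass. The CDN ranges and the request records are constructed placeholders (the real list comes from the provider), and CF-Connecting-IP is assumed as the forwarding header.

```python
import ipaddress

# Constructed placeholder ranges standing in for the CDN's published egress
# networks; the real list comes from the provider and must be kept current.
CDN_EGRESS = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.0/24")]

# Header assumed to carry the real client address (CF-Connecting-IP for Cloudflare).
CLIENT_HEADER = "CF-Connecting-IP"


def from_cdn(peer: str) -> bool:
    """True when the TCP peer is one of the CDN's egress addresses."""
    addr = ipaddress.ip_address(peer)
    return any(addr in net for net in CDN_EGRESS)


def effective_client_ip(peer: str, headers: dict) -> str:
    """Address that throttling (DosFilter-style) logic should key on.

    The forwarding header is trusted only when the hop is the CDN; on a
    direct connection it could be forged to evade per-client limits.
    """
    if from_cdn(peer):
        forwarded = headers.get(CLIENT_HEADER, "").strip()
        try:
            return str(ipaddress.ip_address(forwarded))
        except ValueError:
            pass  # missing or malformed header: fall back to the peer address
    return peer


def classify(records):
    """Return (hits per effective client, peers that bypassed the CDN)."""
    per_client, bypass = {}, []
    for rec in records:
        client = effective_client_ip(rec["peer"], rec["headers"])
        per_client[client] = per_client.get(client, 0) + 1
        if not from_cdn(rec["peer"]):
            bypass.append(rec["peer"])  # should have been dropped at the firewall
    return per_client, bypass


# Constructed sample requests: two via the CDN from one client, one direct
# connection with a spoofed header, one direct connection with no header.
SAMPLE = [
    {"peer": "192.0.2.10", "headers": {CLIENT_HEADER: "203.0.113.5"}},
    {"peer": "192.0.2.11", "headers": {CLIENT_HEADER: "203.0.113.5"}},
    {"peer": "203.0.113.77", "headers": {CLIENT_HEADER: "10.0.0.1"}},
    {"peer": "203.0.113.78", "headers": {}},
]

if __name__ == "__main__":
    print(classify(SAMPLE))
```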