An app currently uses Cloudflare Spectrum (TCP passthrough) for DDoS mitigation. This forwards over the internet to AWS (Toronto), where nginx handles TLS termination with a Lua OpenResty extension (for some 60k custom domains). Next, on to a small set of non-clustered Varnish instances handling cache, and finally, a Rails app.
I’d like to look into how Fly could improve this setup. A few questions:
- Should moving TLS termination to the edge help speed up connection time?
- Would it theoretically be faster to pass the unencrypted traffic to the core app through your network instead of using the current path over the internet of Cloudflare->openresty?
- I read your article on the 5-hour CDN, which seems like it would apply here for also moving cache to the edge. I’m interested in this because of the exorbitant quotes from CDN providers for hosting 60k custom domains. What would be a good way to estimate Fly costs given N specific regions?
- Related to 3: This app could be simplified by removing the TLS handling, but as mentioned, that comes at a high cost compared to the zero cost of LE certs used today. Would a volume discount be applicable for an application with this number of custom certs?
- Do you offer the same or similar kinds of DDoS mitigation as companies like Cloudflare or Fastly?
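For readers unfamiliar with the "nginx + Lua for 60k custom domains" part of the setup described above, here is an added example of how that kind of per-domain TLS termination is typically done in OpenResty: a `ssl_certificate_by_lua` handler picks the certificate for each handshake from the SNI name, with the PEM material cached in a shared dictionary. This is illustrative code, not the poster's actual extension; it assumes a certificate directory laid out as `<domain>.crt` / `<domain>.key` (the on-disk layout, the `cert_cache` dictionary name and the `CERT_DIR` path are all assumptions), and it refuses to serve a handshake for an SNI name it has no certificate for rather than falling back to a default certificate.

```lua
-- Added example (not the original poster's code): SNI-driven certificate
-- selection in OpenResty. Assumed nginx.conf fragment:
--
--   http {
--     lua_shared_dict cert_cache 64m;
--     server {
--       listen 443 ssl;
--       # nginx requires a static cert/key even when Lua overrides them;
--       # these placeholders are never handed to clients by the handler below.
--       ssl_certificate     /etc/nginx/placeholder.crt;
--       ssl_certificate_key /etc/nginx/placeholder.key;
--       ssl_certificate_by_lua_file /etc/nginx/lua/sni_cert.lua;
--     }
--   }
--
-- Contents of /etc/nginx/lua/sni_cert.lua:

local ssl   = require "ngx.ssl"
local cache = ngx.shared.cert_cache

local CERT_DIR  = "/etc/nginx/certs"   -- assumed: <domain>.crt and <domain>.key per custom domain
local CACHE_TTL = 3600                 -- seconds; bounded so renewed (e.g. Let's Encrypt) certs are picked up

local function read_file(path)
  local f = io.open(path, "r")
  if not f then return nil end
  local data = f:read("*a")
  f:close()
  return data
end

-- The SNI value is attacker-controlled input that becomes part of a file path,
-- so only accept plain RFC 1123 hostnames (no slashes, no "..", no empty labels).
local function valid_hostname(name)
  if #name == 0 or #name > 253 then return false end
  if name:find("%.%.", 1) then return false end
  return name:match("^[%w][%w%-%.]*%w$") ~= nil
end

local function load_cert_from_store(domain)
  local cert = read_file(CERT_DIR .. "/" .. domain .. ".crt")
  local key  = read_file(CERT_DIR .. "/" .. domain .. ".key")
  if not cert or not key then return nil end
  return cert, key
end

local function abort(reason, err)
  ngx.log(ngx.INFO, "TLS handshake aborted: ", reason, err and (": " .. err) or "")
  return ngx.exit(ngx.ERROR)   -- in ssl_certificate_by_lua this aborts the handshake
end

local server_name, err = ssl.server_name()
if not server_name then
  return abort("no SNI in ClientHello", err)
end
server_name = server_name:lower()
if not valid_hostname(server_name) then
  return abort("rejected SNI value")
end

-- Serve from the shared cache first; fall back to the store on a miss.
local pem_cert = cache:get(server_name .. ":crt")
local pem_key  = cache:get(server_name .. ":key")
if not pem_cert or not pem_key then
  pem_cert, pem_key = load_cert_from_store(server_name)
  if not pem_cert then
    return abort("no certificate for " .. server_name)
  end
  cache:set(server_name .. ":crt", pem_cert, CACHE_TTL)
  cache:set(server_name .. ":key", pem_key, CACHE_TTL)
end

-- Replace the placeholder certificate with the per-domain one.
local ok, cerr = ssl.clear_certs()
if not ok then return abort("clear_certs failed", cerr) end

local cert_chain, perr = ssl.parse_pem_cert(pem_cert)
if not cert_chain then return abort("bad PEM certificate for " .. server_name, perr) end
ok, cerr = ssl.set_cert(cert_chain)
if not ok then return abort("set_cert failed", cerr) end

local pkey, kerr = ssl.parse_pem_priv_key(pem_key)
if not pkey then return abort("bad PEM private key for " .. server_name, kerr) end
ok, kerr = ssl.set_priv_key(pkey)
if not ok then return abort("set_priv_key failed", kerr) end
```

Two design points worth noting for a deployment of this size: the shared dictionary can only hold strings, so the PEM is re-parsed on every handshake; production setups usually add a per-worker `lua-resty-lrucache` of the parsed cdata objects in front of it. And because Spectrum is a TCP passthrough, this nginx layer is where TLS is actually terminated, which is exactly the piece the questions above ask about moving to the edge.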