Ebbflow provides a client that you can use to easily serve your endpoint; see details of that here.
It works by routing your endpoint to ebbflow through DNS using an A record,
or a CNAME record for non-root domains. Clients will request your website,
example.com, and DNS will direct them to ebbflow. Ebbflow then sees that the connection is for
example.com, and routes the client connection to one of your server connections.
Servers host endpoints by establishing a TLS connection to ebbflow, using SNI to indicate which endpoint to host, and using TLS Client Authentication to prove to ebbflow that you are allowed to serve the given endpoint.
In practice, this connection is made using the client (see instructions there), or manually.
To manually serve an endpoint, which is what the client does, establish a TLS connection to
ebbflow.io:7070. Additionally, you must do two things:
When using Managed or Hosted endpoints, data is encrypted between the client and Ebbflow, decrypted, then re-encrypted to be passed between Ebbflow and your server. This is because there is one TLS connection between the client and Ebbflow, and another between Ebbflow and your server. There is a short time in the middle where the data is not encrypted, but the data only lives in the memory of the Ebbflow server process and is not inspected at all.
Alternatively, you can use a Passthrough endpoint. In this case, Ebbflow just peeks at the ClientHello of the Client (never any data), and then forwards ALL bytes through the Ebbflow-Server TLS connection. This means that Ebbflow's servers are never able to view the plaintext communications. The side-effect is that the data that is passed through the Ebbflow-Server TLS connection is TLS data itself, so the data received through this connection must be treated as TLS data. This results in having to host the TLS certificate of your endpoint on each server.
In the future, the client will be able to host your on-server certificates, but as of now, you must perform the TLS handshake yourself on the data that the ebbflow client receives and forwards to your web server.
To create an endpoint, you must be logged in. Head to the create endpoint page and make the first choice - what type of Client certificate management you want.
You must change the DNS records of the endpoint you want to host to point to ebbflow. If you are hosting a root domain, e.g. example.com (no subdomains), then you must use the A record to point to ebbflow's IP address:
188.8.131.52. If you are not using a root record and are using a subdomain, then you can use a CNAME to point to
Note: Wildcard DNS records are not supported.
Instructions are located in the Endpoint Detail page for one of your endpoints. Verification is needed so you cannot squat a domain in case the owner of that domain later adopts Ebbflow. Also, it allows you to verify that your traffic is set up to hit Ebbflow properly.