
How our CDN relay works

In Aster, we have a setting called Connection. It has two options:

  • Direct (the default)
  • CDN Relay

This one is not about encryption, and it is not about where your files are stored. It is about how your device reaches our servers over the network. It changes the path your traffic takes to get to us and nothing else, so it is worth being clear about what each option does, and what it does not do.

Direct

Direct is the default option when you create your account. Your client opens a connection to our server and talks to it from there. With Direct enabled, there is nothing sitting in between, which makes it the fastest option. The trade-off is the connection itself. Whenever your device connects to us, our edge sees your IP address at that moment, the same way any site you visit does. We do not store this IP address, and our audit logs only ever keep a keyed hash of it, never the address itself. Rate limiting holds the raw value in memory only briefly, for the length of the rate-limit window, and then drops it.

CDN Relay

CDN Relay puts a relay in front of us. Instead of reaching our API directly, your client talks to our relay, which runs on Cloudflare’s network. The relay passes your request through to our backend and hands the response back to you.

The point of this is not speed, it’s reach. Your traffic travels over the same network that carries a large share of the web, so it is harder to single out and harder to block. Blocking it means blocking way more than just Aster. If the direct path to us is ever filtered or unreliable where you’re located, then CDN Relay is probably the best way to go.

What the relay does not do

We want to be clear about one thing because it is quite easy to assume the opposite. The relay does not hide your IP address from us.

When a request comes through the relay, the relay reads your real IP address and forwards it to our backend, along with a header containing a secret that only our servers hold, so a client is unable to forge it. Our backend then treats that IP address exactly the way it would on a direct connection:

  • Hashed for abuse detection
  • Held in memory for rate limiting
  • Never stored in plain text
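
One way a backend could implement this handling, as an added example rather than Aster's own code. The header names, the secret and key values, and the sample addresses in it are assumptions constructed for illustration.

```python
import hashlib
import hmac
import ipaddress

# Assumed names and values, not taken from Aster's code base.
RELAY_SECRET_HEADER = "x-relay-secret"    # hypothetical header carrying the relay secret
RELAY_IP_HEADER = "x-relay-client-ip"     # hypothetical header carrying the client IP
RELAY_SECRET = b"constructed-relay-secret"       # placeholder; load from a secret store
AUDIT_HASH_KEY = b"constructed-audit-hash-key"   # placeholder; distinct from the relay secret


def client_ip(headers: dict, peer_ip: str) -> str:
    """Return the address to attribute a request to.

    The forwarded address is honoured only when the request also carries
    the relay secret. Without it the header is ignored and the socket peer
    address is used, so a client on the direct path cannot forge its IP.
    """
    h = {k.lower(): v for k, v in headers.items()}
    presented = h.get(RELAY_SECRET_HEADER, "").encode()
    # Constant-time comparison: response timing leaks nothing about the secret.
    if not hmac.compare_digest(presented, RELAY_SECRET):
        return peer_ip
    try:
        # Validate and normalise; a malformed value falls back to the peer.
        return str(ipaddress.ip_address(h.get(RELAY_IP_HEADER, "").strip()))
    except ValueError:
        return peer_ip


def audit_hash(ip: str) -> str:
    """Keyed hash of the IP, the only form that reaches the audit log.

    HMAC-SHA256 is used as the keyed hash here (an assumption). The key
    matters: the IPv4 space is small enough that an unkeyed hash could be
    reversed by hashing every possible address.
    """
    return hmac.new(AUDIT_HASH_KEY, ip.encode(), hashlib.sha256).hexdigest()
```
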

The relay changes who along the way can see that you are using Aster.

If your goal is to keep your IP hidden from us as well, you can run Aster over either Tor or a trusted VPN.

It is a narrow door, on purpose

The relay is not an open proxy. It only accepts requests coming from the Aster web app and our own desktop and mobile clients, and it turns everything else away. It also caps how large a request can be, and it forwards a fixed list of headers in each direction without doing anything else. It exists to carry your traffic to us and do nothing else with it.
