Oblivious HTTP Relay
Last updated 2023-05-31
The Fastly Oblivious HTTP Relay (OHTTP Relay) implements the relay portion of the Oblivious HTTP specification, which allows you to create an OHTTP-compliant service using Fastly. It can be used to build double-blind privacy-enabled Fastly services that transmit requests and responses without direct knowledge of personally identifiable information linked to customers.
Oblivious HTTP is a protocol for forwarding encrypted messages via HTTP. Specifically, OHTTP facilitates the transmission of an encrypted, encapsulated message to an HTTP endpoint from a client to a gateway through a trusted relay service, without delivering identifying information about the end user who made the request or other information that is unnecessary for request processing. Fastly's Oblivious HTTP Relay acts as that relay service.
Using Oblivious HTTP, encrypted messages are created by a client and forwarded via HTTPS to a trusted relay, in this case, Fastly's OHTTP Relay. That relay then forwards it via HTTPS to a gateway. The gateway then removes any request encryption and generates an encrypted response to the original request, forwarding it to a target without ever exposing the client originally making the request.
Fastly's OHTTP Relay product serves as the relay portion of the Oblivious HTTP transmission process. Specifically, the Fastly OHTTP Relay does the following:
- Routes requests and responses. The OHTTP relay routes encrypted, encapsulated messages and corresponding responses between clients and configured backends (OHTTP Gateways).
- Performs simple request and response validation. The OHTTP relay performs simple request and response validation, which you can specify. For example, OHTTP can confirm the message's content type, that the request was received via HTTPS, and that the request was received with a known host and path that maps to a known backend endpoint.
- Removes non-essential request information. The OHTTP relay strips all request headers except those that are required for the correct operation of the Fastly service or that must be passed to the OHTTP Gateway. At your request, Fastly can configure specific headers as long as they don't contain personally identifiable information.
To maintain the privacy hygiene of messages and their corresponding responses, OHTTP Relay will not permit the following:
- You will not be able to use the web interface or API to control your OHTTP-enabled service configuration. After the OHTTP-enabled service is created, you must contact Fastly to make modifications to the service configuration.
- You cannot decrypt encapsulated messages. No visibility or introspection into the nature of the end user request is possible within Fastly's OHTTP Relay. Fastly does not have the keys to decrypt messages.
- You will not be able to log any personally identifiable information. No personally identifying data is available for log delivery.
To implement Fastly's OHTTP Relay, you must contact Fastly at firstname.lastname@example.org to begin the onboarding process. As part of that process, you will be expected to provide Fastly's Professional Services team with a frontend hostname for the relay service and a backend hostname for the gateway service through which headers will pass.
In addition, you can also request the inclusion of additional HTTP headers beyond
Host that should not be stripped from requests and responses during validation. If you specify additional headers, you must confirm that they will not contain personally identifiable information that can be linked to customers.
Our Professional Services staff will use this information to guide you through the onboarding process as part of the initial setup and configuration process for your Fastly service.
Once your service configuration settings are confirmed, they will be enabled for you by Fastly. You will have a Fastly account created for you and will be assigned the role of User so that you can view real-time and historical stats about your service. As a standard User, you will not be able to directly control and make changes to your OHTTP-enabled service. Requests for service configuration changes can be submitted directly to Fastly via email@example.com.
We bill you for OHTTP Relay based on a combination of bandwidth (per GB) and requests (per 10,000) for content delivered to clients from Fastly and then for bandwidth for traffic sent from Fastly to your customers' origin.