ASN Header

I’m currently getting visitors’ autonomous system numbers by doing a lookup when they connect to the socket. However, because I have some ASNs blocked in CF, it must be the case that CF’s system is already doing this lookup?

Is it not possible to pass that lookup result to the headers (similar to HTTP_CF_IPCOUNTRY) and save on resources?

Thanks.

Cloudflare’s systems can block complete network ranges just by adding the AS to block access to your content.

Not sure if I got it right:
You want Cloudflare to provide you with the ASNs? For what reason? (technical background) :thinking: Help me, please :see_no_evil:

I mean, either you block specific ranges, or allow access. If you block it, the request will never reach your servers. I guess Cloudflare will not provide the result to you.

Why would you guess that they wouldn’t?

I mean you can block by country code too, but they still provide the HTTP_CF_IPCOUNTRY.

The reason I do the lookup myself is because I may not want to challenge or block the ASN, but I still want to know if the ASN is in my own list of VPN, Cloud hosting, or even residential ISP networks, should I decide to allow different functionality or restrictions to those that are either whitelisted or blacklisted (or let us say greylisted).

No special reason. Just a “feeling” :slight_smile:

Now it makes sense to me. First I thought you meant the ASN of blocked requests.
note to myself: stupid :joy:

I for myself do this locally, but for Spam Assassin.

I actually feel that they may not too :slight_smile: … but more so because it seems like a custom request that might not be widely used (unlike the country code).

Worst case is that I just carry on as I am, but in the interest of efficiency, it would be nice.

This is available to our enterprise customers, the same could probably be accomplished using Cloudflare workers which is a feature currently in beta.

Enterprise definitely isn’t an option for this specific (non-revenue) site, but out of interest is there a page/link with detailed lists of extras for different packages that I can view?

I’ve read the compare features/plans page Our Plans | Pricing but I couldn’t see anything about headers and such.

I was going to make another product request, but now I’m reluctant to because it may just exist on another plan.

Please feel free to make any product requests you think of. Sometimes the feature differentiation between plans is uh… not rational… so there is always the possibility that feedback could change the mix on plan types.

There are a number of differences between our enterprise plan vs. other plans. Some of them are subtle, some obscure and some seemingly random. The most common ones I tend to discuss when working with my enterprise customers and partners are host header overrides and resolve overrides using page rules. Also, access to our enterprise log share (ELS) for detailed logging on requests.

The others can be more subtle and variable, such as increases in http timeouts, max file size uploads and maximum file size we will cache. Or custom code running on our edge to do something like sending the ASN in a header.

Sorry I couldn’t give you a cleaner answer, but please give us feature suggestions and use cases. I have sent links to a number of such requests to our product teams and developers to chew on since the forum launched.

1 Like

It’s two years later, but I had this exact same requirement. I was able to add an HTTP-X-ASN header to each request using the Worker code below (works on all CF plans). In my PHP server-side code, I can now do things with this ASN by fetching it out of the headers.

There’s an object available called request.cf that has an attribute asn that has the AS number of each request. See this page for more info: Request · Cloudflare Workers docs

You add the worker to your account (it’s global, not per domain) and then in each domain, add a ‘route’ and assign this worker to it. It takes effect almost immediately. Also note that the request.cf object does not work in the Worker sandbox, it will generate errors. But it works in production.

Worker code:

indent addEventListener('fetch', event => {
  event.respondWith(handleRequest(event.request))
})

async function handleRequest(request) {
  // Make the headers mutable by re-constructing the Request.
  const newRequest = new Request(request)
  newRequest.headers.set('X-ASN', request.cf.asn)
  return await fetch(newRequest)
}
4 Likes
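
Added example, not part of the original post or Cloudflare's own code: a variant of the Worker above that discards any X-ASN value sent by the client and copes with `request.cf` being absent, as it is in the preview sandbox. The header name comes from the post; the helper name `withAsnHeader` is an assumption made for illustration.

```javascript
// Added example. Header name is from the post; withAsnHeader is a hypothetical helper.
const ASN_HEADER = 'X-ASN';

// Return a copy of the request whose X-ASN header reflects only what the
// edge reports. A value supplied by the client is removed first, so the
// origin never sees a header the Worker did not write.
function withAsnHeader(request) {
  const out = new Request(request);           // copy so the headers are mutable
  out.headers.delete(ASN_HEADER);             // drop any client-supplied value
  const asn = request.cf && request.cf.asn;   // request.cf is missing in the sandbox
  if (Number.isInteger(asn) && asn > 0) {
    out.headers.set(ASN_HEADER, String(asn));
  }
  return out;                                 // no header at all means "ASN unknown"
}

// Register the handler only where the Workers runtime provides it, so the
// file can also be loaded under plain Node for testing.
if (typeof addEventListener === 'function') {
  addEventListener('fetch', event => {
    event.respondWith(fetch(withAsnHeader(event.request)));
  });
}
```

The origin should treat a missing or non-numeric X-ASN as unknown rather than as trusted. Whenever the Worker is not in the request path, nothing strips a header the client sent itself.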

biz1, I’m going to take a close look at this, thank you for the new information.

This would still very much be a nice function to have for me.

Edit —

My only initial concern right now with this method is the 100k per day limit on the free option. It says that it will error if it is exceeded, so I’m wondering what effect that error would have on the site as a whole and whether I can catch it for a fall-back solution.

Also a warning – if your site(s) using Workers use more than 100,000 requests per day, you’ll have to upgrade to the $5/month plan for up to 10,000,000 requests per month, which I upgraded to.

Another important tip - when setting up your route using the free plan, there are two options when you run out of free daily requests – fail BLOCK or fail ALLOW. As soon as you run out of daily requests and your Worker is set to FAIL BLOCK, – ALL REQUESTS TO YOUR WEBSITE will be blocked. Make sure you have it set to FAIL ALLOW.

1 Like

Is this code still working?

When I copy and paste it in the worker, I receive an error:

Uncaught (in response) SyntaxError: Unexpected identifier

Any idea?
Thanks

Yes, it works. As I noted in my post above:

"Also note that the request.cf object does not work in the Worker sandbox, it will generate errors. But it works in production."

I suggest you put it into production and see if the HTTP-X-ASN tag is being included in your request headers.

Wow, thanks for your fast answer.

I had to remove the “indent” and it worked once deployed.

Wow, I guess CF changed their worker syntax. I copied that from other worker code examples.

+1

I’ve wanted to see the ASN in the header for years. When my server gets hit hard from a distribution of IPs, it would be so helpful if I could quickly scan the log and see if they’re all from the same ASN. Cloudflare surely knows the ASN when it’s generating the request headers to my origin server, because it’s been available to my firewall rules, just like the country is. It seems like it would be an easy, security-oriented feature to add. I can see why Cloudflare might not want to include this functionality, in order to keep the additional revenue from having to implement it in a worker, or to force an upgrade to the Enterprise plan.
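
Added example, not part of the original thread: the log scan described above, assuming the origin appends the X-ASN value to each access-log line as a trailing `asn=<number>` field (`asn=-` when the header was absent). The log layout, the sample lines and the function names are constructed for illustration.

```javascript
// Constructed sample: access-log lines with the ASN appended as asn=<n>.
// Addresses and AS numbers come from the ranges reserved for documentation.
const SAMPLE_LOG = [
  '198.51.100.7 - - [10/Oct/2023:13:55:01 +0000] "GET /login HTTP/1.1" 200 512 asn=64500',
  '198.51.100.23 - - [10/Oct/2023:13:55:01 +0000] "GET /login HTTP/1.1" 200 512 asn=64500',
  '203.0.113.9 - - [10/Oct/2023:13:55:02 +0000] "GET / HTTP/1.1" 200 2048 asn=64511',
  '198.51.100.88 - - [10/Oct/2023:13:55:02 +0000] "GET /login HTTP/1.1" 200 512 asn=64500',
  '192.0.2.44 - - [10/Oct/2023:13:55:03 +0000] "GET /about HTTP/1.1" 200 900 asn=-',
  '198.51.100.140 - - [10/Oct/2023:13:55:03 +0000] "GET /login HTTP/1.1" 200 512 asn=64500',
];

// Group hits by ASN and report, per ASN, the hit count, the number of
// distinct client IPs and the share of all parsed requests.
function summarizeByAsn(lines) {
  const stats = new Map();
  let total = 0;
  for (const line of lines) {
    const m = /^(\S+) .* asn=(\d+|-)$/.exec(line);
    if (!m) continue;                          // skip lines in another format
    total++;
    const key = m[2] === '-' ? 'unknown' : 'AS' + m[2];
    const s = stats.get(key) || { hits: 0, ips: new Set() };
    s.hits++;
    s.ips.add(m[1]);
    stats.set(key, s);
  }
  return [...stats.entries()]
    .map(([asn, s]) => ({ asn, hits: s.hits, distinctIps: s.ips.size, share: s.hits / total }))
    .sort((a, b) => b.hits - a.hits);
}

// Return the top ASN if it accounts for at least minShare of the traffic,
// i.e. many source IPs that all belong to one network; otherwise null.
function dominantAsn(lines, minShare = 0.6) {
  const [top] = summarizeByAsn(lines);
  if (!top || top.asn === 'unknown' || top.share < minShare) return null;
  return top;
}

console.log(summarizeByAsn(SAMPLE_LOG), dominantAsn(SAMPLE_LOG));
```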

I mean, you can do it in a Transform Rule which you get 10 of on the free plan?

The field is ip.geoip.asnum. Using a Worker is overkill for this & a waste of money IMO.

5 Likes
