Billing and responsibility of proxied requests

I want to offer a worker-as-a-service to other Cloudflare users.

A CF user would upload a simple worker script that proxies requests to my CF worker script, basically doing a return fetch(request);. This allows them to use their own domain and HTTPS, and prevents code update issues in the future.

Some questions about this approach:

  1. Billing. How does billing work when proxying requests like this?

E.g. for a long running WebSocket connection to a durable object in my worker that was proxied from a customer account: do all the WebSocket messages get billed just for my account or for the worker that proxies them too? What about HTTP requests?

  1. Responsibility: if the customer uses my service to serve file types not supported (E.g. large video/media files), which account would CF close?

I have read a few instances where customers where on free accounts and somehow broke the terms and conditions and had their CF account closed. I do not want this to happen if just 1% of my users are serving large media files.

Thanks.

Please beware this use case may be against Cloudflare’s Terms of Service:

2.2.1 Restrictions

Unless otherwise expressly permitted in writing by Cloudflare, you will not and you have no right to:

(a) rent, lease, loan, export, or sell access to the Services to any third party, or sign up for the Services on behalf of a third party;

For this use case, I strongly setting up an Enterprise agreement with access to Workers for Platforms. This would also solve the issue of serving video since Enterprise customers aren’t restricted from that.

You are responsible for the traffic that goes through your account. So your account could be closed if your customers violate Cloudflare’s ToS.

Likely both accounts will be billed. Though I don’t exactly understand this use case.

2 Likes

If it helps, it may also be worth noting that your approach is uncommon/weird because there are CF Products to do this already, like Albert mentioned with Workers for Platforms

If you want your customers to upload their own Worker Code, then you want to use Workers for Platforms (WFP), which is Enterprise only right now, but I believe they may let you in if you explain your use case to them.

If your customers do not need to upload their own code, then use CF for SaaS: Workers as your fallback origin · Cloudflare for Platforms docs
CF for SaaS would let your customers cname to your site, and it handles issuing them a valid SSL certificate, works fine with Workers, etc.

The billing questions depend on the tier they are using, Bundled or Unbound. Bundled should just be the simple cost per request/message, flat. Unbound is requests + duration, but if you are just proxying it, I believe they shouldn’t have much duration: A Workers optimization that reduces your bill

1 Like

Thanks for the replies.

  1. For Workers for Platforms, who is responsible for the content served?

I am just concerned that it would be impossible to monitor all user traffic to make sure it complies with CF terms, and would not want my account shutdown over one malicious customer.

  1. Who should I be asking?

CF for SAAS would work, but my customers also need the ability to have instant-wildcard-subdomains. This looks to be an enterprise only solution.

  1. CF for SAAS requires one CNAME per subdomain, meaning my customers cannot just instantly route an arbitrary subdomain to a worker without setting up the DNS CNAME?

In the Cloudflare Community discord (Cloudflare Developers), the PM for Workers for Platforms has offered to give people access if you DM her your use case. WFP will eventually come to pay as you go as well. If your users don’t need to upload code though, then that won’t help you. WFP uses the same CF for SaaS/same limitations as far as I know.

No, it needs a binding on your end. You need to create the custom hostname (via api or dash) for them, and then they CNAME, it verifies and issues a cert.

CF for SaaS does require Enterprise for wildcard, and also for apex/root domain proxying (if the DNS Provider they are using isn’t Cloudflare/doesn’t support CNAMEs on root/apex), which is, unfortunately, a bit restrictive for some use cases.

1 Like

So WFH still cannot have wildcard subdomains without an Enterprise account (and must use a CNAME-per-subdomain)?

Thanks a lot - do you know how I would find her user handle?

Correct, WFP is just for running user code, I double-checked and it is just the same CF for SaaS/same limitations. You’d need Enterprise CF for SaaS for wildcards.

Tanushree#3489 - link to her message in the channel (if this works): Discord

1 Like