Cloudflare worker IP denied access when using zone lockdown


#1

We have a development site up with “Zone Lockdown” (in the Firewall tab) to prevent public access to the dev site. The problem is that we would now like to test some cloud workers on this dev site, but the fetch() calls are being treated as unauthorized requests, because the IP from which the cloud worker is running is being blocked. (The error is Error 1106, Access denied, “The owner of this website (www.demosite.com) has banned your IP address”). I also tried accessing the IP address of the origin server directly but got a different error (Error 1003, Direct IP access not allowed).

What is the best way to work around this issue? I could determine what IP the Cloudflare worker is connecting from and allow that in the firewall, but is that a static IP that would that continue to work in the future? Is there any other way to reliably allow Cloudflare workers to make HTTP requests to URLs on the same site that the worker is running on?


#2

Interesting issue. Interested as well.

Any info @KentonVarda and @zack?


#3

An alternative work around would be to disable the “Zone Lockdown” feature, and do access control in your worker.


#4

Thanks @martin2. I guess that could work, but this worker is tied to a specific route. So I assume that would mean creating a worker using a wildcard route to do access control for the whole site.


#5

I think actually you can disable the lockdown for certain paths.

As far as I remember, you should be able to create a page rule with ‘Disable Security’ on. Should apply to lockdown as well.


#6

Disable Security prevents other security features too, though. It would be losing something and gaining something else.


#7

A “disable security” rule does in fact disable zone lockdown, thanks. I was hoping for a more general solution (i.e. globally allowing Cloudflare workers through the firewall), but this is helpful.


#8

There’s another issue with the “Disable Security” rule: it apparently changes how routing/proxying works, specifically the “Resolve Override” rule. I was able to get the CF worker to work, but then I tried to temporarily enable public access to the page (to test social media sharing) but it didn’t work because this page is relying on the “Resolve Override” rule to proxy traffic to a different server. I could go into more details but I think it’s already clear that the “Disable Security” rule is not an ideal solution to this issue.