How do you resolve a hostname in a worker?

I want to resolve the hostname to an IPv4 address for security reasons so that I can make sure that the IP address of the origin server is the same as the remote IP address.

For example my site is example.com and I have my registrar pointing to Cloudflare’s nameservers which proxies requests to that hostname. Now I want a script on example.com’s origin server to make a request to a Cloudflare worker. The worker must check that the remote IP address of the request matches example.com’s origin server’s IP.

It seems like I can use event.request.headers.get("CF-Connecting-IP") to get the remote IP but I don’t know how to confirm that it is the right IP address matching the origin server from the request URI.

How do I do this?

You could use DNS-over-HTTPS to do the resolution. Cloudflare offers it, but many others do offer it as well.


Won’t I just get Cloudflare’s IP addresses if I do that? I need the IP address of the origin server.

I guess an API call to Cloudflare to fetch the record? But wouldn’t it be easier to just use a valid certificate and monitor the issuance of those?

Hi @Flanders

You are rightfully concerned about the security for verifying the origin server is making the request to your Worker but I think you have assumed the wrong method to accomplish this.

Trying to compare the IP address making the request with a pre-saved “trusted IP” isn’t the right solution. For starters, it’s hard to do this with Workers because the Workers seemingly have no concept of IP.

First of all, can you elaborate a bit more about what kind of request your origin is making to your Worker. Is this a WebHook scenario or a scheduled task scenario, or something else?

To verify only trusted servers are making requests to your Worker is a case where you can utilise cryptography & signing.

I would refer you to see this post which gives a simplified example of using HMAC to verify the authenticity of WebHook requests sent by Shopify.

Comparing Shopify HMAC in Cloudflare Workers

If you need assistance to adapt the above linked Shopify HMAC verification to your scenario then ask me.

If however you really do need to compare the IP then please explain your scenario in more detail and I’ll show you how you can get the IP within Workers.
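The signing approach suggested in the reply above, sketched as an added example (not code from this thread or from the linked Shopify post): the origin's scheduled task signs a timestamp plus the request body with a shared secret, and the Worker checks the signature and its freshness instead of the caller's IP. The header names `X-Timestamp` and `X-Signature`, the `timestamp.body` message layout and the 300-second window are assumptions.

```javascript
// Added example. Header names, message layout and replay window are assumptions.
const subtle = (globalThis.crypto ?? require("node:crypto").webcrypto).subtle;
const enc = new TextEncoder();
const MAX_SKEW_SECONDS = 300; // assumed tolerance between origin and Worker clocks

// Strict hex decoder: returns null for anything that is not pairs of hex digits.
const hexToBytes = (hex) =>
  /^([0-9a-f]{2})+$/i.test(hex)
    ? Uint8Array.from(hex.match(/../g), (b) => parseInt(b, 16))
    : null;

function hmacKey(secret, usage) {
  return subtle.importKey("raw", enc.encode(secret),
    { name: "HMAC", hash: "SHA-256" }, false, [usage]);
}

// Origin side: value the scheduled task sends in X-Signature (hex HMAC-SHA256).
async function signRequest(secret, timestamp, body) {
  const mac = await subtle.sign("HMAC", await hmacKey(secret, "sign"),
    enc.encode(`${timestamp}.${body}`));
  return [...new Uint8Array(mac)]
    .map((b) => b.toString(16).padStart(2, "0")).join("");
}

// Worker side: resolves to true only for a fresh, correctly signed request.
// `headers` is anything with .get(name), e.g. request.headers in a Worker.
async function verifySigned(headers, body, secret, now = Date.now() / 1000) {
  const rawTimestamp = headers.get("X-Timestamp");
  const timestamp = Number(rawTimestamp);
  const signature = hexToBytes(headers.get("X-Signature") ?? "");
  if (!Number.isFinite(timestamp) || !signature) return false;
  // A stale timestamp means a captured request may be being replayed.
  if (Math.abs(now - timestamp) > MAX_SKEW_SECONDS) return false;
  // verify() recomputes the MAC and compares it inside the crypto library,
  // rather than comparing hex strings with ==.
  return subtle.verify("HMAC", await hmacKey(secret, "verify"), signature,
    enc.encode(`${rawTimestamp}.${body}`));
}

// In a Worker fetch handler this would be called roughly as:
//   const ok = await verifySigned(request.headers, await request.text(), secret);
//   if (!ok) return new Response("Forbidden", { status: 403 });
```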

It’s a scheduled task. I am familiar with cryptography & signing but I decided to just use a password so that I can trigger the task from a web browser if needed. But thanks so much for the idea.

But to anyone still looking for an answer to this question about how to get the IP address of the origin server from within the worker, I found this solution:

https://api.cloudflare.com/#dns-records-for-a-zone-list-dns-records

Thanks to matteo for getting me started.


You could put Access in front, so that you need to sign in with an SSO provider, or similar, to access the page. If this is compatible with your solution.
