I want to resolve the hostname to an IPv4 address for security reasons so that I can make sure that the IP address of the origin server is the same as the remote IP address.
For example, my site is example.com and I have my registrar pointing to Cloudflare’s nameservers which proxies requests to that hostname. Now I want a script on example.com’s origin server to make a request to a Cloudflare worker. The worker must check that the remote IP address of the request matches example.com’s origin server’s IP.
It seems like I can use event.request.headers.get("CF-Connecting-IP") to get the remote IP but I don’t know how to confirm that it is the right IP address matching the origin server from the request URI.
You are rightfully concerned about the security for verifying the origin server is making the request to your Worker, but I think you have assumed the wrong method to accomplish this.
Trying to compare the IP address making the request with a pre-saved “trusted IP” isn’t the right solution. For starters, it’s hard to do this with Workers because the Workers seemingly have no concept of IP.
First of all, can you elaborate a bit more about what kind of request your origin is making to your Worker? Is this a WebHook scenario or a scheduled task scenario, or something else?
Verifying that only trusted servers are making requests to your Worker is a case where you can utilise cryptography & signing.
I would refer you to this post, which gives a simplified example of using HMAC to verify the authenticity of WebHook requests sent by Shopify.