For Workers & Pages, what is the name of the domain?
/
What is the issue or error you’re encountering
How to secure (access to) workers at scale?
What steps have you taken to resolve the issue?
I am scoping out a service setup and Workers/Cloudflare is one of the options (Lambda/AWS is too).
There are a bunch of questions I am trying to resolve and the docs have decent info, but not all:
- Is there a cheap/simple way to protect access to your worker, besides using Cloudflare Access? Or is that the only way?
- I found the rate limiting docs, but what can be done before traffic hits the worker?
- WAF rules could be an option, but not very scalable beyond a handful of workers
- We could keep an IP allow list, but how would we know what IP has access to what worker?
- How do I secure a worker's outgoing requests, beyond the workaround described here (Allow Restriction of Outbound Traffic from a Worker) that relies on logging?
Thank you
An additional security concern is logging. Being able to store logs outside of the main account in a third-party location would be essential.
From what I can understand, the ability to easily push logs outside of the account is an enterprise-only feature for most Cloudflare products, which will be a hard sell when I present this for a security audit.
Workers does have Workers Trace Events Logpush support, albeit that the presentation is a bit confusing: Logpush · Cloudflare Logs docs
Any other Cloudflare products I would use in conjunction with Workers, e.g. WAF, R2, D1, would need enterprise to easily extract logs. Business plan access to this feature would make more sense, I would think.
Also places an * on the ‘No data egress fees’ https://www.cloudflare.com/learning/cloud/what-are-data-egress-fees/
Cloudflare’s research has found that reducing or eliminating egress fees can save customers between 7.5% and 27% of their total monthly bill.*
*Except if they are logs