Is a worker allowed to make requests to another worker?

I’m trying to setup a “catch-all” worker which acts in a similar way to a reverse proxy by looking at the URL path that’s been requested and then requesting content from a predefined application running on another worker within the same workers.dev subdomain. Reason is so the “catch-all” worker can apply consistent http headers, navigation and footer elements while requesting dynamic content from the appropriate web app on the other workers.

There isn’t an “origin” as such because everything will be served from workers. Also each webappx.subdomain.workers.dev worker looks for a special http header applied by the router. Any requests without the special header are dropped. This prevents a visitor from browsing directly to the webapps.

Is this setup possible with Cloudflare? I seem to have read that one worker cannot call another within the same workers.dev subdomain which seems very limiting and would make this architecture impossible without lots of different domains.

architecture

1 Like

You can’t call another Worker in the same zone, be it workers.dev (not sure if it’s per subdomain or the whole thing) or your own, but…

You can call other domains’ Workers. So this structure can be done with a worker on a domain you own (or on the workers.dev subdomain) and then call the other via their workers.dev URL (or on another domain you own). The important thing is that each layer is on a different domain from the previous, but you can simply alternate between two, example.com and example.workers.dev.

3 Likes

I wonder what’s the reason behind this decision. If workers are meant to be small and doing one job, this limitation kind of pushes you to the opposite.

This has been a long-standing issue, because of how the network handles request security and SSL, they cannot know who sent the request and from where if it’s from within the internal network. In other words, a request needs to go through the domain layer to be able to work, if it’s within the same zone, it bypasses the domain layer.

2 Likes

Maybe cf can provide some api that will allow you to make the call “from outside”.
For example, provide some proxy that routes the requests from one worker to another while getting it out of the zone and back inside.
This is until the more fundamental issues is resolved.
I found this as a major limitation multiple times, and ended up bloating one worker with multiple concerns.
Keeping up in the same direction, i might reach the 1mb limitation.

בתאריך יום ה׳, 17 ביוני 2021, 09:57, מאת thomas4 via Cloudflare Community ‏<[email protected]>:

| thomas4 MVP '20 - '21
June 17 |

  • | - |

This has been a long-standing issue, because of how the network handles request security and SSL, they cannot know who sent the request and from where if it’s from within the internal network. In other words, a request needs to go through the domain layer to be able to work, if it’s within the same zone, it bypasses the domain layer.


Visit Topic or reply to this email to respond.


In Reply To

| dan27
June 17 |

  • | - |

I wonder what’s the reason behind this decision. If workers are meant to be small and doing one job, this limitation kind of pushes you to the opposite.


Visit Topic or reply to this email to respond.

To unsubscribe from these emails, click here.

1 Like

Agreed @dan27. Would be great if there was some kind of way to force Cloudflare to route the request “outiside” and back in again- perhaps an option inside the cf: {} options object on a Request.

So I’m not entirely sure, but are you implying here that we can always call our workers on their workers.dev domains (as opposed to a custom domain) and this should work?

Not exactly, you call the custom domain, which calls the workers.dev one, which calls the custom domain, etc.

There’s a beta feature called services for this, but while I’m on waitlist is a subdomain separate zone because I need cache which dev doesn’t have.

The problem with using \*workers.dev\* happens when making web app firewall rules which requires a page. Zone lockdowns by subdomain are for pros and not free[ly available]. So the scavengers have to use two domains.

You would use About Service bindings · Cloudflare Workers docs to communicate between two of your own Workers, not by using cross-zone fetch.

1 Like