Security concern about HTTP request in worker


#1

I use an IP firewall on Nginx to whitelist Cloudflare IPs and only allow my domains, so even if others know my origin IP, they cannot perform an L7 DDoS attack. However, with a Worker, others can make requests to my server directly via the Cloudflare network. I think that might break Cloudflare’s rate limit, etc. The Fetch API might be safe because it cannot set the Host header, but I am still worried. This is also related to the Re-Write Host feature (though it is only available for the Enterprise plan).


#2

Hi @ze3kr,

If someone else’s Worker makes a request to your domain, the request will be treated just like it had come from an external client. All the usual Cloudflare security checks, rate limiting, and other features will be applied. Don’t worry, we thought carefully about this. 🙂

Of course, as always, your origin server needs to verify that the Host header matches your domain. Otherwise, anyone who knows your IP could simply configure their own DNS entries to list your IP as their origin – this would allow them to generate requests with the Host header listing their domain instead of yours (no need for a Worker), but as long as your origin rejects such requests, you should be OK. (Another way to protect against this is to use Cloudflare Warp – this way, your origin doesn’t need to have a public IP at all.)

You mention the “host header rewrite” page rule. This rule is intentionally restricted to enterprise customers, and its usage is monitored, due to the potential for abuse. Note that this feature is not related to Workers, and there is intentionally no way to do a similar thing in a Worker.
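
Added example, not part of the original posts and not Cloudflare's code: a sketch of the origin-side decision described in reply #2, where a source-IP allowlist alone still admits a request proxied through Cloudflare for someone else's domain, so the Host header must be checked as well. The CIDR ranges and host names are constructed placeholders, the function names are hypothetical, and only IPv4 peers are handled (anything else is rejected).

```javascript
// Origin-side admission check: the peer must be an edge IP AND the Host
// header must name one of our own domains.
// EDGE_RANGES uses RFC 5737 documentation ranges as placeholders; a real
// deployment would load Cloudflare's published IP list instead.
const EDGE_RANGES = ["192.0.2.0/24", "198.51.100.0/24"]; // constructed
const ALLOWED_HOSTS = new Set(["example.com", "www.example.com"]); // constructed

// Convert a dotted-quad IPv4 address to an integer, or null if malformed.
function ipv4ToInt(ip) {
  const parts = String(ip).split(".");
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

// True when ip falls inside the IPv4 CIDR block; malformed input fails closed.
function inCidr(ip, cidr) {
  const [base, bitsStr] = cidr.split("/");
  const ipN = ipv4ToInt(ip), baseN = ipv4ToInt(base);
  if (ipN === null || baseN === null) return false;
  const size = 2 ** (32 - Number(bitsStr));
  return Math.floor(ipN / size) === Math.floor(baseN / size);
}

// Normalise Host: lower-case, strip an optional port and a trailing dot.
function normaliseHost(host) {
  if (typeof host !== "string") return "";
  return host.trim().toLowerCase().replace(/:\d+$/, "").replace(/\.$/, "");
}

// Returns {allow, reason}. Both checks must pass.
function admit(peerIp, hostHeader) {
  if (!EDGE_RANGES.some((c) => inCidr(peerIp, c)))
    return { allow: false, reason: "peer-not-edge" };
  if (!ALLOWED_HOSTS.has(normaliseHost(hostHeader)))
    return { allow: false, reason: "host-not-allowed" };
  return { allow: true, reason: "ok" };
}
```

The second check is the one that rejects a request arriving from an allowlisted edge IP but carrying another zone's domain in the Host header.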


#3

@KentonVarda
So the HTTP request made by JavaScript is restricted (which is quite different from other programming languages); it cannot remap the DNS nor change the Host header.

By “related to” I meant that a Worker can do the same thing; it can also rewrite the host to serve an S3 bucket, for example. But now I know the difference: the Worker will perform HTTP requests like a normal client and follow rate limits and the firewall, and Re-Write Host could break those limits.

I am also curious: is it possible to change the CF-Connecting-IP header in JS? That’s also a potential threat. What’s more, will the IP block settings work for requests made by a Worker?


#4

> So the HTTP request made by JavaScript is restricted (which is quite different from other programming languages); it cannot remap the DNS nor change the Host header.

More precisely, both the Host header and the DNS lookup are based on the same request URL; they cannot be controlled independently. So, it’s impossible for a Worker to send a request to one server but with a Host header specifying a different server.

> I am also curious: is it possible to change the CF-Connecting-IP header in JS? That’s also a potential threat.

A Worker can change this header, but if they are making a request to another zone, then, again, the request is treated as if it came from a client. If a client sends a request to Cloudflare containing CF-Connecting-IP, that header will be ignored and replaced with the client’s real IP. In this case, that will be the Worker’s IP address.

> What’s more, will the IP block settings work for requests made by a Worker?

Probably not. The Worker has its own IP, which you probably aren’t blocking. But, similarly, anyone can spin up a server on AWS or Digital Ocean to proxy requests in order to get around your IP block. Doing it with a Worker is similar.

With that said, if you believe that someone else’s Worker is malicious and trying to attack you, please contact our support team immediately – if they are indeed malicious, we will suspend them.

