Using Workers with AWS S3

benKG · January 9, 2021, 2:09am

I have an AWS S3 Storage and i want to pass the access through cloudflare for later use on my website.

And i use this S3 Policy

"Sid": "PublicReadGetObject",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:GetObject",
                "Resource": "arn:aws:s3:::" + bucketName + "/*",
                "Condition": {
                    "NotIpAddress": {
                        "aws:SourceIp": [
                            "2400:cb00::/32",
                            "2405:8100::/32",
                            "2405:b500::/32",
                            "2606:4700::/32",
                            "2803:f800::/32",
                            "2c0f:f248::/32",
                            "2a06:98c0::/29",
                            "103.21.244.0/22",
                            "103.22.200.0/22",
                            "103.31.4.0/22",
                            "104.16.0.0/12",
                            "108.162.192.0/18",
                            "131.0.72.0/22",
                            "141.101.64.0/18",
                            "162.158.0.0/15",
                            "172.64.0.0/13",
                            "173.245.48.0/20",
                            "188.114.96.0/20",
                            "190.93.240.0/20",
                            "197.234.240.0/22",
                            "198.41.128.0/17"
                        ]
                    }
                }

The problem is that i cant access these bucket, because my worker is using different IPs. How can i solve that? I got the IPs from Cloudflare.

sdayman · January 9, 2021, 4:45am

@soldier_21 experimented with this a bit and noticed that his Workers requests all came from 2a06:98c0:3600::103, though it looks like you’ve got that covered in your list.

benKG · January 9, 2021, 5:09am

When i make a DNS lookup i get this from chelsea.ns.cloudflare.com

AAAA	2606:4700:3034::ac43:b106
AAAA	2606:4700:3031::681f:5eb8
AAAA	2606:4700:3037::681f:5fb8

sdayman · January 9, 2021, 2:06pm

2606:4700 is also covered by the list.

What would you be looking up in DNS due to inbound Workers traffic?

benKG · January 9, 2021, 5:06pm

By the way, when i remove the conditions it works.

How do i do this? Cant find something in the dashboard that shows me some kind of DNS inbound traffic. I can see a lot of metrics and data, but dont know how to check this.

I have done a lookup again and the IPv4 adresses arent in the list

104.31.95.184
104.31.94.184
172.67.177.6

Can i ask where these workers are running?

sdayman · January 9, 2021, 5:42pm

That would be at AWS.

Those are the Public IP addresses assigned to your domain.

On the edge nodes, generally using the IP addresses in cloudflare.com/ips

benKG · January 9, 2021, 6:41pm

The problem is that im not using Amazons S3 Service. I have a Provider here that hosts the AWS S3 Services on his own servers. They only allow to create and delete a bucket.

Update: Im thinking about it and its possible that something else is between cloudflare and my provider. Was that your thought? Im not sure, but maybe some kind of proxy or something.

benKG · January 11, 2021, 1:23pm

I wrote my Provider and he cant help me. The have no clue or they just dont want to help, dont know.

benKG · January 12, 2021, 12:54am

Sorry for make a post again. @sdayman im still working on it.

At the moment i try to set x-forword-for in the headers of the request in the worker. For that i need the ip of the worker. For that i found https://www.cloudflare.com/cdn-cgi/trace

The weird thing is that i get this ip address in the console.log
34.122.118.162

Is that the ip of the worker? Im sure im doing something wrong. How can i try to set the x-forward-for header with an ip out of the list?
I use it in my worker now. My worker code looks like this.

    addEventListener('fetch', event => {
  event.respondWith(handleRequest(event.request));
})

function text(url) {
  return fetch(url).then(res => res.text());
}

async function handleRequest(request) {
  const url = "URLTOPROVIDER"
      + new URL(request.url).pathname;
  text('https://www.cloudflare.com/cdn-cgi/trace').then(data => {
    const regexv4 = /[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}/;
    const regexv6 = /(([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]))/
    let ip = null;
    ip = data.match(regexv4)[0];
    if (ip === '') {
      ip = data.match(regexv6)[0];
    }
    console.log(ip);
  })
  const req = new Request(url, request);
  return await fetch(req);
}