CD
Cloudflare Developers4mo ago
ecc0

is it possible to interface tunnels with workers?

is it possible to make calls from workers to tunnels without necessarily exposing the tunnels directly to the internet via a domain?
18 Replies
Erisa
Erisa4mo ago
Not really, the closest you can get is protecting the tunnel hostnames with Access and adding a Service Token as a secret to the Worker
ecc0
ecc04mo ago
very interesting, i haven't worked with Access at all. can you give a quick summary of how that would be done? is there a library available to the workers that works with Access?
Erisa
Erisa4mo ago
You just create a Service Token: https://developers.cloudflare.com/cloudflare-one/identity/service-tokens/ And then add the ID and secret of the token to your Worker env/secrets and send all your requests with CF-Access-Client-Id and CF-Access-Client-Secret headers Its not the most perfect security in the world (relies on a static secret) but its as good as you can get
ecc0
ecc04mo ago
alright, i've figured out how to create a service token. and I think i can figure out how to set those headers. but how do i set a tunnel to be protected by the service token?
Erisa
Erisa4mo ago
As an aside, if you do this then make sure the tunnel Public Hostname as the "Protect with Access" option enabled has well as the Access policy existing https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/configure-tunnels/origin-configuration/#access-settings
ecc0
ecc04mo ago
ah, i see it:
No description
Erisa
Erisa4mo ago
Create a Self-hosted Access application covering the domain and create a policy with action "Service Auth"
No description
Erisa
Erisa4mo ago
You can then specify a certain service token in the "additional rules"
No description
Erisa
Erisa4mo ago
Or just yolo it and accept any:
No description
ecc0
ecc04mo ago
what about session duration?
Erisa
Erisa4mo ago
Its irrelevant for service auth policies
ecc0
ecc04mo ago
perfect, going to the tunnel in my browser is blocked. that's expected. tomorrow i will try through the worker
No description
ecc0
ecc04mo ago
many thanks :dogekek:
Erisa
Erisa4mo ago
Yep if the only policy is Service Auth then you get the nice Forbidden page
ecc0
ecc04mo ago
this is very convenient
Erisa
Erisa4mo ago
There is also a setting to redirect it to another page instead Under "Non-identity failure block page" in the Access application settings
Hello, I’m Allie!
Hello, I’m Allie!4mo ago
Can’t you also just WAF block everything that isn’t your Worker?
Erisa
Erisa4mo ago
Sure but you won't have the same added protections that you get from an Access JWT
Want results from more Discord servers?
Add your server
More Posts
Hyperdrive: Connect to closest PG database via DNSI connected Hyperdrive to a local Postgres RDS instance, and it works, but it's quite slow to query 🔒 | How to hide selected DNS records?# Hello! I need help. I would like to configure Zero Trust so that selected DNS records are only vis"frame" forwarding with workersi would like to know how to have a worker passthrough requests from my domain to another domain runnSveltekit does not get the platform variable when processing api requestHello I have a Cloudflare Pages App using Sveltekit and I want to integrate R2. I have configured mDisable https for specific api routes?I have an API which a very old game is trying to send data to. This old application (circa 2004) canWrangler authentication storeCould someone please tell me where Wrangler stores authentication data on Windows? I setup a basic pUsing a custom domain from a different cloudflare accountHello there, a simple query: Is it possible to add a custom domain (apex) to my Pages app when the Neel help regarding cloud flareI got this mail from CloudFlare "one or more of your domain encountered an unexpected increase in bHyperdrive not working on local environmentHi, I'm getting an error from hyperdrive. ```js ✘ [ERROR] When developing locally, you should use aRequesting visibility on this community post: Documentation clarity around verified bots / WAF rulesHeyo, just requesting visibility on this post I made over @ the community forum >_> https://communi