Cloudflare Developers•2y ago

Referring to the CloudFlare email variables

Flare•3/2/24, 4:16 PM

Reminder for @HardlyWorkin': workers-and-pages-discussions
Set March 2, 2024

StepqenOP•3/2/24, 4:16 PM

For example, the senders email, the subject / body of the email

Flare•3/2/24, 4:16 PM

Reminder for @bun: #workers-discussions
Set March 2, 2024

SStepqen Referring to the CloudFlare email variables

Hello, I’m Allie!•3/2/24, 4:18 PM

This is the data you can pull out: https://developers.cloudflare.com/email-routing/email-workers/runtime-api/#syntax-es-modules. For the body, you could pass message.rawmessage.raw into a Response object to parse it as text

Cloudflare Docs

Runtime API · Cloudflare Email Routing docs

An EmailEvent is the event type to programmatically process your emails with a Worker. You can reject, forward, or drop emails according to the logic …

StepqenOP•3/2/24, 4:18 PM

Thank you!

charlie•3/3/24, 12:40 AM

With the way that service bindings work, am I right to assume that it's safe to allow using the global

fetch

fetch

to user-provided URLs? I'm so used to that being a disaster in terms of SSRF that it feels wrong, but I think with workers it should be safe?

Ccharlie With the way that service bindings work, am I right to assume that it's safe to ...

Hello, I’m Allie!•3/3/24, 1:11 AM

Global Fetch doesn’t pass through service bindings, if that is what you mean, so I would be careful

charlie•3/3/24, 1:14 AM

Basically one of the things I'm going to need to build soon is outbound webhooks. With the new queue stuff it should be pretty straightforward to do. So unless I'm misunderstanding the security model, not going through service bindings should be what I want so that things like durable objects are inaccessible

charlie•3/3/24, 1:16 AM

I specifically don't want to be able to fetch any internal services

Ccharlie Basically one of the things I'm going to need to build soon is outbound webhooks...

Hello, I’m Allie!•3/3/24, 1:55 AM

Kind of? An external request should never be able to access any internal services directly, unless you naievely pass them through

Hello, I’m Allie!•3/3/24, 2:00 AM

But like, a valid pattern could be to pass a URL into a service binding, then having said binding make the call to a receiving server

charlie•3/3/24, 2:01 AM

Sorry, I don't think I explained very well. It won't be requests originating from the internet. Rather originating from within the worker. So it would basically be

- get webhook URL from DB
- build payload
- post payload to URL

But what I'm wondering is if the global fetch has any way of accessing anything other than the public internet and if it's safe to pass an untrusted URL

Ccharlie Sorry, I don't think I explained very well. It won't be requests originating fro...

Hello, I’m Allie!•3/3/24, 2:02 AM

It would also have firewall-free access to your origin, if you have one

Hello, I’m Allie!•3/3/24, 2:02 AM

But no, it can’t interact with your bindings

charlie•3/3/24, 2:02 AM

Ah there would be no origin

charlie•3/3/24, 2:03 AM

And I also just found this

First, we can now restrict the global fetch() function to accept only publicly-routable URLs. This makes applications totally immune to SSRF attacks! You cannot trick an application into accessing an internal service unintentionally if the code to access internal services is explicitly different.

from here https://blog.cloudflare.com/workerd-open-source-workers-runtime

The Cloudflare Blog

Introducing workerd: the Open Source Workers runtime

workerd is the JavaScript/Wasm runtime code that powers Cloudflare Workers, now open source under the Apache 2.0 license.

charlie•3/3/24, 2:04 AM

Sounds almost too good to be true haha. This is going to be the easiest implementation ever

Ccharlie Sounds almost too good to be true haha. This is going to be the easiest implemen...

Hello, I’m Allie!•3/3/24, 2:06 AM

Note though that this is specifically for the Workers runtime, and not the Workers Product. While you can configure the runtime to allow access to internal services, on Workers itself this should not be possible

Hello, I’m Allie!•3/3/24, 2:06 AM

Not least since said internal services aren’t really yours to access either

charlie•3/3/24, 2:08 AM

Yep, the restriction of not being able to access anything internal is exactly what I want

kian•3/3/24, 2:08 AM

Are you referring to using Cloudflare Workers or hosting https://github.com/cloudflare/workerd yourself?

charlie•3/3/24, 2:09 AM

Using cloudflare workers. No origin - just a queue consumer which makes the fetch

Unsmart•3/3/24, 2:15 AM

If you have a worker with a route assigned to it, you can fetch it because its a public url. But if you dont have any public urls they its only requestable through bindings which you can kinda compare to being a VPC from a traditional perspective

charlie•3/3/24, 2:18 AM

Yeah, the worker I'm going to setup for sending these webhooks won't have any public routes so I'm not worried about incoming requests. In the past I would have used something like https://github.com/stripe/smokescreen but with the way the service bindings are separated it seems that's not a concern here

GitHub

GitHub - stripe/smokescreen: A simple HTTP proxy that fogs over nau...

A simple HTTP proxy that fogs over naughty URLs - GitHub - stripe/smokescreen: A simple HTTP proxy that fogs over naughty URLs

squizzy•3/3/24, 5:46 PM

hey everyone i am wondering that once you create/ set up the website on cloudflare is there a possible way for you to like have a html source and you can out html in that source and it will implement to your website? thanks

CChaika I would read this: https://discord.com/channels/595317990191398933/1204401951026...

Rayane•3/3/24, 5:49 PM

Thank you for your answer

The page functions is just a astro page in SSR. So if i get a lot of requests my website can be inaccessible ?

Joy•3/3/24, 5:58 PM

Hello everyone
I have a few endpoints in one of my CF workers. I want if someone hits /endpoint-A, I want to make an API call to the /endpoint-B. Is this possible to implement?
I tried it too, but it returns me this error

Joy•3/3/24, 5:58 PM

Screenshot_2024-03-03_at_11.26.26_PM.png

JJoy Hello everyone I have a few endpoints in one of my CF workers. I want if someone...

Cyb3r-Jak3•3/3/24, 10:35 PM

You probabaly want to use a service bind to make a worker calls itself https://developers.cloudflare.com/workers/configuration/bindings/about-service-bindings/

RRayane Thank you for your answer 🙏The page functions is just a astro page in SSR. So i...

Chaika•3/3/24, 11:17 PM

I wouldn't think a single SSR page would be nearly that high. Are you doing something heavy compute-wise, dependencies, or else?

CChaika I wouldn't think a single SSR page would be nearly that high. Are you doing some...

Rayane•3/3/24, 11:28 PM

Just use React and retrieve the query parameters of URL

CoreySeren•3/4/24, 1:10 AM

I got an email that I have exceeded 50% of daily usage limit for Cloudflare Workers KV , can I see a breakdown of what endpoints that is coming from?

CCoreySeren I got an email that I have exceeded 50% of daily usage limit for Cloudflare Work...

Chaika•3/4/24, 4:14 AM

not as far as I know. Can't even break it down per namespace. You'd probably be best looking at worker analytics of workers you know which are using KV, and the specific limit you are exceeding

Original message was deleted

Rayane•3/4/24, 6:45 AM

const url = Astro.url;
const params = new URLSearchParams(url.search);
const firstKey = params.entries().next();

AmaraFray•3/4/24, 11:56 AM

Hey guys, how do I prevent http floods on my workers endpoint?

AmaraFray•3/4/24, 12:04 PM

Okay, usually whats the best practices for configuring WAF?

AmaraFray•3/4/24, 12:06 PM

I'll give a bit more context, I have a mobile application, who's backend is entirely serverless on workers.

Ideally I'm not expecting to go beyond the workers paid plan of 10$ for the first year, but still would like to be open to scaling. It is connected to my (api.*) subdomain

AmaraFray•3/4/24, 12:07 PM

im not worried about authentication issues or such, but what I am worried about is someone pinging the server a million times and driving up my request counts

AmaraFray•3/4/24, 12:07 PM

I currently am using WAF to block access to anything that's not a valid endpoint

AmaraFray•3/4/24, 12:08 PM

(I should mention it's my first time worrying about things like this so I might be missing something very obvious, please do just share resources if i have to do some reading)

AAmaraFray I'll give a bit more context, I have a mobile application, who's backend is enti...

Hello, I’m Allie!•3/4/24, 12:17 PM

You need to identify what could separate a real user from an unwanted bot/crawler. This is a bit more difficult, issuing to the fact you don't want to(and probably can't) spawn a captcha in response to an interaction. If your app only operates in certain regions, block all other regions. If your app is only to be used on client devices, block datacenter IPs.

HHello, I’m Allie!You need to identify what could separate a real user from an unwanted bot/crawle...

AmaraFray•3/4/24, 12:19 PM

Alright, firebase has something called app check? is there something similar for cloudflare i could implement?

AAmaraFray Alright, firebase has something called app check? is there something similar for...

Hello, I’m Allie!•3/4/24, 12:20 PM

Not by ddefault, though you may be able to build something similar with WAF rules manually

HHello, I’m Allie!Not by ddefault, though you **may** be able to build something similar with WAF ...

AmaraFray•3/4/24, 12:51 PM

Okayy I'll try to research into that, any resources i can look at?

AAmaraFray Okayy I'll try to research into that, any resources i can look at?

Hello, I’m Allie!•3/4/24, 12:52 PM

Maybe https://blog.cloudflare.com/eliminating-captchas-on-iphones-and-macs-using-new-standard/ ?

The Cloudflare Blog

Private Access Tokens: eliminating CAPTCHAs on iPhones and Macs wit...

Today we’re announcing Private Access Tokens, a completely invisible, private way to validate that real users are visiting your site.

Hello, I’m Allie!•3/4/24, 12:52 PM

Don't know if they actually cover implementation there

AmaraFray•3/4/24, 12:52 PM

thank youu, will look at it!

HHello, I’m Allie!You need to identify what could separate a real user from an unwanted bot/crawle...

AmaraFray•3/4/24, 12:53 PM

also how can I go about blocking datacenter IPs?

AAmaraFray also how can I go about blocking datacenter IPs?

Hello, I’m Allie!•3/4/24, 12:54 PM

You could find the Autonomous System Number of the big datacenter providers, and block by them?

Autonomous system (Internet)

An autonomous system (AS) is a collection of connected Internet Protocol (IP) routing prefixes under the control of one or more network operators on behalf of a single administrative entity or domain, that presents a common and clearly defined routing policy to the Internet. Each AS is assigned an autonomous system number (ASN), for use in Borde...

AmaraFray•3/4/24, 12:55 PM

okay alright! So this all has to be hardcoded into the WAF expression correct?

Referring to the CloudFlare email variables

Similar Threads

Similar Threads

Similar Threads