You need to identify what could separate a real user from an unwanted bot/crawler. This is a bit mor

You need to identify what could separate a real user from an unwanted bot/crawler. This is a bit more difficult, issuing to the fact you don't want to(and probably can't) spawn a captcha in response to an interaction. If your app only operates in certain regions, block all other regions. If your app is only to be used on client devices, block datacenter IPs.

HHello, I’m Allie!You need to identify what could separate a real user from an unwanted bot/crawle...

AmaraFray•3/4/24, 12:19 PM

Alright, firebase has something called app check? is there something similar for cloudflare i could implement?

AAmaraFray Alright, firebase has something called app check? is there something similar for...

Hello, I’m Allie!OP•3/4/24, 12:20 PM

Not by ddefault, though you may be able to build something similar with WAF rules manually

HHello, I’m Allie!Not by ddefault, though you **may** be able to build something similar with WAF ...

AmaraFray•3/4/24, 12:51 PM

Okayy I'll try to research into that, any resources i can look at?

AAmaraFray Okayy I'll try to research into that, any resources i can look at?

Hello, I’m Allie!OP•3/4/24, 12:52 PM

Maybe https://blog.cloudflare.com/eliminating-captchas-on-iphones-and-macs-using-new-standard/ ?

The Cloudflare Blog

Private Access Tokens: eliminating CAPTCHAs on iPhones and Macs wit...

Today we’re announcing Private Access Tokens, a completely invisible, private way to validate that real users are visiting your site.

Hello, I’m Allie!OP•3/4/24, 12:52 PM

Don't know if they actually cover implementation there

AmaraFray•3/4/24, 12:52 PM

thank youu, will look at it!

HHello, I’m Allie!You need to identify what could separate a real user from an unwanted bot/crawle...

AmaraFray•3/4/24, 12:53 PM

also how can I go about blocking datacenter IPs?

AAmaraFray also how can I go about blocking datacenter IPs?

Hello, I’m Allie!OP•3/4/24, 12:54 PM

You could find the Autonomous System Number of the big datacenter providers, and block by them?

Autonomous system (Internet)

An autonomous system (AS) is a collection of connected Internet Protocol (IP) routing prefixes under the control of one or more network operators on behalf of a single administrative entity or domain, that presents a common and clearly defined routing policy to the Internet. Each AS is assigned an autonomous system number (ASN), for use in Borde...

AmaraFray•3/4/24, 12:55 PM

okay alright! So this all has to be hardcoded into the WAF expression correct?

AAmaraFray okay alright! So this all has to be hardcoded into the WAF expression correct?

Hello, I’m Allie!OP•3/4/24, 12:56 PM

No, at least not for Enterprise Customers: https://developers.cloudflare.com/waf/tools/lists/custom-lists/#lists-with-asns

Cloudflare Docs

Custom lists · Cloudflare Web Application Firewall (WAF) docs

A custom list contains one or more items of the same type (for example, IP addresses, hostnames, or ASNs) that you can reference collectively, by …

HHello, I’m Allie!No, at least not for Enterprise Customers: https://developers.cloudflare.com/waf...

AmaraFray•3/4/24, 12:57 PM

ah, cries in not enterprise thanks anyways!

AAmaraFray _ah, cries in not enterprise_ thanks anyways!

Hello, I’m Allie!OP•3/4/24, 12:58 PM

You can also block IPs/ranges

TTaurlon Could you foresee any negative implications of doing this? For example, legitima...

Hello, I’m Allie!OP•3/4/24, 12:59 PM

Maybe? If you block a regional ISP, then there is probably going to be issues. If the endpoint you are protecting is only ever meant to be accessed by mobile devices, then it should be reasonably safe to block datacenter IPs

Hello, I’m Allie!OP•3/4/24, 12:59 PM

There's always the risk that a user is using a VPS as a VPN, and thus will get blocked

Hello, I’m Allie!OP•3/4/24, 12:59 PM

But no security policy is perfect

AmaraFray•3/4/24, 1:00 PM

would this work? https://community.cloudflare.com/t/blocking-datacenters/317059

AAmaraFray would this work? https://community.cloudflare.com/t/blocking-datacenters/317059

Hello, I’m Allie!OP•3/4/24, 1:01 PM

Maybe? It would prevent registered bots from being blocked, but that still doesn't preclude someone running a small VPS

Hello, I’m Allie!OP•3/4/24, 1:01 PM

Which would be blocked

HHello, I’m Allie!Maybe? It would prevent registered bots from being blocked, but that still doesn...

AmaraFray•3/4/24, 1:02 PM

that's a downside im willing to live with, thank you so much!

TTaurlon Per your follow-up comment, would those same risks apply to blocking IPs/ranges?

Hello, I’m Allie!OP•3/4/24, 1:03 PM

Sort of? It depends on how you collect the IPs in question

Hello, I’m Allie!OP•3/4/24, 1:03 PM

And also whether those IPs are shared across multiple tasks/users

HHello, I’m Allie!Maybe https://blog.cloudflare.com/eliminating-captchas-on-iphones-and-macs-using...

AmaraFray•3/4/24, 1:09 PM

the implementation seems to be to use Turnstile? Is that what it is supposed to be or am I going down the wrong path?

AAmaraFray the implementation seems to be to use Turnstile? Is that what it is supposed to ...

Hello, I’m Allie!OP•3/4/24, 1:11 PM

You could do that? The Personal Access Token specifically only works on Apple devices, but Turnstile as a whole should work on anything with a mondern/standard-ish browser

HHello, I’m Allie!You could do that? The Personal Access Token specifically only works on Apple de...

AmaraFray•3/4/24, 1:11 PM

is it possible to integrate Turnstile onto mobile applications, dart to be specific?

AAmaraFray is it possible to integrate Turnstile onto mobile applications, dart to be speci...

Hello, I’m Allie!OP•3/4/24, 1:12 PM

You would have to embed it in a WebView. Atm I don't see a package for it on

pub.dev

pub.dev

, so you would have to do it yourself

HHello, I’m Allie!You would have to embed it in a WebView. Atm I don't see a package for it on `pu...

AmaraFray•3/4/24, 1:14 PM

yeah that's what I thought, I'll try to find alternatives till then. All workers are susceptible to flooding right? Does everyone just block datacenters and hope that no one else spams their server?

AmaraFray•3/4/24, 1:16 PM

a simple script like

for i in range(n):
  requests.get("x.y.z")

for i in range(n):
  requests.get("x.y.z")

is a threat?

kian•3/4/24, 1:19 PM

There are half a dozen different protections.

kian•3/4/24, 1:20 PM

Rate limiting is unmetered and free, as is the WAF.

kian•3/4/24, 1:20 PM

If you have an endpoint that expects an

Authorization

Authorization

header, you can reject requests without it in the WAF rather than your Worker and then your Worker would never be invoked for those requests.

kian•3/4/24, 1:21 PM

If you don't want them to be able to make more than 100 requests a minute, you can add that for free in rate limiting.

AmaraFray•3/4/24, 1:24 PM

Yeah this is the set up I have currently, apart from this is there anything I can do?

Jadugar_Jaggu•3/4/24, 2:20 PM

hey guys is anyone familiar with this issue? I am facing it right after automatic migration of my workers to standard pricing model
https://community.cloudflare.com/t/workers-unbound-has-not-yet-been-enabled-for-this-account/623732

vakno•3/4/24, 2:51 PM

I have multiple "children workers" that use HTMLRewriter() to change the HTML of response.
What I am trying to achieve is to trigger multiple workers with "parent worker".
I know you can use service bindings to bind another worker to it, but the problem I have is I need to run multiple workers and modify the responses accordingly.

For example: if I bind two child workers, one will change meta title (worker 1) and one meta description (worker 2).
What I need to achieve is firstly trigger worker1 with parent request, and then trigger worker 2 on response i get from worker 1, so i get all the HTML changes.

I have no problem getting response from worker 1, but I dont know how to combine worker 1 and worker 2 changes. What i tried is passing body of response from worker 1 to worker 2 fetch, like this:

    // Fetch the resource using childWorker1
    const childWorker1Response = await env.childWorker1.fetch(request.clone());

    // Fully consume the response body of childWorker1
    const childWorker1ResponseBody = await childWorker1Response.text();

    // Fetch a resource using childWorker2, passing the response body of childWorker1 as the POST body
    const childWorker2Response = await env.childWorker2.fetch(request.clone(), {
      method: 'POST',
      body: childWorker1ResponseBody
    });

    // Fetch the resource using childWorker1
    const childWorker1Response = await env.childWorker1.fetch(request.clone());

    // Fully consume the response body of childWorker1
    const childWorker1ResponseBody = await childWorker1Response.text();

    // Fetch a resource using childWorker2, passing the response body of childWorker1 as the POST body
    const childWorker2Response = await env.childWorker2.fetch(request.clone(), {
      method: 'POST',
      body: childWorker1ResponseBody
    });

But this does not seem to work.

Do you have any ideas what is wrong?
Any help would be greatly appreciated!

Vvakno I have multiple "children workers" that use HTMLRewriter() to change the HTML of...

Hello, I’m Allie!OP•3/4/24, 3:03 PM

Is there any reason why this couldn’t be a single Worker?

HHello, I’m Allie!Is there any reason why this couldn’t be a single Worker?

vakno•3/4/24, 3:05 PM

yes because i will need multiple workers to run with this parent workers on different urls. There would be too many combinations to handle

vakno•3/4/24, 3:13 PM

if i have 5 different child workers there will be 120 permutations

vakno•3/4/24, 3:13 PM

this is way too much to track and keep it organised

Vvakno yes because i will need multiple workers to run with this parent workers on diff...

Hello, I’m Allie!OP•3/4/24, 3:16 PM

I’m not sure I understand. Can you give me an example?

Vvakno I have multiple "children workers" that use HTMLRewriter() to change the HTML of...

Jadugar_Jaggu•3/4/24, 3:18 PM

i think instead of using request.clone() Just use request directly

Jadugar_Jaggu•3/4/24, 3:19 PM

so it will work as many times as you want

JJadugar_Jaggu i think instead of using request.clone() Just use request directly

Hello, I’m Allie!OP•3/4/24, 3:19 PM

That still wouldn’t combine the changes though

Hello, I’m Allie!OP•3/4/24, 3:19 PM

Only make two separate copies, and modifying both slightly

HHello, I’m Allie!I’m not sure I understand. Can you give me an example?

vakno•3/4/24, 3:21 PM

ok so i have 100 urls, on some i need to change meta titles, on some i need to change meta description, on some i need to change both, on some i need to change h1 to h2 and so on. I have like 6 seperate html changes i need to change on different urls.

If i want to make workers that cover all combinations i would need to create 720 different workers.

Vvakno ok so i have 100 urls, on some i need to change meta titles, on some i need to c...

Hello, I’m Allie!OP•3/4/24, 3:22 PM

Exactly, so why not a single Worker that does everything?

HHello, I’m Allie!Exactly, so why not a single Worker that does everything?

Jadugar_Jaggu•3/4/24, 3:23 PM

how you will use htmlrewriter to parse html and store it in a var?

I think we can only store a htmlrewriter response if we use it in a service worker and make a hit from parent

Jadugar_Jaggu•3/4/24, 3:24 PM

is there another way of doing it?

JJadugar_Jaggu how you will use htmlrewriter to parse html and store it in a var? I think we ...

Hello, I’m Allie!OP•3/4/24, 3:25 PM

Why would you need to store it? Why not just stream it back to the client once it has been modified?

You need to identify what could separate a real user from an unwanted bot/crawler. This is a bit mor

Similar Threads