for cloudflare tunnels exposed via public dns, how can i block any connections not from my worker zo

for cloudflare tunnels exposed via public dns, how can i block any connections not from my worker zone? i know i need to write a rule to check

cf.worker.upstream_zone

cf.worker.upstream_zone

cf.worker.upstream_zone

cf.worker.upstream_zone but not sure where

without this rule in place, im seeing a lot of stray requests hitting my http server

Mmatt for cloudflare tunnels exposed via public dns, how can i block any connections n...

Hello, I’m Allie!•3/16/25, 11:54 PM

You write it as a WAF Rule: https://developers.cloudflare.com/waf/custom-rules/

Cloudflare Docs

Custom rules · Cloudflare Web Application Firewall (WAF) docs

Custom rules allow you to control incoming traffic by filtering requests to a zone. You can perform actions like Block or Managed Challenge on incoming requests according to rules you define.

mattOP•3/17/25, 12:17 AM

is there another option? i shouldn't have to "talk to a (sales) expert" just to write a single, simple firewall rule

mattOP•3/17/25, 12:20 AM

oh thats just for account-level WAF, not the same as zøne level WAF?

mattOP•3/17/25, 12:30 AM

in the docs, does this rule also allow non-worker requests?

not (cf.worker.upstream_zone in {"" "customer-zone.com"})

not (cf.worker.upstream_zone in {"" "customer-zone.com"})

if i wanted to allow only requests from workers in my zone, is this one more effective?

not (cf.worker.upstream_zone == "customer-zone.com")

not (cf.worker.upstream_zone == "customer-zone.com")

Mmatt in the docs, does this rule also allow non-worker requests? ``` not (cf.worker.u...

Cyb3r-Jak3•3/17/25, 12:34 AM

I believe you could do something like cf.worker.upstream_zone != "customer-zone.com"cf.worker.upstream_zone != "customer-zone.com"

mattOP•3/17/25, 12:39 AM

much cleaner, cheers

mattOP•3/17/25, 12:53 AM

just a quick docs bug on https://developers.cloudflare.com/ruleset-engine/rules-language/expressions/#compound-expressions

hosthost -> http.hosthttp.host

and also not sure if hostname should be string-quoted?

Mmatt just a quick docs bug on https://developers.cloudflare.com/ruleset-engine/rules-...

Cyb3r-Jak3•3/17/25, 1:08 AM

Could you file an issue on their GitHub? https://github.com/cloudflare/cloudflare-docs/issues/new?template=content.edit.yml

mattOP•3/17/25, 1:12 AM

done!

Greg•3/17/25, 3:19 AM

hey im seeing super weird behavior on a Pages project where seemingly random pages are getting redirected to my static projects 404 page even though the page built without issues, and looks normal when viewing page source from the browser. anybody run into this type of behavior before?

Greg•3/17/25, 3:22 AM

here's an example https://60e6c0e8.docs-bao.pages.dev/ensip/1/

I get a 200 response and a normal preview when pinging the page from a tool like HTTPie, but browsers are redirecting to my project's 404 page. I've tested deploying the same project to other platforms and it works as expected, so I believe its somehow related to Cloudflare

smalltalk96•3/17/25, 3:50 AM

Hello! How can I use the --remote--remote option with @Cloudflare/vite-plugin to run

npm run dev

npm run dev

Ssmalltalk96 Hello! How can I use the `--remote` option with @Cloudflare/vite-plugin to run `...

Hello, I’m Allie!•3/17/25, 4:30 AM

I don’t think you can

Salisu ahmed•3/17/25, 4:57 AM

HHello, I’m Allie!I don’t think you can

smalltalk96•3/17/25, 5:00 AM

Are there any alternatives for enabling remote binding under vite-plugin?

Ssmalltalk96 Are there any alternatives for enabling remote binding under vite-plugin?

Hello, I’m Allie!•3/17/25, 5:05 AM

Build your Worker and do wrangler dev —remotewrangler dev —remote?

smalltalk96•3/17/25, 5:21 AM

This will lose the convenience brought by using vite-plugin

Ssmalltalk96 This will lose the convenience brought by using vite-plugin 😞

Hello, I’m Allie!•3/17/25, 5:24 AM

The way the Vite Plugin works is that it runs the dev process in workerd. That doesn’t work for remote mode

Hello, I’m Allie!•3/17/25, 5:25 AM

And even if you could hook it together somehow, it would still be much slower, since you would need to wait for an upload of your entire dev script and all of your assets to complete

smalltalk96•3/17/25, 5:34 AM

I want the Worker to run locally while binding to a remote KV. Is this possible?

Ssmalltalk96 I want the Worker to run locally while binding to a remote KV. Is this possible?

Hello, I’m Allie!•3/17/25, 5:35 AM

It is not. You can seed the local KV store with some data before you start it?

smalltalk96•3/17/25, 5:38 AM

This is an environment-sensitive project, and the cost of simulating data is very high.

Salisu ahmed•3/17/25, 10:35 AM

@Hello, I’m Allie!

Silvan•3/17/25, 1:26 PM

does anyone know if @cloudflare/vite-plugin@cloudflare/vite-plugin is only for spas? or should it also work with like sveltekit? using it with svetekit i got errors so im not sure

SSilvan does anyone know if `@cloudflare/vite-plugin` is only for spas? or should it als...

Hello, I’m Allie!•3/17/25, 1:29 PM

IIRC the Developer Productivity team is planning to bring support to SvelteKit, but I don’t think it is quite ready for out-of-the-box support

Makima•3/17/25, 1:30 PM

what to do if these rules do not work and returns 308 Permanent Redirect?

Makima•3/17/25, 1:33 PM

I can't get video id from cloudflare pages

HHello, I’m Allie!IIRC the Developer Productivity team is planning to bring support to SvelteKit, ...

Silvan•3/17/25, 1:33 PM

okay perfect thanks for clarifying! i do have 1 more question tho because the docs are still fairly minimal.
Is this plugin what allows you to point your main entry to a normal ts file (worker) and still serve frontends? instead of needing a monorepo or smth?

Silvan•3/17/25, 1:35 PM

was probably silly to ask in that channel general-discussions

esselungo•3/17/25, 1:55 PM

I have a cloudflare pages with a branch developdevelop. When i access the site with develop.pages-XXX.devdevelop.pages-XXX.dev it works fine; however when I access it through a custom subdomain develop.subdomain.example.comdevelop.subdomain.example.com where I added a CNAME to develop.pages-XXX.devdevelop.pages-XXX.dev it doesn't show the preview branch just the master. DNS has been propagated for a few days
am I missing some settings here?

Eesselungo I have a cloudflare pages with a branch `develop`. When i access the site with `...

Chaika•3/17/25, 2:10 PM

Using external dns or CF Dns? Previews on custom domains only work with CF DNS

CChaika Using external dns or CF Dns? Previews on custom domains only work with CF DNS

esselungo•3/17/25, 2:10 PM

well I delegated a subdomain to cloudflare dns

esselungo•3/17/25, 2:11 PM

not the entire domain

Eesselungo well I delegated a subdomain to cloudflare dns

Chaika•3/17/25, 2:11 PM

Partial cname/Business setup or Partial ns/Ent setup?

CChaika Partial cname/Business setup or Partial ns/Ent setup?

esselungo•3/17/25, 2:12 PM

hm I am not sure about this; Is there a way to check which setup I have in place?
I registered two new NS records for my subdomain on my external dns setup then registered the parent domain in cloudflare dns and set some CNAME up

Eesselungo hm I am not sure about this; Is there a way to check which setup I have in place...

Chaika•3/17/25, 2:15 PM

you setup ns records for a subdomain in your external dns, and then added the parent domain in CF? That doesn't make sense for either
If you have Business plan, then cname partial setup is the only thing you could have done
You'd need Enterprise to do partial domain setup w/ delegated nameservers.
If you have neither, then you did something else lol. If you can share the subdomain of your attempt to do above, could see

saby•3/17/25, 7:23 PM

Hi, I want to kindly ask you what has changed with wrangler 4.0.04.0.0. When I tried to upgrade from 3.114.13.114.1, my github actions to deploy worker and pages are failing. With older version works well.

Attaching my github actions and error images

deploy-api-staging.yml2.16KB

deploy-next-staging.yml1.6KB

Ssaby Hi, I want to kindly ask you what has changed with wrangler `4.0.0`. When I trie...

James•3/17/25, 7:30 PM

The deprecated secret:bulksecret:bulk command was removed which is why this is failing for you now.

James•3/17/25, 7:30 PM

A fix was released in https://github.com/cloudflare/wrangler-action/releases/tag/v3.14.1

James•3/17/25, 7:33 PM

Dynamic importr syntax also changed a bit due to the esbuildesbuild version bump: https://developers.cloudflare.com/workers/wrangler/migration/update-v3-to-v4/#upgraded-esbuild-version

James•3/17/25, 7:33 PM

I'm not familiar with how next-on-pagesnext-on-pages uses those sadly - so if there's any problems there, you might need to file an issue on the next-on-pages repo.

saby•3/17/25, 9:02 PM

Ok thank you!

11984 Ford Laser Will the new Images binding be updated to allow more than 10 transforms per sour...

1984 Ford Laser•3/18/25, 1:01 AM

Just wanted to see if anyone can provide an update on this. The Images binding is limited to 10 draws in a single operation, whereas I can fit dozens into a single call when using the original URL-based method

bkyerv•3/18/25, 9:37 AM

when creating a new cf project using cli npm create cloudflare@latestnpm create cloudflare@latest at what point should I set/configure/press button/do something to select worker instead of pages project?

bkyerv•3/18/25, 9:38 AM

in other words how does one control what (workers or pages) the project ends up as when creating a cloudflare project?

bkyerv•3/18/25, 9:50 AM

so I created a project using above command and selecting a framework and got the logs as in the attached image that says compiled worker successfullycompiled worker successfully and I thought it was a worker project

bkyerv•3/18/25, 9:51 AM

however when I run

wrangler dev

wrangler dev

I got the following error: ✘ [ERROR] It looks like you've run a Workers-specific command in a Pages project.✘ [ERROR] It looks like you've run a Workers-specific command in a Pages project.

bkyerv•3/18/25, 9:51 AM

is pages and workers are names for the category that describes architecture of how the project was built?

bkyerv•3/18/25, 9:53 AM

I know immediate response most likely be like everything is in the docseverything is in the docs but still struggling to understand what the difference is. my goal now is to try to deploy a small web app using cloudflare workers

bkyerv•3/18/25, 9:53 AM

workers because that is what better-auth seems to support and not available in the pages

for cloudflare tunnels exposed via public dns, how can i block any connections not from my worker zo

Similar Threads

Similar Threads

Similar Threads