

Hi, I'm the tech lead of Cloudflare Workers. This article contains several misunderstandings.

If a Cloudflare customer has configured their origin server to respond only to Cloudflare IPs, then they MUST also verify that the "Host" header on any request actually matches their domain name. If they do not verify the Host header, then anyone can sign up for Cloudflare and simply configure their DNS to point to the victim's origin IP address, and requests will be routed there - but will have the attacker's domain in the Host header. Workers is not needed for such an attack. This attack has always been possible and is common to basically all CDNs. Fundamentally, the CDN has no way of knowing if the origin server that a user has configured really belongs to them - the CDN can only tell the origin (via the Host header) what customer it thinks it is serving, and expect the origin not to accept requests that were on behalf of a different customer. Instead of IP-based authentication, we strongly recommend using mTLS-based authenticated origin pulls (with a zone-specific key pair) or Argo Tunnel, as these methods are much more secure.

As long as the origin server is verifying via one of the above means (IP+host header, AOP, or Argo Tunnel) that the request was processed by Cloudflare on behalf of the customer's zone, then the attack described in the article doesn't accomplish anything. If a Worker makes a request to a hostname that is on Cloudflare, then all of the target host's Cloudflare security settings will apply to that request the same as if the request came from an external client.

Additionally, as mentioned in the article, any requests coming from a Worker will have the CF-Worker header identifying the zone which sent the request. If a customer suspects abusive requests coming from Workers, they should report it to us.

~~The article claims that the X-Forwarded-For header can be forged, but this is not true if the target host is itself a Cloudflare customer.~~

EDIT: What I said about X-Forwarded-For seems to be incorrect. CF-Connecting-IP has always been the header we use to identify the client IP, and it cannot be forged. X-Forwarded-For seems to have more complicated and subtle behavior that I'm not familiar with.

* The IP address 2a06:98c0:3600::103, mentioned in the article as appearing in the CF-Connecting-IP header, is a special IP address that is used for all cross-zone requests that come from Workers. This is not the actual address of any Cloudflare machine. Workers fundamentally don't have distinct IP addresses.
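The origin-side check the comment asks for, as an added example that is neither Cloudflare's code nor the commenter's: the IP-only policy beside the IP-plus-Host policy, evaluated on constructed requests. The CDN prefixes, hostnames and header values are made up for the example, and the CF-Worker value is assumed to be the sending zone's name as the comment describes; mTLS authenticated origin pulls or a tunnel remain the stronger option and are not modelled here.

```python
import ipaddress
from typing import Callable, Dict, Optional, Tuple

# Constructed stand-ins for the CDN egress ranges an origin firewall allow-lists
# (documentation prefixes, not Cloudflare's published ranges).
CDN_PREFIXES = [ipaddress.ip_network("203.0.113.0/24"),
                ipaddress.ip_network("2001:db8::/32")]
# Hostnames that belong to *our* zone; anything else was proxied for someone else.
EXPECTED_HOSTS = {"shop.example.com", "www.shop.example.com"}

Headers = Dict[str, str]
Request = Tuple[str, Headers]  # (TCP peer address, request headers)


def from_cdn(peer_ip: str) -> bool:
    """True when the TCP peer is one of the CDN's egress addresses."""
    ip = ipaddress.ip_address(peer_ip)
    return any(ip in net for net in CDN_PREFIXES)


def accept_ip_only(peer_ip: str, headers: Headers) -> bool:
    """The weak policy the comment warns about: anything arriving from a CDN
    address is trusted, no matter which customer's zone it was proxied for."""
    return from_cdn(peer_ip)


def accept_ip_and_host(peer_ip: str, headers: Headers) -> bool:
    """The minimum the comment requires: the peer must be the CDN *and* the
    Host header must name our own zone. A request proxied for an attacker's
    zone whose DNS points at our IP carries the attacker's Host and is refused."""
    host = headers.get("Host", "").lower().split(":")[0]  # strip optional port
    return from_cdn(peer_ip) and host in EXPECTED_HOSTS


def worker_origin(headers: Headers) -> Optional[str]:
    """CF-Worker, when present, names the zone whose Worker sent the request.
    Useful to log for an abuse report; it is not a substitute for the checks above."""
    return headers.get("CF-Worker")


def evaluate(policy: Callable[[str, Headers], bool], request: Request) -> bool:
    peer_ip, headers = request
    return policy(peer_ip, headers)


# Constructed requests: one for our zone, one proxied on behalf of an
# attacker-controlled zone pointed at our origin IP, one that skips the CDN.
LEGIT: Request = ("203.0.113.10", {"Host": "shop.example.com", "CF-Connecting-IP": "198.51.100.7"})
CROSS_ZONE: Request = ("203.0.113.10", {"Host": "evil.example.net", "CF-Worker": "evil.example.net"})
DIRECT: Request = ("192.0.2.5", {"Host": "shop.example.com"})
```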
