Hacker News new | ask | show | jobs
by capableweb 1119 days ago
> Could you elaborate on how you identified the traffic as cloudflare workers?

Trivial based on the fact that HTTP requests coming from CloudFlare Workers has a cf-worker header. Also, any traffic coming from cloudflare-owned IP blocks clearly belongs to cloudflare and can be safely blocked.
2 comments
InvaderFizz 1119 days ago
On the second point, with the introduction of Cloudflare WARP VPN, that's not quite true. Additionally, I believe Safari Private Relay may end up looking like it originates from CF as well.
link
ignoramous 1119 days ago
> Additionally, I believe Safari Private Relay may end up looking like it originates from CF as well.

Cloudflare reserves IP ranges just for Private Relay: https://developer.apple.com/support/prepare-your-network-for...

link
KomoD 1119 days ago
> and can be safely blocked.

Well no, not if you yourself are also using Cloudflare

link
Manouchehri 1118 days ago
You can block third party Workers with a CF WAF rule. Here's an example:

cf.worker.upstream_zone ne "" and not cf.worker.upstream_zone in {"aimoda.workers.dev" "ai.moda"}

link
capableweb 1119 days ago
You mean like server<>server communication? Hopefully that communication stays within the network rather than going from server<>internet<>server
link
KomoD 1118 days ago
I mean if you are using Cloudflare with their proxy, so origin<>cloudflare<>client
link
capableweb 1118 days ago
Yeah, then you'd just block based on the client IP which is in a header, rather than the IP on the connection.
link