Can one cache and secure a REST API with Cloudflare?


Question

I am designing a RESTful API that is intended to be consumed by a single-page application and a native mobile app. Some calls of this API return public results that can be cached for a certain time. Moreover, there is a need for rate protection to protect the API against unauthorized users (spiders).

Caching: Cloudflare supports HTTP cache control headers, so the API can decide for each entity requested via GET whether it is public and how long it can be cached.


  • However, it is not clear whether the cache control header is also passed downstream to the client, so will it also trigger the browser to cache the response? This may not be desirable, as it could make troubleshooting more difficult.
  • Akamai has an Edge-Control header to ensure content is cached in the CDN but not the browser. Can one do something similar with Cloudflare?

DDOS Protection: Cloudflare support has an article recommending that DDOS protection be disabled for backend APIs, but this does not apply to my use case, where each client is supposed to make few requests to the API. The native DDOS protection actually fits my requirements for protecting the API against bots.


  • I need to know how I can programmatically detect when Cloudflare serves a Captcha / "I'm under attack" etc. page. This would then allow the SPA / mobile app to react intelligently and redirect the user to a web view where she can demonstrate her "humanness".

From the Cloudflare documentation, it is not obvious what HTTP status code is sent when a DDOS challenge is presented. An open-source cloudscraper to bypass Cloudflare DDOS protection seems to indicate that Captcha and challenge pages are delivered with HTTP status 200. Is there a better way than parsing the response body to find out whether DDOS protection kicked in?

Cloudflare apparently uses cookies to record who solved the Captcha successfully. This obviously creates some extra complexity with native apps. Is there a good way to transfer the Cloudflare session cookies back to a native app after the challenge has been solved?

Probably this is something of an advanced Cloudflare use case - but I think it's promising and would be happy to hear if anyone has experience with something like this (on Cloudflare or another CDN).
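The "cache at the CDN but not in the browser" question above can be answered with standard HTTP cache semantics rather than a vendor header: `s-maxage` is read only by shared caches (the CDN), while `max-age` is read by every cache including the browser. The following is an added example, not code from the original post; it assumes the zone's cache settings are left to honour the origin's Cache-Control header, and it only models RFC 7234 directive handling, not any Cloudflare-specific behaviour.

```python
"""Origin-side Cache-Control decisions for a REST API behind a shared cache.

Constructed example: `s-maxage=N, max-age=0` lets the CDN serve a public entity
for N seconds while the browser must revalidate on every use, which keeps
client-side troubleshooting predictable.
"""


def cache_control_for(entity_public: bool, edge_ttl: int, browser_ttl: int = 0) -> str:
    """Build the Cache-Control header the origin sends for one GET entity."""
    if not entity_public:
        # Per-user data: no cache, shared or private, may store it.
        return "private, no-store"
    directives = ["public", f"s-maxage={edge_ttl}", f"max-age={browser_ttl}"]
    if browser_ttl == 0:
        # Browser must revalidate; the CDN keeps serving from cache for edge_ttl.
        directives.append("must-revalidate")
    return ", ".join(directives)


def parse_cache_control(header: str) -> dict:
    """Parse 'name=value' and bare-flag directives into a dict (flags -> True)."""
    parsed = {}
    for part in header.split(","):
        part = part.strip().lower()
        if not part:
            continue
        if "=" in part:
            name, value = part.split("=", 1)
            parsed[name.strip()] = value.strip().strip('"')
        else:
            parsed[part] = True
    return parsed


def freshness_lifetime(header: str, shared_cache: bool) -> int:
    """Seconds a cache may reuse the response without revalidating (0 = never).

    Shared caches prefer s-maxage and refuse `private`; a browser ignores
    s-maxage and falls back to max-age. no-store/no-cache disable reuse for both.
    """
    d = parse_cache_control(header)
    if "no-store" in d or "no-cache" in d:
        return 0
    if shared_cache:
        if "private" in d:
            return 0
        if "s-maxage" in d:
            return int(d["s-maxage"])
    return int(d.get("max-age", 0))
```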

Recommended answer

Cloudflare has published a list of best practices for using it with APIs.

TL;DR, they recommend setting a page rule that matches all API requests and putting the following settings on it:


  1. Cache Level: Bypass
  2. Always Online: OFF
  3. Web Application Firewall: OFF
  4. Security Level: Anything but "I'm under attack"
  5. Browser Integrity Check: OFF
