Use Cloudflare Authenticated Origin Pull with GCP Cloud Run


Problem description


I'm wanting to put Cloudflare in front of my API hosted on Cloud Run. I'd like to ensure my Cloud Run app only accepts connections from Cloudflare (to avoid bypassing DDoS mitigation + rate limiting in Cloudflare).


Is there any way to use Cloudflare's Authenticated Origin Pulls with Cloud Run?


Other solutions that achieve the same effect are welcome too; however, the key is that I don't want traffic from non-Cloudflare sources to trigger a Cloud Run invocation (otherwise a DDoS could result in a billing spike). Thus, filtering traffic inside the Cloud Run app is too late: an invocation has already occurred.


Seems like there may be a way to add on HTTPS Load Balancer + Cloud Armor to do IP whitelisting and only allow requests originating from Cloudflare's IPs...but I'd rather not start tacking on two other services and add $$ just to achieve this.

Recommended answer


Google Cloud Run supports two authorization mechanisms: unauthenticated (anyone/public) and OAuth Client ID. Cloudflare's Origin Pulls use TLS certificates, which means your Cloud Run application would need to verify the certificate as Google's Frontends do not support this. This would not accomplish your goal of preventing unauthorized invocations of Cloud Run.


In summary, unless your service is using OAuth Client IDs for authorization, there is no method to prevent Cloud Run service invocations except by limiting the maximum number of instances. If you have configured unauthenticated access, anyone calling your service endpoint will succeed in invoking your service or executing an overlapped request.
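The answer notes that a Cloud Run container cannot have Google's front end verify a Cloudflare client certificate, and the question mentions allow-listing Cloudflare's IP ranges at the load balancer instead. The example below is added here and is not code from the question or the answer: it shows the in-app form of that IP allow-list as a WSGI middleware, using Python's standard `ipaddress` module. The address ranges embedded are a constructed subset for illustration (the authoritative list is published at https://www.cloudflare.com/ips/ and should be fetched and refreshed rather than hard-coded), and the middleware assumes that the platform's front end appends the address of the peer it accepted the connection from as the last element of `X-Forwarded-For`; that assumption must be checked against the platform's own documentation before relying on it. The caveat from the thread still applies: this check runs after the invocation has been billed, so it protects the application logic, not the bill.

```python
"""Added example: accept requests only from Cloudflare edge addresses.

Not code from the question or answer. Runs as a WSGI middleware inside the
origin application, so on Cloud Run the invocation has already happened; the
check only keeps non-Cloudflare traffic away from the application logic.
"""
import ipaddress

# Constructed subset for this example. Fetch the current, complete list from
# https://www.cloudflare.com/ips/ on a schedule; do not ship a hard-coded copy.
CLOUDFLARE_RANGES = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20",
    "103.21.244.0/22",
    "104.16.0.0/13",
    "172.64.0.0/13",
    "2606:4700::/32",
)]


def is_cloudflare_ip(addr: str) -> bool:
    """Return True if addr (IPv4 or IPv6 text) lies inside a listed range."""
    try:
        ip = ipaddress.ip_address(addr.strip())
    except ValueError:
        return False  # an unparsable address is never trusted
    return any(ip in net for net in CLOUDFLARE_RANGES)


def peer_address(environ: dict) -> str:
    """Address of the peer the platform front end accepted the connection from.

    Assumption for this example: the trusted front end appends that address as
    the LAST element of X-Forwarded-For. Only the rightmost element is
    trustworthy; earlier elements arrive from the client and can be forged.
    Without the header, fall back to the direct TCP peer (REMOTE_ADDR).
    """
    xff = environ.get("HTTP_X_FORWARDED_FOR", "")
    if xff:
        return xff.split(",")[-1].strip()
    return environ.get("REMOTE_ADDR", "")


def cloudflare_only(app):
    """Wrap a WSGI app and answer 403 when the peer is not a Cloudflare edge."""
    def wrapped(environ, start_response):
        if not is_cloudflare_ip(peer_address(environ)):
            body = b"forbidden: origin is reachable only through Cloudflare\n"
            start_response("403 Forbidden", [
                ("Content-Type", "text/plain"),
                ("Content-Length", str(len(body))),
            ])
            return [body]
        return app(environ, start_response)
    return wrapped


def hello_app(environ, start_response):
    """Minimal origin application standing in for the real API."""
    body = b"hello from the origin\n"
    start_response("200 OK", [("Content-Type", "text/plain"),
                              ("Content-Length", str(len(body)))])
    return [body]


def call(app, environ: dict):
    """Invoke a WSGI app once without a server; return (status, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status

    body = b"".join(app(environ, start_response))
    return captured["status"], body


if __name__ == "__main__":
    guarded = cloudflare_only(hello_app)
    # Constructed requests: a genuine Cloudflare hop, a forged header, no proxy.
    samples = {
        "via cloudflare": {"HTTP_X_FORWARDED_FOR": "198.51.100.7, 104.16.1.1"},
        "forged header": {"HTTP_X_FORWARDED_FOR": "104.16.1.1, 198.51.100.7"},
        "direct peer": {"REMOTE_ADDR": "203.0.113.9"},
    }
    for label, env in samples.items():
        status, _ = call(guarded, env)
        print(f"{label:15s} -> {status}")
```

The forged-header case is the one worth studying: a client can put a Cloudflare address at the front of `X-Forwarded-For`, but it cannot control the element the trusted front end appends last, which is why the middleware reads the rightmost entry only.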
