Skip to content

Strip CF-Connecting-IP header from all outbound requests#7914

Merged
penalosa merged 9 commits intomainfrom
aj/strip-cf-connecting-ip-header
May 12, 2025
Merged

Strip CF-Connecting-IP header from all outbound requests#7914
penalosa merged 9 commits intomainfrom
aj/strip-cf-connecting-ip-header

Conversation

@andyjessop
Copy link
Contributor

@andyjessop andyjessop commented Jan 27, 2025
edited by penalosa
Loading

Fixes #7835, #7924

Strip the CF-Connecting-IP header from outbound requests.

This cannot be effectively tested in CI because it interacts badly and in strange ways with bot management and various other protections. To test manually:

  • Create a hello world worker (or use fixtures/worker-ts)
  • Add return fetch("https://www.cloudflare.com", request) to the Worker
  • Run wrangler dev
  • With this PR, validate that the Cloudflare landing page is returned
  • Without this PR (pnpx wrangler@latest dev), validate that an error page is returned
  • Tests
    • TODO (before merge)
    • Tests included
    • Tests not necessary because:
  • E2E Tests CI Job required? (Use "e2e" label or ask maintainer to run separately)
    • I don't know
    • Required
    • Not required because: covered by unit tests
  • Public documentation
    • TODO (before merge)
    • Cloudflare docs PR(s):
    • Documentation not necessary because: bugfix
  • Wrangler V3 Backport

@changeset-bot
Copy link

changeset-bot bot commented Jan 27, 2025
edited
Loading

🦋 Changeset detected

Latest commit: f5675a0

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 5 packages
Name Type
miniflare Patch
wrangler Patch
@cloudflare/pages-shared Patch
@cloudflare/vite-plugin Patch
@cloudflare/vitest-pool-workers Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

@github-actions
Copy link
Contributor

github-actions bot commented Jan 27, 2025
edited
Loading

A wrangler prerelease is available for testing. You can install this latest build in your project with:

npm install --save-dev https://prerelease-registry.devprod.cloudflare.dev/workers-sdk/runs/14082081202/npm-package-wrangler-7914

You can reference the automatically updated head of this PR with:

npm install --save-dev https://prerelease-registry.devprod.cloudflare.dev/workers-sdk/prs/7914/npm-package-wrangler-7914

Or you can use npx with this latest build directly:

npx https://prerelease-registry.devprod.cloudflare.dev/workers-sdk/runs/14082081202/npm-package-wrangler-7914 dev path/to/script.js
Additional artifacts:

cloudflare-workers-bindings-extension:

wget https://prerelease-registry.devprod.cloudflare.dev/workers-sdk/runs/14082081202/npm-package-cloudflare-workers-bindings-extension-7914 -O ./cloudflare-workers-bindings-extension.0.0.0-v81ac03b8a.vsix && code --install-extension ./cloudflare-workers-bindings-extension.0.0.0-v81ac03b8a.vsix

create-cloudflare:

npx https://prerelease-registry.devprod.cloudflare.dev/workers-sdk/runs/14082081202/npm-package-create-cloudflare-7914 --no-auto-update

@cloudflare/kv-asset-handler:

npm install https://prerelease-registry.devprod.cloudflare.dev/workers-sdk/runs/14082081202/npm-package-cloudflare-kv-asset-handler-7914

miniflare:

npm install https://prerelease-registry.devprod.cloudflare.dev/workers-sdk/runs/14082081202/npm-package-miniflare-7914

@cloudflare/pages-shared:

npm install https://prerelease-registry.devprod.cloudflare.dev/workers-sdk/runs/14082081202/npm-package-cloudflare-pages-shared-7914

@cloudflare/unenv-preset:

npm install https://prerelease-registry.devprod.cloudflare.dev/workers-sdk/runs/14082081202/npm-package-cloudflare-unenv-preset-7914

@cloudflare/vite-plugin:

npm install https://prerelease-registry.devprod.cloudflare.dev/workers-sdk/runs/14082081202/npm-package-cloudflare-vite-plugin-7914

@cloudflare/vitest-pool-workers:

npm install https://prerelease-registry.devprod.cloudflare.dev/workers-sdk/runs/14082081202/npm-package-cloudflare-vitest-pool-workers-7914

@cloudflare/workers-editor-shared:

npm install https://prerelease-registry.devprod.cloudflare.dev/workers-sdk/runs/14082081202/npm-package-cloudflare-workers-editor-shared-7914

@cloudflare/workers-shared:

npm install https://prerelease-registry.devprod.cloudflare.dev/workers-sdk/runs/14082081202/npm-package-cloudflare-workers-shared-7914

@cloudflare/workflows-shared:

npm install https://prerelease-registry.devprod.cloudflare.dev/workers-sdk/runs/14082081202/npm-package-cloudflare-workflows-shared-7914

Note that these links will no longer work once the GitHub Actions artifact expires.

wrangler@4.4.1 includes the following runtime dependencies:

Package Constraint Resolved
miniflare workspace:* 4.20250321.0
workerd 1.20250321.0 1.20250321.0
workerd --version 1.20250321.0 2025-03-21

Please ensure constraints are pinned, and miniflare/workerd minor versions match.

@andyjessop andyjessop force-pushed the aj/strip-cf-connecting-ip-header branch from 0adafea to 63500ea Compare January 27, 2025 10:34
@andyjessop andyjessop marked this pull request as ready for review January 27, 2025 10:34
@andyjessop andyjessop requested a review from a team as a code owner January 27, 2025 10:34
@andyjessop andyjessop added the e2e Run wrangler + vite-plugin e2e tests on a PR label Jan 27, 2025
@andyjessop andyjessop force-pushed the aj/strip-cf-connecting-ip-header branch from 63500ea to d4c3b39 Compare January 27, 2025 10:42
penalosa
penalosa previously requested changes Jan 27, 2025
View reviewed changes
packages/wrangler/src/__tests__/api/startDevWorker/utils.test.ts Outdated
});
});

global.fetch = mockFetch as typeof global.fetch;
Copy link
Contributor

@penalosa penalosa Jan 27, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This should use MSW if possible

packages/wrangler/src/api/startDevWorker/ProxyController.ts Outdated
handleRuntimeStdio,
liveReload: false,

outboundService: stripHeader("cf-connecting-ip"),
Copy link
Contributor

@penalosa penalosa Jan 27, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not sure this is the right place for this. This will strip cf-connecting-ip on outgoing fetches from the Proxy worker, which we don't want to do. I think we should be adding this for local user workers? (LocalRuntimeController)

@penalosa penalosa force-pushed the aj/strip-cf-connecting-ip-header branch from 28b301a to 60d1e61 Compare February 10, 2025 14:24
@edmundhung edmundhung added the caretaking Priority for caretaking label Mar 3, 2025
@edmundhung edmundhung self-assigned this Mar 3, 2025
@edmundhung edmundhung force-pushed the aj/strip-cf-connecting-ip-header branch from 60d1e61 to 4879bb9 Compare March 4, 2025 16:56
@edmundhung edmundhung changed the title chore: add stripHeader service to Miniflare instance on ProxyController fix(wrangler): strip CF-Connecting-IP header from all outbound requests Mar 4, 2025
edmundhung
edmundhung reviewed Mar 5, 2025
View reviewed changes
packages/wrangler/src/api/startDevWorker/ConfigController.ts Outdated
bindVectorizeToProd: input.dev?.bindVectorizeToProd ?? false,
multiworkerPrimary: input.dev?.multiworkerPrimary,
imagesLocalMode: input.dev?.imagesLocalMode ?? false,
outboundService: input.dev?.outboundService,
Copy link
Member

@edmundhung edmundhung Mar 5, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This makes the dev.outboundService options working with startDevWorker

edmundhung
edmundhung reviewed Mar 5, 2025
View reviewed changes
packages/wrangler/src/dev/miniflare.ts Outdated
}

return (
config.outboundService?.(request) ??
Copy link
Member

@edmundhung edmundhung Mar 5, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We will use the user defined outboundService instead of fetch-ing it ourselves if it is available.

edmundhung
edmundhung reviewed Mar 5, 2025
View reviewed changes
packages/wrangler/src/dev/miniflare.ts Outdated
outboundService(request) {
if (request.headers.has("CF-Connecting-IP")) {
request.headers.delete("CF-Connecting-IP");
}
Copy link
Member

@edmundhung edmundhung Mar 5, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This outboundService applies to the User Worker only. We were trying to add it to all workers in the LocalRuntimeController which might includes wrapped bindings and crash because it does not support outboundService.

@emily-shen
Copy link
Contributor

emily-shen commented Mar 6, 2025

should we be doing this in miniflare?

@edmundhung
Copy link
Member

edmundhung commented Mar 6, 2025

should we be doing this in miniflare?

Good point. I didn't notice this was done on the miniflare side. I will give it another look to see if we can strip it there.

@petebacondarwin petebacondarwin mentioned this pull request Mar 10, 2025
Closed
@LukePammant
Copy link

LukePammant commented Mar 18, 2025

Hey there, curious if there are any plans to get this in the next version of wrangler. I'm unable to locally test on any of my customers sites (#8333). Or is there any quick work around I can add to my code to get around this limitation in the meantime?

@third774
Copy link

third774 commented Mar 18, 2025
edited
Loading

@LukePammant one (less than ideal) workaround I've discovered that may or may not work for you is that you can use remote mode instead of local: wrangler dev --remote

@emily-shen emily-shen force-pushed the aj/strip-cf-connecting-ip-header branch from fca99d2 to 29e8140 Compare March 26, 2025 11:24
@workers-devprod workers-devprod mentioned this pull request Mar 26, 2025
Merged
@petebacondarwin petebacondarwin mentioned this pull request Apr 25, 2025
Closed
@penalosa penalosa force-pushed the aj/strip-cf-connecting-ip-header branch from 29e8140 to cada740 Compare May 2, 2025 15:23
@penalosa
Copy link
Contributor

penalosa commented May 2, 2025

I've pushed a new commit that implements this in Miniflare. There's a test for the positive case, but it's hard to test the negative case in CI because it interacts badly with bot detection. To test manually, try making a fetch request to dash.cloudflare.com from within a Worker. With this change it should succeed, but without this change it should fail.

@penalosa penalosa assigned penalosa and unassigned edmundhung May 2, 2025
@penalosa penalosa changed the title fix(wrangler): strip CF-Connecting-IP header from all outbound requests Strip CF-Connecting-IP header from all outbound requests May 2, 2025
petebacondarwin
petebacondarwin reviewed May 2, 2025
View reviewed changes
packages/miniflare/test/index.spec.ts Outdated
const landingPage = await mf.dispatchFetch("http://example.com/");
t.assert(
!(await landingPage.text()).includes(
"Unfortunately, it is resolving to an IP address that is creating a conflict within Cloudflare's system"
Copy link
Contributor

@petebacondarwin petebacondarwin May 2, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This feels a bit fragile... if the backend slightly changed this error message this assertion would always pass.

Copy link
Contributor

@penalosa penalosa May 7, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

fb431dc

@penalosa penalosa requested a review from petebacondarwin May 7, 2025 14:41
@penalosa penalosa force-pushed the aj/strip-cf-connecting-ip-header branch from fb431dc to ce6d6d3 Compare May 7, 2025 14:42
@github-actions
Copy link
Contributor

github-actions bot commented May 7, 2025

Failed to automatically backport this PR's changes to Wrangler v3. Please manually create a PR targeting the v3-maintenance branch with your changes. Thank you for helping us keep Wrangler v3 supported!

Depending on your changes, running git rebase --onto v3-maintenance main aj/strip-cf-connecting-ip-header might be a good starting point.

@github-actions
Copy link
Contributor

github-actions bot commented May 7, 2025
edited
Loading

A Wrangler prerelease is available for testing. You can install this latest build in your project with:

npm install --save-dev https://prerelease-registry.devprod.cloudflare.dev/workers-sdk/runs/14970437289/npm-package-wrangler-7914
Prereleases for other packages:

cloudflare-workers-bindings-extension:

wget https://prerelease-registry.devprod.cloudflare.dev/workers-sdk/runs/14970437289/npm-package-cloudflare-workers-bindings-extension-7914 -O ./cloudflare-workers-bindings-extension.0.0.0-v262c37821.vsix && code --install-extension ./cloudflare-workers-bindings-extension.0.0.0-v262c37821.vsix

create-cloudflare:

npx https://prerelease-registry.devprod.cloudflare.dev/workers-sdk/runs/14970437289/npm-package-create-cloudflare-7914 --no-auto-update

@cloudflare/kv-asset-handler:

npm install https://prerelease-registry.devprod.cloudflare.dev/workers-sdk/runs/14970437289/npm-package-cloudflare-kv-asset-handler-7914

miniflare:

npm install https://prerelease-registry.devprod.cloudflare.dev/workers-sdk/runs/14970437289/npm-package-miniflare-7914

@cloudflare/pages-shared:

npm install https://prerelease-registry.devprod.cloudflare.dev/workers-sdk/runs/14970437289/npm-package-cloudflare-pages-shared-7914

@cloudflare/unenv-preset:

npm install https://prerelease-registry.devprod.cloudflare.dev/workers-sdk/runs/14970437289/npm-package-cloudflare-unenv-preset-7914

@cloudflare/vite-plugin:

npm install https://prerelease-registry.devprod.cloudflare.dev/workers-sdk/runs/14970437289/npm-package-cloudflare-vite-plugin-7914

@cloudflare/vitest-pool-workers:

npm install https://prerelease-registry.devprod.cloudflare.dev/workers-sdk/runs/14970437289/npm-package-cloudflare-vitest-pool-workers-7914

@cloudflare/workers-editor-shared:

npm install https://prerelease-registry.devprod.cloudflare.dev/workers-sdk/runs/14970437289/npm-package-cloudflare-workers-editor-shared-7914

@cloudflare/workers-shared:

npm install https://prerelease-registry.devprod.cloudflare.dev/workers-sdk/runs/14970437289/npm-package-cloudflare-workers-shared-7914

@cloudflare/workflows-shared:

npm install https://prerelease-registry.devprod.cloudflare.dev/workers-sdk/runs/14970437289/npm-package-cloudflare-workflows-shared-7914

Note that these links will no longer work once the GitHub Actions artifact expires.

@penalosa penalosa dismissed their stale review May 7, 2025 17:22

stale

petebacondarwin
petebacondarwin approved these changes May 7, 2025
View reviewed changes
packages/miniflare/test/index.spec.ts
// The CF-Connecting-IP header value of "fake-value" should be stripped by Miniflare, and should be replaced with a generic 127.0.0.1
t.notDeepEqual(await landingPage.text(), "fake-value");
});
test("Miniflare: does not strip CF-Connecting-IP when configured", async (t) => {
Copy link
Contributor

@petebacondarwin petebacondarwin May 7, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we add an empty line here?

@github-project-automation github-project-automation bot moved this from In Review to Approved in workers-sdk May 7, 2025
@penalosa penalosa enabled auto-merge May 12, 2025 10:57
@penalosa penalosa added this pull request to the merge queue May 12, 2025
Merged via the queue into main with commit 37af035 May 12, 2025
18 checks passed
@penalosa penalosa deleted the aj/strip-cf-connecting-ip-header branch May 12, 2025 11:34
@github-project-automation github-project-automation bot moved this from Approved to Done in workers-sdk May 12, 2025
@workers-devprod workers-devprod mentioned this pull request May 12, 2025
Merged
emily-shen pushed a commit that referenced this pull request May 12, 2025
@workers-devprod @penalosa
V3 Backport (fix(wrangler): strip CF-Connecting-IP header from all ou…
7a57c14 
…tbound requests #7914) (#8681)

* Strip CF-Connecting-IP

* Create cyan-years-relate.md

* Address comments

* remove test

* re-add test

* fix tests

* fix miniflare.ts

* fix compat date

---------

Co-authored-by: Samuel Macleod <smacleod@cloudflare.com>
@penalosa penalosa mentioned this pull request May 13, 2025
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@edmundhung edmundhung edmundhung left review comments

@penalosa penalosa penalosa left review comments

@petebacondarwin petebacondarwin petebacondarwin approved these changes

Assignees

@penalosa penalosa

Labels

caretaking Priority for caretaking e2e Run wrangler + vite-plugin e2e tests on a PR

Projects

workers-sdk
Archived in project

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

🐛 BUG: fetch() call to public Zero Trust URL from Worker results in error 1000

7 participants

@andyjessop @emily-shen @edmundhung @LukePammant @third774 @penalosa @petebacondarwin