is it possible to interface tunnels with workers? | Cloudflare Developers | Page 1

willow silo Feb 20, 2024, 3:51 AM

#

is it possible to make calls from workers to tunnels without necessarily exposing the tunnels directly to the internet via a domain?

stable crow Feb 20, 2024, 4:00 AM

#

Not really, the closest you can get is protecting the tunnel hostnames with Access and adding a Service Token as a secret to the Worker

willow silo Feb 20, 2024, 4:01 AM

#

very interesting, i haven't worked with Access at all. can you give a quick summary of how that would be done? is there a library available to the workers that works with Access?

stable crow Feb 20, 2024, 4:02 AM

#

You just create a Service Token: https://developers.cloudflare.com/cloudflare-one/identity/service-tokens/
And then add the ID and secret of the token to your Worker env/secrets and send all your requests with CF-Access-Client-Id and CF-Access-Client-Secret headers

#

Its not the most perfect security in the world (relies on a static secret) but its as good as you can get

willow silo Feb 20, 2024, 4:04 AM

#

alright, i've figured out how to create a service token. and I think i can figure out how to set those headers. but how do i set a tunnel to be protected by the service token?

stable crow Feb 20, 2024, 4:04 AM

#

As an aside, if you do this then make sure the tunnel Public Hostname as the "Protect with Access" option enabled has well as the Access policy existing https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/configure-tunnels/origin-configuration/#access-settings

willow silo Feb 20, 2024, 4:05 AM

#

ah, i see it: