laurmat
Cloudflare Developers
Created by laurmat on 9/28/2024 in #workers-discussions
Thread
Hey! So I’m doing some tests, but I’m not sure if the mTLS cert is added on the worker request through the mTLS binding as shown here: https://developers.cloudflare.com/workers/runtime-apis/bindings/mtls/ Is there a way to check this?
30 replies
Now, in this scenario, if we replace the IG app with a worker, it should have the same result and block the connection if such a proxy tool is used.
I mean social networks like IG use SSL pinning to block such tools. So I assume the proxy's own SSL would overwrite the IG app's embedded certificate, but because of the SSL pinning at the IG servers, the connection gets blocked.
The same scenario as #2 would apply, but since the proxy presents its own certificate (to be able to intercept HTTPS), it would forward the user request to worker1. Now, assuming I make an mTLS binding on this worker for a certificate that is also configured in the next step at the Go microservice (server) for SSL pinning, I don’t know if the proxy’s own certificate that is set in the device’s trusted certificates will overwrite the mTLS one. If it does, then the SSL pinning on the Go microservice will block the proxy connection.
I suppose with SSL pinning it’s the same situation, right?
Yeah, in my case I can’t install it on the user’s device; it would be impossible.
Btw, by MinTLS you mean Mutual TLS, right?
Yes, #2 is the issue. I thought mTLS was going to fix that.
The second worker in that scenario is the same worker1. As I said, the main logic (the redirects) is set in worker1, and before the main logic there is this “checking” logic that will forward the worker request to the Go microservice to see if the certificate set up on the worker with mTLS bindings is the same as the one set on the Go service. If they match, then worker1 can continue the logic and do the redirects.
Client requests will come from mobile devices mostly.
Will this work?
I was talking to someone about making a checking microservice in Go (as it is fast and performant); he proposed something like this:

[Client Request] → [Cloudflare Worker] → [Golang Service with SSL Pinning] → [Cloudflare Worker] → [Final Destination]

“I will provide a TLS cert and TLS key that you can send to the Golang service so that I verify that the request is coming from the Cloudflare worker and not any other proxy.”
Ok, so I should have some check between the user and worker1, that’s what you’re saying.
From my understanding, with mTLS for Cloudflare Workers the client certificate will be installed on worker1, so when the worker1 domain is accessed the certificate will be pushed through the request. In the traditional mTLS setup (no workers) the certificate had to be installed on the devices (mobile app, IoT device, etc.).
Yes, I thought if I create mTLS between 2 workers, a certificate is pushed from worker1 (client) to worker2 (server), and usually, if the connection is clean, it will validate; but if the connection is from a device using tools like Reqable (which I have installed on my iPhone, and I had to add its certificate and enable full trust in iOS settings), then this will not validate and the logic on worker1 will not continue.
Let me attach my flow, to better understand my use case.
Sure. So you mention “disable inbound connection for worker 2”; can you give more details about this? Can this stop tools like Charles Proxy, Reqable, Burp Suite, etc. from spying on my worker’s requests over HTTPS?