
【実装】二重リバプロ

概要

Cloudflare Workers と AWS CloudFront を組み合わせて、二重リバースプロキシ(二重リバプロ)を実装する。

全体像(通信フロー)

この実装では、通信は次の流れになる。

クライアント
→ AWS CloudFront
→ Cloudflare(Workers)
→ オリジン(area11.org)


結果

CloudFrontの設定

CloudFront設定

CloudFront経由で無事Workersへアクセスできている。 CloudFront経由でWorkersへアクセス成功

詳細確認

①リバプロ(Workers)のログ ↓


{
"level": "info",
"message": "GET https://reverse.area11.workers.dev/Sec/abc/",
"$workers": {
  "event": {
    "request": {
      "cf": {
        "requestHeaderNames": {},
        "isEUCountry": false,
        "httpProtocol": "HTTP/1.1",
        "requestPriority": "",
        "colo": "SJC",
        "asOrganization": "Amazon Technologies Inc.",
        "country": "JP",
        "city": "Tokyo",
        "continent": "AS",
        "region": "Tokyo",
        "regionCode": "13",
        "timezone": "Asia/Tokyo",
        "longitude": "139.69171",
        "latitude": "35.6895",
        "postalCode": "101-8656",
        "tlsVersion": "TLSv1.3",
        "tlsCipher": "AEAD-AES128-GCM-SHA256",
        "tlsClientRandom": "6PLHqq4jCx7w+riTb0LkZeE5xqnAEwTNpZ7MCRGkRzY=",
        "tlsClientCiphersSha1": "ic5x3V42lH2fqBtDMnTXS6ol1zU=",
        "tlsClientExtensionsSha1": "30vjbCtb7WNvWmxAv2RVupojxKs=",
        "tlsClientExtensionsSha1Le": "DigKYZkiKsPgggjBrZo0uktzbvs=",
        "tlsExportedAuthenticator": {
          "clientHandshake": "dc24241d9743e670e5c96a2c790956079d0e96e09227ab1e93e7050709fd0d8c",
          "serverHandshake": "68232fe16ba78b14361da5253da9c3d492132583a0dd316b6801886393cb2293",
          "clientFinished": "9aaf24d6e4c4eb8b523987c254a2b275fe26a2cceae6a0910f9616c3dac390c2",
          "serverFinished": "3843fe861a92dd8ba92df1f580a0cd0e5eda21c2d90492bcf1c362d229a2df27"
        },
        "tlsClientHelloLength": "523",
        "tlsClientAuth": {
          "certPresented": "0",
          "certVerified": "NONE",
          "certRevoked": "0",
          "certIssuerDN": "",
          "certSubjectDN": "",
          "certIssuerDNRFC2253": "",
          "certSubjectDNRFC2253": "",
          "certIssuerDNLegacy": "",
          "certSubjectDNLegacy": "",
          "certSerial": "",
          "certIssuerSerial": "",
          "certSKI": "",
          "certIssuerSKI": "",
          "certFingerprintSHA1": "",
          "certFingerprintSHA256": "",
          "certNotBefore": "",
          "certNotAfter": ""
        },
        "verifiedBotCategory": "",
        "edgeRequestKeepAliveStatus": 1,
        "clientTcpRtt": 114,
        "asn": 16509
      },
      "url": "https://reverse.area11.workers.dev/Sec/abc/",
      "method": "GET",
      "headers": {
        "accept-encoding": "gzip, br",
        "cf-connecting-ip": "3.172.35.133",
        "cf-ipcountry": "JP",
        "cf-ray": "9b92974fd8bbe8cc",
        "cf-visitor": "{\"scheme\":\"https\"}",
        "connection": "Keep-Alive",
        "host": "reverse.area11.workers.dev",
        "user-agent": "Amazon CloudFront",
        "via": "2.0 cac87b6040779c8f7284bfa1e14d3dd2.cloudfront.net (CloudFront)",
        "x-amz-cf-id": "pM-DVpYYIgQnprwwazms_RVh24-lqnPHFAUfH92bacWR6Bd4GwDzlw==",
        "x-forwarded-for": "240d:1a:ab3c:72f0:7f3a:91c2:4b10:9e6d",
        "x-forwarded-proto": "https",
        "x-real-ip": "3.172.35.133"
      },
      "path": "/Sec/abc/"
    },
    "rayId": "9b92974fd8bbe8cc",
    "response": {
      "status": 404
    }
  },
  "diagnosticsChannelEvents": [],
  "truncated": false,
  "scriptName": "reverse",
  "outcome": "ok",
  "eventType": "fetch",
  "executionModel": "stateless",
  "scriptVersion": {
    "id": "a420daa5-46bd-4870-84fe-de72c90600bc"
  },
  "requestId": "9b92974fd8bbe8cc",
  "cpuTimeMs": 0,
  "wallTimeMs": 17
},
"$metadata": {
  "id": "01KE6Y7KFGDZN5KEVPNXJTWF0M",
  "requestId": "9b92974fd8bbe8cc",
  "trigger": "GET /Sec/abc/",
  "service": "reverse",
  "level": "info",
  "message": "GET https://reverse.area11.workers.dev/Sec/abc/",
  "account": "bb474e621a1cedfa31cea2e86f5c996e",
  "type": "cf-worker-event",
  "fingerprint": "19b5123867f704c676d5033b3fa8875a",
  "origin": "fetch",
  "messageTemplate": "GET https://reverse.area11.workers.dev/Sec/abc/"
}
}

②オリジン(Workers)のログ ↓


{
"level": "info",
"message": "GET https://area11.org/Sec/abc/",
"$workers": {
  "event": {
    "request": {
      "cf": {
        "requestHeaderNames": {},
        "isEUCountry": false,
        "httpProtocol": "HTTP/1.1",
        "tlsCipher": "",
        "continent": "NA",
        "clientAcceptEncoding": "gzip, br",
        "verifiedBotCategory": "",
        "country": "US",
        "region": "California",
        "tlsClientCiphersSha1": "",
        "tlsClientAuth": {
          "certIssuerDNLegacy": "",
          "certIssuerSKI": "",
          "certSubjectDNRFC2253": "",
          "certSubjectDNLegacy": "",
          "certFingerprintSHA256": "",
          "certNotBefore": "",
          "certSKI": "",
          "certSerial": "",
          "certIssuerDN": "",
          "certVerified": "NONE",
          "certNotAfter": "",
          "certSubjectDN": "",
          "certPresented": "0",
          "certRevoked": "0",
          "certIssuerSerial": "",
          "certIssuerDNRFC2253": "",
          "certFingerprintSHA1": ""
        },
        "tlsClientRandom": "",
        "tlsClientHelloLength": "",
        "colo": "SJC",
        "timezone": "America/Los_Angeles",
        "longitude": "-121.82870",
        "latitude": "37.24410",
        "requestPriority": "",
        "postalCode": "95193",
        "city": "San Jose",
        "tlsVersion": "",
        "regionCode": "CA",
        "asOrganization": "Cloudflare, Inc.",
        "metroCode": "807",
        "tlsClientExtensionsSha1Le": "",
        "tlsClientExtensionsSha1": "",
        "asn": 13335,
        "edgeRequestKeepAliveStatus": 1
      },
      "url": "https://area11.org/Sec/abc/",
      "method": "GET",
      "headers": {
        "accept-encoding": "gzip, br",
        "cf-connecting-ip": "2a06:98c0:3600::103",
        "cf-ipcountry": "US",
        "cf-ray": "9b92974fe7dfd81b",
        "cf-visitor": "{\"scheme\":\"https\"}",
        "cf-worker": "area11.workers.dev",
        "connection": "Keep-Alive",
        "host": "area11.org",
        "user-agent": "Amazon CloudFront",
        "via": "2.0 cac87b6040779c8f7284bfa1e14d3dd2.cloudfront.net (CloudFront)",
        "x-amz-cf-id": "pM-DVpYYIgQnprwwazms_RVh24-lqnPHFAUfH92bacWR6Bd4GwDzlw==",
        "x-forwarded-for": "240d:1a:ab3c:72f0:7f3a:91c2:4b10:9e6d, 3.172.35.133",
        "x-forwarded-host": "reverse.area11.workers.dev",
        "x-forwarded-port": "443",
        "x-forwarded-proto": "https",
        "x-proxy-by": "cloudflare-worker",
        "x-real-ip": "2a06:98c0:3600::103"
      },
      "path": "/Sec/abc/"
    },
    "rayId": "9b92974fe7dfd81b",
    "response": {
      "status": 404
    }
  },
  "diagnosticsChannelEvents": [],
  "truncated": false,
  "scriptName": "area11doc",
  "outcome": "ok",
  "eventType": "fetch",
  "executionModel": "stateless",
  "scriptVersion": {
    "id": "8dfcaf11-a436-42ac-a592-c9699a91d5f3"
  },
  "requestId": "9b92974fe7dfd81b",
  "cpuTimeMs": 0,
  "wallTimeMs": 0
},
"$metadata": {
  "id": "01KE6Y7KFSSXF8GN2MG96PPY51",
  "requestId": "9b92974fe7dfd81b",
  "trigger": "GET /Sec/abc/",
  "service": "area11doc",
  "level": "info",
  "message": "GET https://area11.org/Sec/abc/",
  "account": "bb474e621a1cedfa31cea2e86f5c996e",
  "type": "cf-worker-event",
  "fingerprint": "19b5123867f704c676d5033b3fa8875a",
  "origin": "fetch",
  "messageTemplate": "GET https://area11.org/Sec/abc/"
}
}

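ログのヘッダー(x-forwarded-for、cf-connecting-ip、x-real-ip)より、以下のことがわかる。

240d:1a:ab3c:72f0:7f3a:91c2:4b10:9e6d : クライアント(元のアクセス元端末)。①②とも x-forwarded-for の先頭に記録されている。
3.172.35.133 : CloudFrontエッジ(CloudFront→Cloudflare reverse Worker への送信元)。①の cf-connecting-ip / x-real-ip と、②の x-forwarded-for の2番目に記録されている。
2a06:98c0:3600::103 : リバプロ(reverse Worker→origin Worker への送信元)。②の cf-connecting-ip / x-real-ip に記録されている。

なお、x-forwarded-for は各プロキシが受け取った値の末尾に接続元を追記していくヘッダーであり(①では1件、②では2件になっている)、先頭側の値はリクエスト送信者が任意に設定できる。今回のログでは先頭がクライアントIPと読み取れるが、オリジン側でアクセス制御や監査に使う場合は、先頭の値をそのまま信頼せず、信頼できるプロキシが追記した末尾側の値から判断する必要がある。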

参考

CloudfrontのIPアドレス範囲 ↓

CloudfrontのIPアドレス範囲

Cloudflare WorkersのIPアドレス範囲 ↓

Cloudflare WorkersのIPアドレス範囲

以上。