【実装】二重リバプロ
概要
Cloudflare Workers と AWS CloudFront を組み合わせて、二重リバースプロキシ(二重リバプロ)を実装する。
全体像(通信フロー)
この実装では、次の流れになります。
クライアント
→ AWS CloudFront
→ Cloudflare(Workers)
→ オリジン(area11.org)
←
←
結果
CloudFrontの設定

CloudFront経由で無事Workersへアクセスできている。下記のログでは両方とも response.status が 404 だが、リクエスト自体は CloudFront → reverse Worker → オリジンの順に到達して記録されている。

詳細確認
①リバプロ(Workers)のログ ↓
{
"level": "info",
"message": "GET https://reverse.area11.workers.dev/Sec/abc/",
"$workers": {
"event": {
"request": {
"cf": {
"requestHeaderNames": {},
"isEUCountry": false,
"httpProtocol": "HTTP/1.1",
"requestPriority": "",
"colo": "SJC",
"asOrganization": "Amazon Technologies Inc.",
"country": "JP",
"city": "Tokyo",
"continent": "AS",
"region": "Tokyo",
"regionCode": "13",
"timezone": "Asia/Tokyo",
"longitude": "139.69171",
"latitude": "35.6895",
"postalCode": "101-8656",
"tlsVersion": "TLSv1.3",
"tlsCipher": "AEAD-AES128-GCM-SHA256",
"tlsClientRandom": "6PLHqq4jCx7w+riTb0LkZeE5xqnAEwTNpZ7MCRGkRzY=",
"tlsClientCiphersSha1": "ic5x3V42lH2fqBtDMnTXS6ol1zU=",
"tlsClientExtensionsSha1": "30vjbCtb7WNvWmxAv2RVupojxKs=",
"tlsClientExtensionsSha1Le": "DigKYZkiKsPgggjBrZo0uktzbvs=",
"tlsExportedAuthenticator": {
"clientHandshake": "dc24241d9743e670e5c96a2c790956079d0e96e09227ab1e93e7050709fd0d8c",
"serverHandshake": "68232fe16ba78b14361da5253da9c3d492132583a0dd316b6801886393cb2293",
"clientFinished": "9aaf24d6e4c4eb8b523987c254a2b275fe26a2cceae6a0910f9616c3dac390c2",
"serverFinished": "3843fe861a92dd8ba92df1f580a0cd0e5eda21c2d90492bcf1c362d229a2df27"
},
"tlsClientHelloLength": "523",
"tlsClientAuth": {
"certPresented": "0",
"certVerified": "NONE",
"certRevoked": "0",
"certIssuerDN": "",
"certSubjectDN": "",
"certIssuerDNRFC2253": "",
"certSubjectDNRFC2253": "",
"certIssuerDNLegacy": "",
"certSubjectDNLegacy": "",
"certSerial": "",
"certIssuerSerial": "",
"certSKI": "",
"certIssuerSKI": "",
"certFingerprintSHA1": "",
"certFingerprintSHA256": "",
"certNotBefore": "",
"certNotAfter": ""
},
"verifiedBotCategory": "",
"edgeRequestKeepAliveStatus": 1,
"clientTcpRtt": 114,
"asn": 16509
},
"url": "https://reverse.area11.workers.dev/Sec/abc/",
"method": "GET",
"headers": {
"accept-encoding": "gzip, br",
"cf-connecting-ip": "3.172.35.133",
"cf-ipcountry": "JP",
"cf-ray": "9b92974fd8bbe8cc",
"cf-visitor": "{\"scheme\":\"https\"}",
"connection": "Keep-Alive",
"host": "reverse.area11.workers.dev",
"user-agent": "Amazon CloudFront",
"via": "2.0 cac87b6040779c8f7284bfa1e14d3dd2.cloudfront.net (CloudFront)",
"x-amz-cf-id": "pM-DVpYYIgQnprwwazms_RVh24-lqnPHFAUfH92bacWR6Bd4GwDzlw==",
"x-forwarded-for": "240d:1a:ab3c:72f0:7f3a:91c2:4b10:9e6d",
"x-forwarded-proto": "https",
"x-real-ip": "3.172.35.133"
},
"path": "/Sec/abc/"
},
"rayId": "9b92974fd8bbe8cc",
"response": {
"status": 404
}
},
"diagnosticsChannelEvents": [],
"truncated": false,
"scriptName": "reverse",
"outcome": "ok",
"eventType": "fetch",
"executionModel": "stateless",
"scriptVersion": {
"id": "a420daa5-46bd-4870-84fe-de72c90600bc"
},
"requestId": "9b92974fd8bbe8cc",
"cpuTimeMs": 0,
"wallTimeMs": 17
},
"$metadata": {
"id": "01KE6Y7KFGDZN5KEVPNXJTWF0M",
"requestId": "9b92974fd8bbe8cc",
"trigger": "GET /Sec/abc/",
"service": "reverse",
"level": "info",
"message": "GET https://reverse.area11.workers.dev/Sec/abc/",
"account": "bb474e621a1cedfa31cea2e86f5c996e",
"type": "cf-worker-event",
"fingerprint": "19b5123867f704c676d5033b3fa8875a",
"origin": "fetch",
"messageTemplate": "GET https://reverse.area11.workers.dev/Sec/abc/"
}
}
②オリジン(Workers)のログ ↓
{
"level": "info",
"message": "GET https://area11.org/Sec/abc/",
"$workers": {
"event": {
"request": {
"cf": {
"requestHeaderNames": {},
"isEUCountry": false,
"httpProtocol": "HTTP/1.1",
"tlsCipher": "",
"continent": "NA",
"clientAcceptEncoding": "gzip, br",
"verifiedBotCategory": "",
"country": "US",
"region": "California",
"tlsClientCiphersSha1": "",
"tlsClientAuth": {
"certIssuerDNLegacy": "",
"certIssuerSKI": "",
"certSubjectDNRFC2253": "",
"certSubjectDNLegacy": "",
"certFingerprintSHA256": "",
"certNotBefore": "",
"certSKI": "",
"certSerial": "",
"certIssuerDN": "",
"certVerified": "NONE",
"certNotAfter": "",
"certSubjectDN": "",
"certPresented": "0",
"certRevoked": "0",
"certIssuerSerial": "",
"certIssuerDNRFC2253": "",
"certFingerprintSHA1": ""
},
"tlsClientRandom": "",
"tlsClientHelloLength": "",
"colo": "SJC",
"timezone": "America/Los_Angeles",
"longitude": "-121.82870",
"latitude": "37.24410",
"requestPriority": "",
"postalCode": "95193",
"city": "San Jose",
"tlsVersion": "",
"regionCode": "CA",
"asOrganization": "Cloudflare, Inc.",
"metroCode": "807",
"tlsClientExtensionsSha1Le": "",
"tlsClientExtensionsSha1": "",
"asn": 13335,
"edgeRequestKeepAliveStatus": 1
},
"url": "https://area11.org/Sec/abc/",
"method": "GET",
"headers": {
"accept-encoding": "gzip, br",
"cf-connecting-ip": "2a06:98c0:3600::103",
"cf-ipcountry": "US",
"cf-ray": "9b92974fe7dfd81b",
"cf-visitor": "{\"scheme\":\"https\"}",
"cf-worker": "area11.workers.dev",
"connection": "Keep-Alive",
"host": "area11.org",
"user-agent": "Amazon CloudFront",
"via": "2.0 cac87b6040779c8f7284bfa1e14d3dd2.cloudfront.net (CloudFront)",
"x-amz-cf-id": "pM-DVpYYIgQnprwwazms_RVh24-lqnPHFAUfH92bacWR6Bd4GwDzlw==",
"x-forwarded-for": "240d:1a:ab3c:72f0:7f3a:91c2:4b10:9e6d, 3.172.35.133",
"x-forwarded-host": "reverse.area11.workers.dev",
"x-forwarded-port": "443",
"x-forwarded-proto": "https",
"x-proxy-by": "cloudflare-worker",
"x-real-ip": "2a06:98c0:3600::103"
},
"path": "/Sec/abc/"
},
"rayId": "9b92974fe7dfd81b",
"response": {
"status": 404
}
},
"diagnosticsChannelEvents": [],
"truncated": false,
"scriptName": "area11doc",
"outcome": "ok",
"eventType": "fetch",
"executionModel": "stateless",
"scriptVersion": {
"id": "8dfcaf11-a436-42ac-a592-c9699a91d5f3"
},
"requestId": "9b92974fe7dfd81b",
"cpuTimeMs": 0,
"wallTimeMs": 0
},
"$metadata": {
"id": "01KE6Y7KFSSXF8GN2MG96PPY51",
"requestId": "9b92974fe7dfd81b",
"trigger": "GET /Sec/abc/",
"service": "area11doc",
"level": "info",
"message": "GET https://area11.org/Sec/abc/",
"account": "bb474e621a1cedfa31cea2e86f5c996e",
"type": "cf-worker-event",
"fingerprint": "19b5123867f704c676d5033b3fa8875a",
"origin": "fetch",
"messageTemplate": "GET https://area11.org/Sec/abc/"
}
}
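ログより以下のことがわかる。
240d:1a:ab3c:72f0:7f3a:91c2:4b10:9e6d : クライアント(元のアクセス元端末)。①では x-forwarded-for、②では x-forwarded-for の先頭に記録されている。
3.172.35.133 : CloudFrontエッジ(CloudFront→Cloudflare reverse Worker への送信元)。①の cf-connecting-ip / x-real-ip と、②の x-forwarded-for の2番目に記録されている。
2a06:98c0:3600::103 : リバプロ(reverse Worker→origin Worker への送信元)。②の cf-connecting-ip / x-real-ip に記録されている。
つまり、各段の cf-connecting-ip が示すのは直前のホップのアドレスであり、②のオリジン側でクライアントのアドレスが残っているのは x-forwarded-for だけである。x-forwarded-for はリクエストヘッダーで、送信側が任意の値を入れられるため、アクセス制御や監査に使う場合は、オリジンへの到達経路がこのプロキシ経由に限定されていることが前提になる。
また、①と②で cf-ray は異なるが x-amz-cf-id は同一なので、これをキーにして同一リクエストのログを突き合わせられる。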
参考
CloudfrontのIPアドレス範囲 ↓

Cloudflare WorkersのIPアドレス範囲 ↓

以上。