Integrating Cloudflare Workers with the Cequence Unified API Protection (UAP) platform requires access to the Cloudflare dashboard and permissions to manage Cloudflare Workers.
This integration uses a Cloudflare Worker to send Cloudflare traffic to the Cequence UAP platform for analysis. Cloudflare Workers provide a serverless execution environment. While there are several ways to deploy a Cloudflare Worker, this guide discusses Cloudflare Workers deployed in the Route mode.
This approach to the Cequence integration with Cloudflare Workers does not use Cloudflare Queues. Your Cequence team can assist you in deploying a version of this integration that uses Cloudflare Queues. To confirm that your account supports Cloudflare Queues, see the Cloudflare documentation.
This integration uses the ctx.waitUntil() method to establish asynchronous communication between Cloudflare and the Cequence UAP platform, which has negligible effect on site latency. Cequence handles errors with the passThroughOnException method to enable silent failures for minimal site impact.
This Cloudflare Worker sends data to Cequence for analysis asynchronously and is triggered by Routes. The worker uses Workers KV to cache access tokens and can be deployed using Wrangler. The worker does not use Cloudflare Queues to batch requests. Requests are sent one by one instead of in batches. If you would like to use Queues for batch processing, enable Queues in your Cloudflare account. You can run Wrangler in CI/CD with an API token.
API flow for the integration
- Downstream clients send API requests through the Cloudflare Workers plugin.
- The worker forwards the requests to the upstream API service.
- All the transaction data is captured.
- The worker returns the response to the downstream client.
- Cloudflare Workers sends transaction data to the Cequence UAP platform for analysis and threat detection.
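The flow above, reduced to a sketch of the pattern this guide describes: `ctx.passThroughOnException()`, `ctx.waitUntil()`, and an access token cached in Workers KV. This is an added example, not the Cequence-provided `cequence-worker.js`. The KV key name, the record fields and the OAuth2 `client_credentials` grant are assumptions, and the retry settings from the variables table are omitted.

```javascript
// Added sketch; NOT the Cequence-provided cequence-worker.js.
// Assumed: KV key name, record fields, OAuth2 client_credentials grant.
const TOKEN_KEY = "ceq_access_token"; // hypothetical KV key

async function getToken(env) {
  const cached = await env.CEQ_KV.get(TOKEN_KEY);
  if (cached) return cached;
  const res = await fetch(env.CEQUENCE_AUTH_ENDPOINT, {
    method: "POST",
    headers: { "content-type": "application/x-www-form-urlencoded" },
    body: new URLSearchParams({
      grant_type: "client_credentials",
      client_id: env.CEQUENCE_CLIENT_ID,
      client_secret: env.CEQUENCE_CLIENT_SECRET,
    }).toString(),
  });
  if (!res.ok) throw new Error(`token request failed: ${res.status}`);
  const { access_token, expires_in } = await res.json();
  // Let the cached copy expire 60 s before the token; KV's minimum TTL is 60 s.
  const ttl = expires_in - 60;
  if (ttl >= 60) await env.CEQ_KV.put(TOKEN_KEY, access_token, { expirationTtl: ttl });
  return access_token;
}

async function report(env, record) {
  const token = await getToken(env);
  const res = await fetch(env.CEQUENCE_EDGE_ENDPOINT, {
    method: "POST",
    headers: { authorization: `Bearer ${token}`, "content-type": "application/json" },
    body: JSON.stringify(record),
  });
  if (!res.ok) throw new Error(`edge endpoint returned ${res.status}`);
}

const worker = {
  async fetch(request, env, ctx) {
    ctx.passThroughOnException(); // if the Worker throws, the request goes to origin
    const response = await fetch(request); // forward to the upstream API service
    const record = { method: request.method, url: request.url, status: response.status };
    // Runs after the response is returned; failures are logged, never shown to the client.
    ctx.waitUntil(report(env, record).catch((e) => console.error("cequence:", e.message)));
    return response;
  },
};
// In a Workers module, finish the file with: export default worker;
```

Because delivery failures are swallowed by design, a broken token or edge endpoint shows up only in the Worker logs and as missing transactions in UAP, not as client-facing errors.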
Cloudflare limitation
When a Cloudflare Worker sends a request to the api-transactions endpoint, that endpoint must present a valid, CA-signed SSL certificate. If the endpoint uses a self-signed certificate, Cloudflare will return Error 526: Invalid SSL Certificate. Therefore, any Cequence Bridge endpoint that receives requests from a Cloudflare Worker must use a trusted SSL certificate issued by a recognized Certificate Authority. See the Cloudflare Error 526 documentation for more details.
Before you start
Verify that a Cloudflare zone exists in which you can define a route for the Cloudflare Worker. You can create a Cloudflare zone by using the onboarding DNS records or by registering a new domain.
The application must be proxied through Cloudflare, not just DNS-managed (gray cloud icon). Full proxying ensures all API requests flow through Cloudflare Workers before reaching your origin server. If your origin application is HTTP (no TLS) or uses an invalid or self-signed certificate, you need to set the encryption mode (a global setting) to Flexible.
Generating a traffic client and secret
Several Cequence components must authenticate to the Cequence UAP platform in order to transmit and receive data. Create authentication credentials in the Cequence UAP platform to enable this authentication.
- Log in to the UAP management portal UI. The URL for the management portal is typically of the form https://ui.<your-tenant-name>.<domain>. Replace <your-tenant-name> with the name of your Cequence tenant organization. Replace <domain> with your domain name.
- Select General Settings > User Management. The User Management pane appears.
- Click the Clients tab.
- Click Add New Client. The new client dialog box appears.
- Type the client name in the Client Name field. This name is the client ID. Note the client ID for later use.
- Enable the Traffic Management toggle.
- (Optional) To change the token lifespan from the default of 1800 seconds, type a whole number of seconds in Token Lifespan.
- Click Save. A dialog box with the client secret appears.
- Click the blue Copy icon to copy the secret to the clipboard, then click Close. The client is now set up and the client list appears. Note the client name for future use.
- Note the value of the client secret for later use. For security reasons, this value is not shown again in the UI. Use the client ID and secret you just generated in the Cloudflare configuration below as CEQUENCE_CLIENT_ID and CEQUENCE_CLIENT_SECRET respectively.
Cloudflare configuration
The procedures in this section configure your Cloudflare instance to work with the Cequence UAP platform.
Create a new Worker
This procedure creates a new Worker to integrate with Cequence.
- Log in to the Cloudflare dashboard.
- In the left navigation bar, click Storage and Database > Workers KV. The KV page appears.
- Click Create a namespace. The Create a namespace pane appears.
- In Namespace Name, type in a name for the Cequence integration. This can be any arbitrary name. This guide uses CEQ_KV as an example.
- Click Create. The tabular list of namespaces updates to include CEQ_KV.
- Click the copy to clipboard icon from the ID column to copy the namespace ID to your clipboard. Note this ID for later use.
- In the left navigation bar, click Compute & AI > Workers & Pages > Overview. The Overview page appears.
- Click Create application. The Create an application page appears.
- Click Create Application. The worker creation page appears.
- Select a valid workers option to proceed. For testing purposes, select the Hello World template.
- In the field for Name, type in a name for the Cequence Worker, such as cequence-worker-single-dev.
- Click Deploy. The new Cloudflare Worker deploys and the Preview your Worker page appears.
Configure the Worker with the Cequence Integration
This procedure configures the newly created Worker with the code that Cequence provides in order to integrate with the Cequence UAP platform.
- Click Edit code. The Cloudflare code window appears.
- In the Cloudflare code window, paste the contents of the cequence-worker.js file available here. The file is attached to this article and is also available in the build/ directory of the zip file shared with you by your Cequence team.
- Click Deploy. A confirmation dialog box appears.
- Click Save and deploy. The confirmation dialog box closes and the worker deploys.
Configure Routes for the Worker
This procedure configures routes for the hosts to send traffic to the Cequence UAP platform using Cloudflare Workers. This procedure uses cq-route.com as an example host name. Use the relevant host names from your deployment instead.
- Above the code window, click the worker name, cequence-worker-single-dev. The worker configuration page appears.
- From the top horizontal menu, click Settings > Domains & Routes. In Routes, click the ellipsis (...) next to the cequence-worker-single-dev route and select Disable route. A confirmation dialog box appears.
- Click Disable. The confirmation dialog box closes. The default route is now disabled.
- Click Add route. The Add route pane appears.
- In Route, type in a host value, such as *cq-route.com/*.
- From the Zone drop-down, select cq-route.com.
- Click Add route. Repeat these steps to add further routes.
- Optionally, edit an existing route by clicking the ellipsis (...) next to an existing route and selecting Edit route.
- In the right panel, locate Variables and Secrets. Click Add variable. Add the following environment variables and click Deploy.
| Variable Name | Value | Needs changing |
|---|---|---|
| CEQ_ENV | DEV | No; do not change |
| CEQUENCE_AUTH_ENDPOINT | https://auth.<your-tenant-name>/auth/realms/cequence/protocol/openid-connect/token | Yes |
| CEQUENCE_EDGE_ENDPOINT | https://edge.<your-tenant-name>/api-transactions | Yes |
| CEQ_TOKEN_RETRY_COUNT | 5 | No; do not change |
| CEQ_SINGLE_EVENT_RETRY_COUNT | 5 | No; do not change |
| CEQ_INITIAL_RETRY_DELAY_SEC | 0.5 | No; do not change |
| CEQUENCE_CLIENT_ID | client-id | Yes |
| CEQUENCE_CLIENT_SECRET | type:secret | Yes |
Associate Namespace Binding with the Worker
This procedure associates the newly configured Worker with the namespace created at the beginning of this guide.
- From your configured worker, select the Bindings tab.
- Click Add Binding and select the namespace that was prepared in the earlier steps.
- Select KV namespace from the binding options and click Add Bindings.
- Select KV namespace from the drop-down menu and provide CEQ_KV as the variable name, then click Add Binding.
The Cloudflare Worker is now configured to integrate with the Cequence UAP platform. To confirm successful integration, send requests to the configured routes and watch for activity on your Cequence UAP platform dashboard.
Validating the Cloudflare Configuration
- Log in to the Cloudflare dashboard.
- In the left navigation bar, click Workers & Pages > Overview.
- Select the cequence-worker-single-dev worker. The configuration page for the worker appears.
- From the top horizontal menu, click Observability. The logs pane appears.
- Click Begin log stream. Activity logs display in the log window.
Verification at UAP
When you send requests to the transactions endpoint of Cloudflare, the worker sends the transaction data to the Cequence UAP platform. You can verify the transactions on the Detection dashboard and on the Transactions page.