Serverless deployments of Cloudflare workers
In this post, I will be building on my previous post about HTTP security headers by explaining how to manage and deploy Cloudflare workers using the serverless framework.
If you’re not familiar with the serverless framework, it’s a great tool used to manage deployments of all types of serverless functions to multiple providers like AWS, Azure, GCP, Cloudflare, etc.
It will bundle your scripts/apps and any dependencies required, then deploy them all based on the config you provide in the serverless.yaml file.
Getting Setup
To get started you will need to install serverless either via NPM or your favorite package manager.
NPM
# Install the serverless cli
npm install -g serverless
We are also going to use the template out of the serverless quick start guide.
Just run serverless create --template cloudflare-workers --path new-project
This will set you up with most of what you need, but I will show you how to get auth to Cloudflare set up and stored in a semi-secure way.
But first, we will start with the project.
Serverless JS script
As I outlined in my previous post, I have been using the security headers script from Scott Helme. You can see it in his GitHub repo; grab the contents of his worker.js file and copy it into the helloWorld.js file created by serverless, making sure to overwrite any content already there.
Then rename the .js file to something that makes more sense, like security-headers.js. You will also need to open the package.json file and update it with the new name of your script.
Replace the value of main with your new script name; by default it is set to index.js.
This tells NPM what file we are working with so it can build out our requirements.
Serverless YAML
You will need to edit your serverless.yaml file: it needs a name and a function name, and we will swap out the Cloudflare account info for environment variables so we can store the YAML file in git without saving our credentials in there.
Once you are done it should look like the one below. Be sure to set the URL part under the function to *yourdomain.com/* to set the route in Cloudflare.
service:
  name: security-headers
  config:
    accountId: ${env:CLOUDFLARE_ACCOUNT_ID}
    zoneId: ${env:CLOUDFLARE_ZONE_ID}
provider:
  name: cloudflare
  stage: prod
plugins:
  - serverless-cloudflare-workers
functions:
  security-headers:
    name: security-headers
    script: security-headers # there must be a file called security-headers.js
    events:
      - http:
          url: '*example.net/*'
          method: GET
Auth and ENV values
Now for Cloudflare and serverless, we need a few environment variables set. Two for the account info and two more for the API auth.
I suggest setting these up in another script file, but before you do, make sure you add it to your .gitignore first.
I created an auth.sh file that looks like this:
export CLOUDFLARE_ZONE_ID=''
export CLOUDFLARE_ACCOUNT_ID=''
export CLOUDFLARE_AUTH_KEY=''
export CLOUDFLARE_AUTH_EMAIL=''
echo "Set cloudflare auth tokens"
Finding some of these values can be harder than it looks; Cloudflare still hasn’t set them up in a nice central location.
You will find the Zone ID on the dashboard page after selecting the website you want to work with.
Scroll down and on the bottom right you will find a section titled API; it will have both your Account ID and Zone ID.
Add these values to auth.sh and jump over to your Cloudflare profile API page. This is where you will find your Cloudflare Global API Key. Add that and the email address you use to log in to Cloudflare to the auth.sh file.
Serverless Plugins and Deployment
The last few steps are installing the Cloudflare serverless plugin and using the auth.sh script.
To install the plugin simply run
serverless plugin install --name serverless-cloudflare-workers
After that run source ./auth.sh. You may wonder why we used source here. This is to run the script in our current terminal process. If you just execute the script with ./auth.sh it will spawn a child shell process to run it and the environment variables will not be set in your current terminal.
Lastly, simply run serverless deploy to push your worker to Cloudflare and have it start adding your security headers.
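A pre-deploy check for the auth.sh workflow above, added here as an example; it is not part of the original post or of the serverless or Cloudflare tooling. The function names are hypothetical, and it assumes git and stat are installed and that it is run from the repository that holds auth.sh.

```bash
#!/usr/bin/env bash
# Added example: checks to run before `serverless deploy`.
# Function names are hypothetical; they are not part of serverless or Cloudflare.

REQUIRED_VARS="CLOUDFLARE_ZONE_ID CLOUDFLARE_ACCOUNT_ID CLOUDFLARE_AUTH_KEY CLOUDFLARE_AUTH_EMAIL"

# Print the required variables that are unset or empty; fail if there are any.
# Sourcing an auth.sh that still has '' values leaves them empty, not unset.
missing_vars() {
  local missing="" name value
  for name in $REQUIRED_VARS; do
    eval "value=\${$name:-}"          # safe: names come from the fixed list above
    [ -n "$value" ] || missing="$missing $name"
  done
  echo "${missing# }"
  [ -z "$missing" ]
}

# Succeed only if .gitignore covers the file AND it is not already in the index.
# An ignore rule does nothing for a file that was added before the rule existed.
secrets_file_untracked() {
  git check-ignore -q --no-index -- "$1" || return 1
  ! git ls-files --error-unmatch -- "$1" >/dev/null 2>&1
}

# Succeed only if group and others have no permissions on the file.
secrets_file_private() {
  local mode
  mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1" 2>/dev/null) || return 1
  case "$mode" in 0|*00) return 0 ;; *) return 1 ;; esac
}

# Run all three checks and report every failure, not just the first.
preflight() {
  local file="${1:-auth.sh}" rc=0 unset_names
  secrets_file_untracked "$file" || { echo "FAIL: $file is tracked or not ignored by git" >&2; rc=1; }
  secrets_file_private "$file" || { echo "FAIL: $file is accessible to other users; chmod 600 $file" >&2; rc=1; }
  unset_names=$(missing_vars) || { echo "FAIL: empty or unset: $unset_names" >&2; rc=1; }
  return "$rc"
}
```

Load these functions into the same terminal, then chain the check in front of the deploy: source ./auth.sh && preflight auth.sh && serverless deploy.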
Note
The settings in the worker.js file from the git repo are very strict. If it causes any issues with your site, feel free to edit the first block and remove the part below.
"Content-Security-Policy" : "upgrade-insecure-requests"
Thanks For Reading! Lucas