Serverless Cloudflare Workers

Serverless deployments of Cloudflare workers

In this post, I will be building on my previous post about HTTP security headers by explaining how to manage and deploy Cloudflare workers using the serverless framework. If you’re not familiar with the serverless framework, it’s a great tool for managing deployments of all types of serverless functions to multiple providers like AWS, Azure, GCP, Cloudflare, etc. It will bundle your scripts/apps and any required dependencies, then deploy them all based on the config you provide in the serverless.yaml file.

Getting Setup

To get started you will need to install serverless either via NPM or your favorite package manager.

NPM

    # Install the serverless cli
    npm install -g serverless

We are also going to use the template from the serverless quick start guide. Just run

    serverless create --template cloudflare-workers --path new-project

This will set you up with most of what you need, but I will show you how to get auth to Cloudflare set up and stored in a semi-secure way. But first, we will start with the project.

Serverless JS script

As I outlined in my previous post, I have been using the security headers script from Scott Helme; you can see it in his GitHub repo. Grab the contents of his worker.js file and copy it into the helloWorld.js file created by serverless, making sure to overwrite any content already there. Then rename the .js file to something that makes more sense, like security-headers.js. You will also need to open the package.json file and update it with the new name of your script: replace the value of main, which is set to index.js by default, with your new script name. This tells NPM what file we are working with so it can build out our requirements.

Serverless YAML

You will need to edit your serverless.yaml file. It needs a service name and a function name, and we will swap out the Cloudflare account info for environment variables so we can store the YAML file in git without saving our credentials in it. Once you are done it should look like the one below. Be sure to set the url under the function to *yourdomain.com/* to set the route in Cloudflare.

    service:
      name: security-headers
      config:
        accountId: ${env:CLOUDFLARE_ACCOUNT_ID}
        zoneId: ${env:CLOUDFLARE_ZONE_ID}

    provider:
      name: cloudflare
      stage: prod

    plugins:
      - serverless-cloudflare-workers

    functions:
      security-headers:
        name: security-headers
        script: security-headers # there must be a file called security-headers.js
        events:
          - http:
              url: '*example.net/*'
              method: GET

Auth and ENV values

Now for Cloudflare and serverless, we need a few environment variables set: two for the account info and two more for the API auth. I suggest setting these up in another script file, but before you create it, make sure you add its name to your .gitignore. I created an auth.sh file that looks like this:

    export CLOUDFLARE_ZONE_ID=''
    export CLOUDFLARE_ACCOUNT_ID=''
    export CLOUDFLARE_AUTH_KEY=''
    export CLOUDFLARE_AUTH_EMAIL=''
    echo "Set cloudflare auth tokens"

Finding some of these values can be harder than it looks; Cloudflare still hasn’t set them up in a nice central location. You will find the Zone ID on the dashboard page after selecting the website you want to work with. Scroll down and on the bottom right you will find a section titled API. It has both your Account ID and Zone ID.

Add these values to the auth.sh file and jump over to your Cloudflare profile API page. This is where you will find your Cloudflare Global API Key. Add that and the email address you use to log in to Cloudflare to the auth.sh file.

Serverless Plugins and Deployment

The last few steps are installing the Cloudflare serverless plugin and how to use the auth.sh script. To install the plugin simply run

    serverless plugin install --name serverless-cloudflare-workers

After that, run source ./auth.sh. You may wonder why we used source here: it runs the script in our current shell process. If you just execute the script with ./auth.sh, it will spawn a separate process to run it and the environment variables will not be set in your current terminal. Lastly, simply run serverless deploy to push your worker to Cloudflare and have it start adding your security headers.
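A pre-deploy check for the steps above, as an added example that is not part of the original post or of the serverless tooling. The function name check_deploy_env is hypothetical, and the permission check is extra hardening assumed here rather than something the post asks for; auth.sh and the variable names are the ones used above.

```shell
#!/bin/sh
# Added example, not from the original post. check_deploy_env is a
# hypothetical helper; auth.sh and the variable names are the post's.
check_deploy_env() {
    auth_file="${1:-auth.sh}"
    status=0

    # 1. The four variables the post exports must be non-empty in *this*
    #    shell, i.e. auth.sh was sourced rather than executed.
    for var in CLOUDFLARE_ZONE_ID CLOUDFLARE_ACCOUNT_ID \
               CLOUDFLARE_AUTH_KEY CLOUDFLARE_AUTH_EMAIL; do
        eval "value=\${$var:-}"
        if [ -z "$value" ]; then
            echo "missing: $var (run: . ./$auth_file)" >&2
            status=1
        fi
    done

    # 2. The credentials file must be ignored by git. Inside a work tree ask
    #    git itself (a file that is already tracked is reported as not
    #    ignored); otherwise fall back to an exact-line match in .gitignore.
    ignored=yes
    if git rev-parse --is-inside-work-tree >/dev/null 2>&1; then
        git check-ignore -q -- "$auth_file" || ignored=no
    else
        grep -qxF -- "$auth_file" .gitignore 2>/dev/null || ignored=no
    fi
    if [ "$ignored" = no ]; then
        echo "$auth_file is not ignored by git" >&2
        status=1
    fi

    # 3. Assumed extra hardening: no group/other permission bits on the file.
    if [ -f "$auth_file" ]; then
        perms=$(ls -ld "$auth_file" | cut -c5-10)
        if [ "$perms" != "------" ]; then
            echo "$auth_file is open to group/other (run: chmod 600 $auth_file)" >&2
            status=1
        fi
    fi
    return "$status"
}

# Usage: check_deploy_env auth.sh && serverless deploy
```

Run it from the project directory after sourcing auth.sh; it returns non-zero and names each problem on stderr, so the deploy only starts when all three checks pass.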

Note

The settings in the worker.js file from the git repo are very strict. If they cause any issues with your site, feel free to edit the first block and remove the part below.

    "Content-Security-Policy" : "upgrade-insecure-requests"

Thanks For Reading! Lucas
