Documentation ¶
Overview ¶
Package origin configures an http.Server that accepts only legitimate requests from Cloudflare.
The server accepts only TLS 1.3 connections whose SNI matches one of the provided certificates, and it can authenticate origin pulls with mTLS against the Cloudflare origin pull CA.
A ClientHello whose SNI matches none of the certificates aborts the handshake before the server sends a certificate, so a probe of the origin's IP address learns nothing about which hostnames it serves; a connection that fails origin pull authentication is rejected as well.
A net.Listener that accepts connections only from Cloudflare IP ranges is also provided (see Listen and NewListener).
See:
https://www.cloudflare.com/ips/
https://origin-pull.cloudflare.com/
Usage:
    func main() {
        // Load the origin certificate and key, plus the Cloudflare origin pull
        // CA used to authenticate pulls with mTLS (the CA file is optional).
        server, err := origin.NewServer("cert.pem", "key.pem", "origin-pull-ca.pem")
        if err != nil {
            log.Fatal(err)
        }
        // Listen on :https, accepting connections from Cloudflare IP ranges only.
        ln, err := origin.Listen("tcp", ":https")
        if err != nil {
            log.Fatal(err)
        }
        defer ln.Close()
        http.HandleFunc("/", func(w http.ResponseWriter, req *http.Request) {
            io.WriteString(w, "Hello, Cloudflare!\n")
        })
        // The certificates are already in the server's TLS config, so the
        // certFile and keyFile arguments to ServeTLS are left empty.
        log.Fatal(server.ServeTLS(ln, "", ""))
    }
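The overview describes the two checks without showing the crypto/tls mechanics behind them. The following is an added example, not the package's own code: it builds an equivalent tls.Config with a GetCertificate callback that selects a certificate by SNI and a ClientCAs pool for the pull CA (the same pair of inputs NewServerWithCerts takes), then runs three TLS 1.3 handshakes over a loopback TCP socket to show what a peer actually observes. The hostnames (origin.example.com, pull-ca.example, edge.example.net), the helper names (must, newCert, originConfig, handshake, Scenarios, Result) and the in-memory certificates standing in for cert.pem, key.pem and origin-pull-ca.pem are this example's own; it assumes Go 1.18 or newer.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"io"
	"math/big"
	"net"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newCert mints a throwaway ECDSA cert for this example: self-signed when parent is nil,
// otherwise issued by parent (as Cloudflare's origin pull client cert is issued by its CA).
func newCert(name string, isCA bool, parent *tls.Certificate) tls.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	ku := x509.KeyUsageDigitalSignature
	if isCA {
		ku |= x509.KeyUsageCertSign
	}
	tmpl := &x509.Certificate{SerialNumber: must(rand.Int(rand.Reader, big.NewInt(1<<62))),
		Subject: pkix.Name{CommonName: name}, DNSNames: []string{name}, IsCA: isCA,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: ku, BasicConstraintsValid: true,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}}
	signer, signerKey := tmpl, any(key)
	if parent != nil {
		signer, signerKey = parent.Leaf, parent.PrivateKey
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey))
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: must(x509.ParseCertificate(der))}
}

// originConfig mirrors the overview: the certificate is chosen by SNI, so a ClientHello
// for an unknown (or absent) name is refused before the server writes anything but an
// alert, and a non-nil pull CA turns on mTLS: the peer must present a cert chaining to it.
func originConfig(pullCA *x509.CertPool, certs ...tls.Certificate) *tls.Config {
	cfg := &tls.Config{MinVersion: tls.VersionTLS13,
		GetCertificate: func(h *tls.ClientHelloInfo) (*tls.Certificate, error) {
			for i := range certs {
				if certs[i].Leaf.VerifyHostname(h.ServerName) == nil { // SAN match, wildcards included
					return &certs[i], nil
				}
			}
			return nil, errors.New("origin: no certificate for SNI " + h.ServerName) // crypto/tls sends an alert
		}}
	if pullCA != nil {
		cfg.ClientAuth, cfg.ClientCAs = tls.RequireAndVerifyClientCert, pullCA
	}
	return cfg
}

// Result is one handshake seen from both ends; CertsSeen is how many server certificates
// the client received, i.e. what a rejected peer got to learn.
type Result struct {
	ClientErr, ServerErr error
	CertsSeen            int
}

// handshake runs one TLS 1.3 handshake over a loopback TCP connection.
func handshake(server, client *tls.Config) Result {
	ln := must(net.Listen("tcp", "127.0.0.1:0"))
	defer ln.Close()
	srvErr := make(chan error, 1)
	go func() {
		s := tls.Server(must(ln.Accept()), server)
		srvErr <- s.Handshake()
		s.Close()
	}()
	c := tls.Client(must(net.Dial("tcp", ln.Addr().String())), client)
	r := Result{ClientErr: c.Handshake()}
	if r.ClientErr == nil {
		// A TLS 1.3 client is "done" before the server has checked its certificate, so read
		// once: a post-Finished alert surfaces here, an orderly close_notify as io.EOF.
		if _, err := c.Read(make([]byte, 1)); err != nil && !errors.Is(err, io.EOF) {
			r.ClientErr = err
		}
	}
	r.ServerErr = <-srvErr
	r.CertsSeen = len(c.ConnectionState().PeerCertificates)
	c.Close()
	return r
}

// Scenarios plays a genuine Cloudflare pull, a wrong SNI, and a pull with no client cert.
func Scenarios() map[string]Result {
	serverCert := newCert("origin.example.com", true, nil)  // self-signed stand-in for cert.pem/key.pem
	pullCA := newCert("pull-ca.example", true, nil)         // stand-in for origin-pull-ca.pem
	edgeCert := newCert("edge.example.net", false, &pullCA) // what Cloudflare's edge would present
	pool := func(ca tls.Certificate) *x509.CertPool { p := x509.NewCertPool(); p.AddCert(ca.Leaf); return p }
	srv := originConfig(pool(pullCA), serverCert)
	good := &tls.Config{MinVersion: tls.VersionTLS13, ServerName: "origin.example.com",
		RootCAs: pool(serverCert), Certificates: []tls.Certificate{edgeCert}}
	wrongSNI, noCert := good.Clone(), good.Clone()
	wrongSNI.ServerName, noCert.Certificates = "other.example.com", nil
	return map[string]Result{"cloudflare pull": handshake(srv, good),
		"wrong sni": handshake(srv, wrongSNI), "no client cert": handshake(srv, noCert)}
}

func main() {
	fmt.Println(Scenarios())
}
```

Two things the handshakes make visible. With the wrong SNI the client never receives a certificate (CertsSeen is 0), because the error from GetCertificate aborts the handshake before the ServerHello, let alone the Certificate message, is written. With a matching SNI but no client certificate the server still rejects the pull, but by then the client has already seen the server certificate (CertsSeen is 1): in TLS 1.3 the server sends its certificate before it sees the client's, so it is the SNI check, not mTLS, that keeps the certificate away from IP-scanning probes. Note also that the client's Handshake returns nil in that last case; the rejection only surfaces on the first Read, which is why the example reads once before judging the result.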
Index ¶
- func Listen(network, address string) (net.Listener, error)
- func MatchHostServerName(r *http.Request) bool
- func NewListener(ln net.Listener) net.Listener
- func NewServer(certFile, keyFile, pullCAFile string) (*http.Server, error)
- func NewServerWithCerts(pullCA *x509.CertPool, cert ...tls.Certificate) *http.Server
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func MatchHostServerName ¶ added in v0.3.1
func MatchHostServerName(r *http.Request) bool
MatchHostServerName reports whether the SNI the TLS connection was negotiated with (r.TLS.ServerName) matches the Host header of a TLS http.Request.
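As an illustration of the check, added here and not the package's implementation, the function below compares r.TLS.ServerName with the Host header (port stripped, case-insensitive, trailing dot ignored) and a small middleware answers mismatches with 421 Misdirected Request; matchHostServerName, requireSNIMatch and statusFor are this example's own names, and the requests it runs are constructed in memory with net/http/httptest:

```go
package main

import (
	"crypto/tls"
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"strings"
)

// matchHostServerName reports whether the SNI the TLS connection was negotiated
// with matches the Host header of r. The port is stripped from Host and the
// comparison is case-insensitive, as DNS names are; a plaintext request, or one
// whose client sent no SNI at all, never matches.
func matchHostServerName(r *http.Request) bool {
	if r.TLS == nil || r.TLS.ServerName == "" {
		return false
	}
	host := r.Host
	if h, _, err := net.SplitHostPort(host); err == nil {
		host = h
	}
	return strings.EqualFold(strings.TrimSuffix(host, "."), strings.TrimSuffix(r.TLS.ServerName, "."))
}

// requireSNIMatch answers 421 Misdirected Request, the status HTTP reserves for a
// request sent to a server that is not authoritative for its target host, when
// Host names a site the connection was not set up for; otherwise it calls next.
func requireSNIMatch(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !matchHostServerName(r) {
			http.Error(w, "misdirected request", http.StatusMisdirectedRequest)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// statusFor runs a constructed request through the middleware and returns the
// status code; a nil tlsState models a plaintext request.
func statusFor(host string, tlsState *tls.ConnectionState) int {
	h := requireSNIMatch(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusOK)
	}))
	req := httptest.NewRequest(http.MethodGet, "/", nil)
	req.Host, req.TLS = host, tlsState
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	sni := &tls.ConnectionState{ServerName: "origin.example.com"}
	fmt.Println(statusFor("origin.example.com:443", sni)) // matching SNI and Host
	fmt.Println(statusFor("other.example.com", sni))      // Host names a different site
	fmt.Println(statusFor("origin.example.com", nil))     // plaintext request
}
```

In an http.Server built by NewServer the request's TLS field is populated by the server itself, so the same comparison applies to live connections. Rejecting the mismatch matters because a client that has negotiated TLS for one hostname can still send any Host header it likes; on a multi-host origin that is how a request slips from one site's TLS identity into another site's handler.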
func NewListener ¶ added in v0.3.2
func NewListener(ln net.Listener) net.Listener
NewListener wraps ln in a listener that accepts only TCP connections whose peer address is in the Cloudflare IP ranges; connections from any other address are not accepted.
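As an added example of how such a listener can be built (this is not the package's code), the wrapper below checks each accepted connection's RemoteAddr against a prefix list and closes everything else before a byte of it is read. The prefixes are a constructed, partial snapshot of the ranges published at https://www.cloudflare.com/ips/ and must be refreshed from there; cfListener, fromRanges, mustPrefixes and probe are this example's own names, and it assumes Go 1.18 or newer for net/netip:

```go
package main

import (
	"fmt"
	"io"
	"net"
	"net/netip"
	"time"
)

// cloudflareRanges is a constructed, partial snapshot of the prefixes published at
// https://www.cloudflare.com/ips/. It is illustrative only: a real deployment
// loads the full, current list from that page.
var cloudflareRanges = mustPrefixes(
	"173.245.48.0/20", "103.21.244.0/22", "141.101.64.0/18", "108.162.192.0/18",
	"198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13", "104.24.0.0/14",
	"172.64.0.0/13", "2400:cb00::/32", "2606:4700::/32", "2a06:98c0::/29",
)

func mustPrefixes(cidrs ...string) []netip.Prefix {
	out := make([]netip.Prefix, 0, len(cidrs))
	for _, c := range cidrs {
		out = append(out, netip.MustParsePrefix(c))
	}
	return out
}

// fromRanges reports whether remote, in the "ip:port" form net.Addr.String()
// produces, lies inside one of the prefixes. IPv4-mapped IPv6 addresses, which a
// dual-stack listener reports for IPv4 peers, are unmapped first because an IPv4
// netip.Prefix does not contain their mapped form; anything unparseable fails closed.
func fromRanges(remote string, ranges []netip.Prefix) bool {
	ap, err := netip.ParseAddrPort(remote)
	if err != nil {
		return false
	}
	ip := ap.Addr().Unmap()
	for _, p := range ranges {
		if p.Contains(ip) {
			return true
		}
	}
	return false
}

// cfListener hands out only connections whose peer address is in ranges; every
// other connection is closed before anything, the TLS ClientHello included, is read.
type cfListener struct {
	net.Listener
	ranges []netip.Prefix
}

func (l cfListener) Accept() (net.Conn, error) {
	for {
		c, err := l.Listener.Accept()
		if err != nil {
			return nil, err
		}
		if fromRanges(c.RemoteAddr().String(), l.ranges) {
			return c, nil
		}
		c.Close()
	}
}

// probe dials a wrapped loopback listener and reports whether the wrapper let the
// connection through: accepted peers are greeted, dropped peers just see EOF.
func probe(ranges []netip.Prefix) bool {
	inner, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		panic(err)
	}
	defer inner.Close() // also ends the accept loop below
	go func() {
		ln := cfListener{Listener: inner, ranges: ranges}
		for {
			c, err := ln.Accept()
			if err != nil {
				return
			}
			c.Write([]byte("ok"))
			c.Close()
		}
	}()
	client, err := net.Dial("tcp", inner.Addr().String())
	if err != nil {
		panic(err)
	}
	defer client.Close()
	client.SetReadDeadline(time.Now().Add(5 * time.Second))
	_, err = io.ReadFull(client, make([]byte, 2))
	return err == nil
}

func main() {
	fmt.Println("104.16.1.1 is Cloudflare:", fromRanges("104.16.1.1:443", cloudflareRanges))
	fmt.Println("loopback reaches the server:", probe(cloudflareRanges))
	fmt.Println("loopback with 127.0.0.0/8 allowed:", probe(mustPrefixes("127.0.0.0/8")))
}
```

Two caveats apply to any listener of this kind. Checking RemoteAddr presumes the origin sees Cloudflare's address directly; behind a load balancer or other proxy the peer address is the proxy's and the check is meaningless. And Cloudflare's ranges are shared by all of its customers, so the listener alone establishes only that a connection came through Cloudflare, not that it came through your zone; that is what the SNI check and origin pull mTLS in the server are for.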
func NewServer ¶
func NewServer(certFile, keyFile, pullCAFile string) (*http.Server, error)
NewServer creates a Cloudflare origin http.Server.
certFile and keyFile name the server certificate and its matching private key and are required. pullCAFile names the origin pull CA certificate and is optional; without it the server does not perform origin pull (client certificate) authentication.
func NewServerWithCerts ¶
func NewServerWithCerts(pullCA *x509.CertPool, cert ...tls.Certificate) *http.Server
NewServerWithCerts creates a Cloudflare origin http.Server from certificates that are already loaded.
pullCA, the origin pull CA pool, is optional. At least one server certificate must be provided.
Types ¶
This section is empty.