Question
I'm wanting to put Cloudflare in front of my API hosted on Cloud Run. I'd like to ensure my Cloud Run app only accepts connections from Cloudflare (to avoid bypassing DDoS mitigation + rate limiting in Cloudflare).
Is there any way to use Cloudflare's Authenticated Origin Pulls with Cloud Run?
Other solutions that achieve the same effect are welcome too - however the key is I don't want traffic from non-Cloudflare sources to trigger a Cloud Run invocation (otherwise a DDoS could result in billing spike). Thus, filtering traffic inside the Cloud Run app is too late, an invocation has already occurred.
Seems like there may be a way to add on HTTPS Load Balancer + Cloud Armor to do IP whitelisting and only allow requests originating from Cloudflare's IPs...but I'd rather not start tacking on two other services and add $$ just to achieve this.
Answer 1:
Google Cloud Run supports two authorization mechanisms: unauthenticated (anyone/public) and OAuth Client ID. Cloudflare's Origin Pulls use TLS certificates, which means your Cloud Run application would need to verify the certificate as Google's Frontends do not support this. This would not accomplish your goal of preventing unauthorized invocations of Cloud Run.
In summary, unless your service is using OAuth Client IDs for authorization, there is no method to prevent Cloud Run service invocations except by limiting the maximum number of instances. If you have configured unauthenticated access, anyone calling your service endpoint will succeed in invoking your service or executing an overlapped request.
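As an added illustration of the caveat in the question (that any filtering done inside the Cloud Run app happens only after an invocation has already been counted), here is a source-address allowlist check of the kind such an app could run as defense in depth. It is example code, not from the question, the answer, Cloudflare or Google. It assumes the app is reached through a single trusted proxy hop (Google's frontend) that appends the connecting peer's address as the right-most entry of `X-Forwarded-For`, and the CIDR ranges are constructed documentation prefixes standing in for the lists Cloudflare publishes.

```python
import ipaddress

# Constructed placeholder ranges (RFC 5737 / RFC 3849 documentation prefixes).
# Replace with the IP ranges Cloudflare publishes; these are NOT Cloudflare's.
CLOUDFLARE_RANGES_PLACEHOLDER = [
    "203.0.113.0/24",      # stand-in for an IPv4 edge block
    "2001:db8:cf::/48",    # stand-in for an IPv6 edge block
]


def build_allowlist(cidrs):
    """Parse CIDR strings once at startup; strict=True rejects host bits set."""
    return [ipaddress.ip_network(c, strict=True) for c in cidrs]


def peer_ip_from_xff(xff_header, trusted_hops=1):
    """Return the address that the trusted proxy chain actually connected from.

    Assumption: each trusted hop appends the peer it saw, so with one trusted
    hop the right-most entry is the real peer (e.g. a Cloudflare edge when
    Cloudflare is in front). Everything to the left is client-supplied and
    must never be trusted for an allowlist decision.
    """
    if not xff_header:
        return None
    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    if len(hops) < trusted_hops:
        return None
    return hops[-trusted_hops]


def ip_in_allowlist(ip_str, allowlist):
    """True only if ip_str parses and falls inside one of the networks."""
    try:
        addr = ipaddress.ip_address(ip_str)
    except ValueError:
        return False
    return any(addr in net for net in allowlist)


def should_serve(xff_header, allowlist, trusted_hops=1):
    """Decision the app would make per request. Note this runs AFTER the
    Cloud Run invocation has started, so it protects the backend but does
    not prevent the invocation (or its cost) the question is asking about."""
    peer = peer_ip_from_xff(xff_header, trusted_hops)
    return peer is not None and ip_in_allowlist(peer, allowlist)


if __name__ == "__main__":
    allow = build_allowlist(CLOUDFLARE_RANGES_PLACEHOLDER)
    # Constructed header: client 198.51.100.7 reached us via a placeholder edge.
    print(should_serve("198.51.100.7, 203.0.113.10", allow))   # True
    # Constructed header: allowlisted address only in the untrusted left slot.
    print(should_serve("203.0.113.10, 198.51.100.7", allow))   # False
```

The important design choice is reading only the right-most, proxy-appended entry: a client can put any address it likes at the front of `X-Forwarded-For`, so checking the left-hand entries would let a direct caller spoof its way past the allowlist.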
Source: https://stackoverflow.com/questions/65746861/use-cloudflare-authenticated-origin-pull-with-gcp-cloud-run