安全审计>> access-crl-worker-template>> 返回
项目作者: cloudflare

项目描述 :
A worker that can be used for doing basic CRL checks. It assumes that the request has gone through Access MTLS.
高级语言: JavaScript
项目地址: git://github.com/cloudflare/access-crl-worker-template.git
创建时间: 2020-02-20T18:16:34Z
项目社区:https://github.com/cloudflare/access-crl-worker-template
开源协议:Other
下载


Access CRL Worker Template

This worker fetches a CRL from a given endpoint and uses it to check if a certificate used with Cloudflare Access Mutual TLS is valid.

Configuration

There are a few setup steps needed to use this worker

  1. Create or reuse a Cloudflare Workers KV namespace and put the ID in your wrangler.toml file on the kv-namespaces line.

    1. If you are creating a new namespace, you can use wrangler to do it.
      1.  $ wrangler kv:namespace create CRL_NAMESPACE
    2. Copy the output of the command into your wrangler.toml file and replace the stub.

  2. Set the URL of your CRL

    1. If you are using wrangler version 1.8.0 or higher. Set the CRL_URL variable in your wrangler.toml file to your CRL URL.
    2. If you are using a wrangler version older than 1.8.0 Uncomment and replace the CRL_URL variable in index.js with the location of your CRL. Remove the vars line in the wrangler.toml file.

Deployment

Make sure you have set the needed configuration and then run the following.

  1. wrangler publish

Force refetch

By default we rely on the next update field in the CRL to know when to refresh the CRL. However you can force a refresh of the CRL by adding a force-crl-refresh: 1 header to the your request

Caveats

  1. Due to workers CPU time limits any CRL with more than 5000 serial numbers on it has a chance to hit the CPU time limit and fail.
  2. This worker will only check the CRL if the request coming in had a certifcate successfully presented to the Cloudflare edge.